PAM session logs truncated at 1024 bytes when sending to syslog

Article ID: 223074

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We've noticed that events from the session logs are truncated at 1024 bytes when sent to syslog.

Syslog messages from Credential Manager (XML formatted) arrive complete, even when they are significantly longer than 1024 bytes. There seems to be a bug in the way the session manager logs are sent.

PAM version: 3.4.3

Cause

PAM does truncate session logs to 1024 characters before sending them to the configured syslog server. This is a legacy limit. Session log messages are typically much shorter than the limit, but they include information such as the user name and user group membership. The latter in particular can be quite long if the user is a member of multiple AD or LDAP groups, to the point where the actual message is completely missing on the syslog server.
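To gauge how many events are affected on the receiving side, the following added example (not Broadcom's or PAM's own code) scans collected syslog records for bodies whose length sits exactly at the 1024 limit. The traditional `Mmm dd hh:mm:ss host tag: message` file layout, the `pam-session` tag and the field names in the sample records are assumptions constructed for illustration.

```python
import re
from collections import Counter

LIMIT = 1024  # truncation length stated in this article

# Assumed collector file layout: "Mmm dd hh:mm:ss host tag: message"
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} [\d:]{8}) (\S+) ([^:\s]+): (.*)$")


def find_truncated(lines, limit=LIMIT):
    """Return (line_no, host, timestamp) for records whose body is exactly at the limit."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not in the assumed layout; skip rather than guess
        ts, host, _tag, body = m.groups()
        # The article speaks of both "bytes" and "characters", so test both measures.
        if limit in (len(body), len(body.encode("utf-8"))):
            hits.append((no, host, ts))
    return hits


def per_host(hits):
    """Count suspected truncations per sending host."""
    return Counter(host for _, host, _ in hits)


def sample_lines():
    """Constructed records: short event, event cut at the limit, long untruncated event."""
    groups = ",".join(
        f"CN=Group{i:03d},OU=Groups,DC=example,DC=test" for i in range(40)
    )
    full = f"user=jdoe groups={groups} msg=session opened"
    return [
        "Sep 14 10:22:01 pam01 pam-session: user=asmith groups=Admins msg=session opened",
        "Sep 14 10:22:07 pam01 pam-session: " + full[:LIMIT],  # group list fills the limit
        "Sep 14 10:23:00 pam02 pam-xml: " + "x" * 1500,  # longer than limit, arrived whole
        "line that does not match the assumed layout",
    ]


if __name__ == "__main__":
    found = find_truncated(sample_lines())
    for no, host, ts in found:
        print(f"line {no}: {host} at {ts} is exactly {LIMIT} long, likely truncated")
    print(dict(per_host(found)))
```

A record flagged here has probably lost the trailing part of the event, so correlate it by timestamp with the session logs kept on the PAM appliance itself.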

Environment

Release : 3.4

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

As of September 2021, session logs remain truncated to 1024 characters in all supported releases. A defect is open with PAM Engineering to have the limit increased or eliminated in future releases, as was already done on the Credential Management side in the past.

The limit is enforced in a PHP class that could be updated by PAM Support during a WebEx session with SSH access, without impacting any ongoing user sessions. If the message truncation causes auditing problems for you and you need them addressed, please open a case with PAM Support.