Having issue sending PAM Metric information from production PAM appliance to Splunk


Article ID: 223149


CA Privileged Access Manager (PAM)


We have monitoring for verifyAccountPassword events in Splunk, which has not been triggering logs since 8/19/2021. (Below are the last logs we have.)

Below is the Splunk query we use to query metric data.

index=main sourcetype="xsuite"  NOT "CAPAM_bind" type=verifyAccountPassword   (hostname="pxxxx")

However, we are able to see the logs below in Splunk:

hostname = mxxxxx, created = 2021-09-01 18:17:21, detail = PAM-CMN-1989: Ending session recording reconciliation. 0 session recording rows added to table. 0 sidecar(.inf) files added to share. 0 nearly empty files deleted from share., dom_name = undef, h_id = undef, ip_source = undef, local_ip_source = undef, log_id = 32936494005, machine_id =
port = undef, public_ip_source = undef, pvr_id = undef, s_name = undef, sessionID = undef, target_account = undef, task_name = undef, trans_type = system, u_name = sessionReconciliation,


We need help confirming whether PAM is sending the data to Splunk or not.



An outage on the Splunk forwarder that PAM was configured to send data to caused our Splunk forwarder to halt.


Release : 3.4

If you reset or update the Splunk forwarder configuration in the Symantec PAM GUI, it will automatically try to restart the services.
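
To catch a gap like this sooner, the search below (an added example, not part of the original article) reports, for each PAM hostname, the latest xsuite event of any kind and the latest verifyAccountPassword event, so a stalled forwarder can be told apart from a single missing event type. The index, sourcetype and field names come from the query above; the 30-day window and the 24-hour silence threshold are assumed values to adjust.

```spl
index=main sourcetype="xsuite" NOT "CAPAM_bind" earliest=-30d
| eval verify_time=if(type=="verifyAccountPassword", _time, null())
| stats max(_time) as last_any
        max(verify_time) as last_verify
        count(verify_time) as verify_events
        by hostname
| eval hours_since_any=round((now() - last_any) / 3600, 1)
| eval hours_since_verify=round((now() - last_verify) / 3600, 1)
| eval status=case(hours_since_any > 24, "no xsuite events: check the forwarder",
                   isnull(last_verify), "no verifyAccountPassword events in window",
                   hours_since_verify > 24, "verifyAccountPassword events stopped",
                   true(), "ok")
| convert ctime(last_any) ctime(last_verify)
| table hostname last_any last_verify verify_events hours_since_any hours_since_verify status
| where status!="ok"
```

A hostname that has sent nothing at all within the window does not appear in the results, so compare the output against the list of appliances you expect to report. Saved as a scheduled alert, the search flags a silent appliance within a day.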