Having issue sending PAM Metric information from production PAM appliance to Splunk


Article ID: 223149


Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We have monitoring for verifyAccountPassword events in Splunk, which has not been triggering logs since 8/19/2021. (Below are the last logs we have.)

Below is the Splunk query we use to query metric data:

index=main sourcetype="xsuite" NOT "CAPAM_bind" type=verifyAccountPassword (hostname="pxxxx")

However, we are able to see the logs below in Splunk:

hostname = mxxxxx, created = 2021-09-01 18:17:21, detail = PAM-CMN-1989: Ending session recording reconciliation. 0 session recording rows added to table. 0 sidecar(.inf) files added to share. 0 nearly empty files deleted from share., dom_name = undef, h_id = undef, ip_source = undef, local_ip_source = undef, log_id = 32936494005, machine_id = \xE0\xC4
+.›\xA41GܠH\x9B 
\xFE|\xAB\x80\x81, port = undef, public_ip_source = undef, pvr_id = undef, s_name = undef, sessionID = undef, target_account = undef, task_name = undef, trans_type = system, u_name = sessionReconciliation,

 

We need help confirming whether PAM is sending the data to Splunk or not.

 

Cause

An outage on the Splunk forwarder that PAM was configured to send data to caused our Splunk forwarder to halt.

Environment

Release : 3.4

Component :

Resolution

If you reset/update the configuration for the Splunk forwarder in the Symantec PAM GUI, it will automatically try to restart the services.
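
To confirm from the Splunk side whether PAM data is arriving again, and to catch the next silent gap early, the search below lists each PAM host and event type that has gone quiet. It is an added example, not part of the original article. It reuses the index, sourcetype and the hostname and type fields from the query above; the 30-day lookback, the 24-hour silence threshold and the "(none)" filler for events without a type field are assumptions to adjust.

```spl
index=main sourcetype="xsuite" NOT "CAPAM_bind" earliest=-30d
| fillnull value="(none)" type
| stats latest(_time) AS last_seen count AS events_30d BY hostname type
| eval hours_silent = round((now() - last_seen) / 3600, 1)
| where hours_silent > 24
| eval last_seen = strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - hours_silent
| table hostname type last_seen hours_silent events_30d
```

Saved as a scheduled alert, this flags a halted forwarder within a day rather than after weeks of missing verifyAccountPassword events. A host that keeps sending system events but has no recent verifyAccountPassword row points at the PAM side rather than at the forwarder.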