We have monitoring for verifyAccountPassword events in Splunk, which has not been triggering logs since 8/19/2021. (Below are the last logs we have.)
Below is the Splunk query we use to query metric data.
index=main sourcetype="xsuite" NOT "CAPAM_bind" type=verifyAccountPassword (hostname="pxxxx")
However, we are able to see the logs below in Splunk:
hostname = mxxxxx, created = 2021-09-01 18:17:21, detail = PAM-CMN-1989: Ending session recording reconciliation. 0 session recording rows added to table. 0 sidecar(.inf) files added to share. 0 nearly empty files deleted from share., dom_name = undef, h_id = undef, ip_source = undef, local_ip_source = undef, log_id = 32936494005, machine_id = \xE0\xC4
+.\xA41GܠH\x9B
\xFE|\xAB\x80\x81, port = undef, public_ip_source = undef, pvr_id = undef, s_name = undef, sessionID = undef, target_account = undef, task_name = undef, trans_type = system, u_name = sessionReconciliation,
We need help confirming whether PAM is sending the data to Splunk or not.
An outage on the Splunk forwarder that PAM was configured to send data to caused our Splunk forwarder to halt.
Release : 3.4
Component :
If you reset or update the Splunk forwarder configuration in the Symantec PAM GUI, PAM will automatically try to restart the services.
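To confirm which PAM node has stopped delivering events, the following added example (not part of the original article or of Symantec PAM) parses raw xsuite events in the "key = value" layout shown above and reports each hostname whose newest created timestamp is older than a threshold. The sample events, the reference time and the 24-hour threshold are constructed assumptions; only the hostname, created, detail, trans_type and u_name field names come from the log above.

```python
import re
from datetime import datetime, timedelta

# A key opens the line or follows ", " and is followed by " = ". Values such as
# detail may contain commas, so split on key positions, not on commas.
KEY = re.compile(r"(?:^|,\s)(\w+) = ")

def parse_event(line):
    """Split one 'key = value, key = value' event into a dict."""
    line = line.strip()
    marks = list(KEY.finditer(line))
    event = {}
    for cur, nxt in zip(marks, marks[1:] + [None]):
        end = nxt.start() if nxt else len(line)
        event[cur.group(1)] = line[cur.end():end].strip().rstrip(",")
    return event

def last_seen_by_host(lines):
    """Newest 'created' time per hostname; unparseable events are skipped."""
    latest = {}
    for line in lines:
        ev = parse_event(line)
        try:
            ts = datetime.strptime(ev["created"], "%Y-%m-%d %H:%M:%S")
            host = ev["hostname"]
        except (KeyError, ValueError):
            continue
        if host not in latest or ts > latest[host]:
            latest[host] = ts
    return latest

def silent_hosts(lines, now, max_gap=timedelta(hours=24)):
    """Hosts whose newest event is older than max_gap (assumed threshold)."""
    seen = last_seen_by_host(lines)
    return {h: now - ts for h, ts in seen.items() if now - ts > max_gap}

# Constructed sample events in the field layout of the log shown above.
SAMPLE = [
    "hostname = pxxxx, created = 2021-08-19 09:02:11, detail = constructed event, one, with commas., trans_type = system,",
    "hostname = mxxxxx, created = 2021-08-30 07:00:00, detail = constructed older event., trans_type = system,",
    "hostname = mxxxxx, created = 2021-09-01 18:17:21, detail = PAM-CMN-1989: Ending session recording reconciliation., u_name = sessionReconciliation,",
    "truncated line without fields",
]

if __name__ == "__main__":
    for host, gap in silent_hosts(SAMPLE, now=datetime(2021, 9, 1, 19, 0, 0)).items():
        print(f"{host}: no events for {gap}")
```

A host that is silent while other hosts are current points at that node's forwarding path rather than at the Splunk search itself.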