PAM has been configured to send text-based session recordings to an external syslog server. When reviewing the logs in the SIEM utility, the formatting is off: the recorded session text is interleaved with fragments such as `(B[m`, `[39;49m` and `[K`, as in the sample below.
Jan 1 00:00:00 10.18.12.71 gksyslog[8675309]: user : pamuser device : pamdevice , session_recording; (B[m 48 root 20 0 0 0 0 S 0.0 0.0 0:00.00 lru-add-drain/1 (B[m[39;49m
Jan 1 07:16:36 10.18.12.71 gksyslog[8675309]: user : pamuser device : pamdevice , session_recording; (B[m 12 root 20 0 0 0 0 S 0.0 0.0 5:51.31 events/1 (B[m[39;49m
Jan 1 07:16:37 10.18.12.71 gksyslog[1936]: user : pamuser device : pamdevice , session_recording; Cpu(s):(B[m[39;49m(B[m 1.2%(B[m[39;49mus,(B[m[39;49m(B[m 0.7%(B[m[39;49msy,(B[m[39;49m(B[m 0.0%(B[m[39;49mni,(B[m[39;49m(B[m 98.2%(B[m[39;49mid,(B[m[39;49m(B[m 0.0%(B[m[39;49mwa,(B[m[39;49m(B[m 0.0%(B[m[39;49mhi,(B[m[39;49m(B[m 0.0%(B[m[39;49msi,(B[m[39;49m(B[m 0.0%(B[m[39;49mst(B[m[39;49m[K
Jan 1 07:16:37 10.18.12.71 gksyslog[1936]: user : pamuser device : pamdevice , session_recording; (B[m 37 root 20 0 0 0 0 S 0.0 0.0 0:00.00 khubd (B[m[39;49m
Jan 1 07:16:09 10.18.12.71 gksyslog[8675309]: user : pamuser device : pamdevice , session_recording; (B[m 10 root RT 0 0 0 0 S 0.0 0.0 0:06.42 watchdog/1 (B[m[39;49m
Jan 1 07:16:10 10.18.12.71 gksyslog[1936]: user : pamuser device : pamdevice , session_recording; Tasks:(B[m[39;49m(B[m 163 (B[m[39;49mtotal,(B[m[39;49m(B[m 2 (B[m[39;49mrunning,(B[m[39;49m(B[m 161 (B[m[39;49msleeping,(B[m[39;49m(B[m 0 (B[m[39;49mstopped,(B[m[39;49m(B[m 0 (B[m[39;49mzombie(B[m[39;49m[K
Jan 1 07:16:10 10.18.12.71 gksyslog[1936]: user : pamuser device : pamdevice , session_recording; (B[m 30 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kacpid (B[m[39;49m
Jan 1 07:16:12 10.18.12.71 gksyslog[8675309]: user : pamuser device : pamdevice , session_recording; (B[m 12 root 20 0 0 0 0 S 0.0 0.0 5:51.30 events/1 (B[m[39;49m
When PAM is configured to send session recording text to syslog, it forwards the terminal output unmodified. Commands such as `top` use ANSI escape sequences to control colour and cursor position, and those sequences are the fragments observed in the log entries. The escape byte itself (ESC, 0x1B) is non-printing, so only the visible remainder of each sequence shows: `(B[m` is `ESC ( B` (select the ASCII character set) followed by `ESC [ m` (reset attributes), the pair that xterm-style terminfo uses as `sgr0` and that `top` emits between fields; `[39;49m` is `ESC [ 39;49 m` (reset foreground and background colour); `[K` is `ESC [ K` (erase to end of line). Because the recording is the raw terminal stream, any escape sequence that a user's command emits is forwarded in the same way, so the session text should be neutralised before it is rendered in a terminal or in a viewer that interprets escapes.
Environment: Privileged Access Manager, all versions.
Some SIEM utilities, such as Splunk, parse these sequences automatically, as seen in the output below. For other products, contact the SIEM vendor to learn how the message can be formatted, or strip the sequences in the ingestion pipeline before the events are indexed.
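The following Python is an added example, not part of this article or of the PAM product. It splits `gksyslog` session_recording lines of the layout shown above into fields and strips the `top` control sequences from the session text, both when the ESC byte is still present (as on the wire) and when only the visible remnants remain (as in the SIEM display above). The two sample lines, the field names returned by `parse_pam_line`, and the assumption that the header layout matches the lines above are constructed for the example.

```python
import re

# Constructed samples modelled on the gksyslog lines above (not captured data).
# The first keeps the ESC byte as a real terminal stream carries it; the second
# is the same kind of line as rendered by a viewer that drops ESC, so only the
# visible remnants such as "(B[m" and "[39;49m" survive.
RAW_WITH_ESC = (
    "Jan 1 07:16:37 10.18.12.71 gksyslog[1936]: user : pamuser device : pamdevice , "
    "session_recording; Cpu(s):\x1b(B\x1b[m\x1b[39;49m\x1b(B\x1b[m 1.2%"
    "\x1b(B\x1b[m\x1b[39;49mus,\x1b[K"
)
RAW_ESC_DROPPED = (
    "Jan 1 00:00:00 10.18.12.71 gksyslog[8675309]: user : pamuser device : pamdevice , "
    "session_recording; (B[m 48 root 20 0 0 0 0 S 0.0 0.0 0:00.00 lru-add-drain/1 (B[m[39;49m"
)

# Escape sequences that still carry ESC (0x1b), matched by their ECMA-48 shape:
#   ESC [ params intermediates final   CSI (SGR colours 'm', erase line 'K', cursor moves)
#   ESC ] ... BEL | ESC \               OSC (window title and similar)
#   ESC ( X  /  ESC ) X                 G0/G1 character-set designation (top emits ESC ( B)
#   ESC <Fe byte>                       any other two-byte escape (e.g. ESC M reverse index)
ANSI_WITH_ESC = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
    r"|\x1b[()][0-9A-Za-z]"
    r"|\x1b[@-Z\\\]^_]"
)

# Remnants left behind once ESC has been removed. This is a heuristic: "(B" is only
# removed when glued to a following "[" remnant, and "[...X" only when it carries
# numeric parameters or is exactly the bare "[m" / "[K" that sgr0 and erase-line leave.
ORPHANED_REMNANT = re.compile(r"\(B(?=\[)|\[(?:[0-9;?]+[A-Za-z]|m|K)")

# Header layout of the lines shown above; assumed for this example, not documented by PAM.
PAM_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<app>[\w-]+)\[(?P<pid>\d+)\]: "
    r"user : (?P<user>\S+) device : (?P<device>\S+) , session_recording; (?P<text>.*)$"
)


def strip_ansi(text: str) -> str:
    """Remove escape sequences whose ESC byte is intact (the exact, safe pass)."""
    return ANSI_WITH_ESC.sub("", text)


def strip_orphaned(text: str) -> str:
    """Remove the visible remnants of sequences whose ESC byte was already dropped."""
    return ORPHANED_REMNANT.sub("", text)


def clean_session_text(text: str, esc_dropped: bool = True) -> str:
    """Neutralise terminal control sequences in one recorded line of session text.

    The exact pass always runs; the heuristic pass only runs when the source is
    known to have lost its ESC bytes, as the SIEM display above has.
    """
    cleaned = strip_ansi(text)
    if esc_dropped:
        cleaned = strip_orphaned(cleaned)
    return cleaned.strip()


def parse_pam_line(line: str, esc_dropped: bool = True):
    """Split a gksyslog session_recording line into fields with cleaned session text.

    Returns None when the line does not have the expected header layout.
    """
    m = PAM_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["text"] = clean_session_text(rec["text"], esc_dropped)
    return rec


if __name__ == "__main__":
    for sample in (RAW_WITH_ESC, RAW_ESC_DROPPED):
        print(parse_pam_line(sample))
```

Run the exact pass on the raw UDP/TCP payload wherever possible (a syslog relay or a SIEM ingest script sees the ESC bytes), and reserve the remnant heuristic for text that has already been through a display that discarded them; the heuristic can eat legitimate text such as a word starting with `[m`, which the exact pass never does.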