
PAM Session Recording Sending Escape Characters to Syslog


Article ID: 228483


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

PAM has been configured to send text-based session recordings to an external syslog server. When the logs are reviewed in the SIEM utility, the formatting is off: each line carries stray bracket and letter sequences around the recorded terminal text, as in the sample below.

Jan 1 00:00:00 10.18.12.71 gksyslog[8675309]: user : pamuser device : pamdevice , session_recording; (B[m 48 root 20 0 0 0 0 S 0.0 0.0 0:00.00 lru-add-drain/1 (B[m[39;49m
Jan 1 07:16:36 10.18.12.71 gksyslog[8675309]: user : pamuser device : pamdevice , session_recording; (B[m 12 root 20 0 0 0 0 S 0.0 0.0 5:51.31 events/1 (B[m[39;49m
Jan 1 07:16:37 10.18.12.71 gksyslog[1936]: user : pamuser device : pamdevice , session_recording; Cpu(s):(B[m[39;49m(B[m 1.2%(B[m[39;49mus,(B[m[39;49m(B[m 0.7%(B[m[39;49msy,(B[m[39;49m(B[m 0.0%(B[m[39;49mni,(B[m[39;49m(B[m 98.2%(B[m[39;49mid,(B[m[39;49m(B[m 0.0%(B[m[39;49mwa,(B[m[39;49m(B[m 0.0%(B[m[39;49mhi,(B[m[39;49m(B[m 0.0%(B[m[39;49msi,(B[m[39;49m(B[m 0.0%(B[m[39;49mst(B[m[39;49m[K
Jan 1 07:16:37 10.18.12.71 gksyslog[1936]: user : pamuser device : pamdevice , session_recording; (B[m 37 root 20 0 0 0 0 S 0.0 0.0 0:00.00 khubd (B[m[39;49m
Jan 1 07:16:09 10.18.12.71 gksyslog[8675309]: user : pamuser device : pamdevice , session_recording; (B[m 10 root RT 0 0 0 0 S 0.0 0.0 0:06.42 watchdog/1 (B[m[39;49m
Jan 1 07:16:10 10.18.12.71 gksyslog[1936]: user : pamuser device : pamdevice , session_recording; Tasks:(B[m[39;49m(B[m 163 (B[m[39;49mtotal,(B[m[39;49m(B[m 2 (B[m[39;49mrunning,(B[m[39;49m(B[m 161 (B[m[39;49msleeping,(B[m[39;49m(B[m 0 (B[m[39;49mstopped,(B[m[39;49m(B[m 0 (B[m[39;49mzombie(B[m[39;49m[K
Jan 1 07:16:10 10.18.12.71 gksyslog[1936]: user : pamuser device : pamdevice , session_recording; (B[m 30 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kacpid (B[m[39;49m
Jan 1 07:16:12 10.18.12.71 gksyslog[8675309]: user : pamuser device : pamdevice , session_recording; (B[m 12 root 20 0 0 0 0 S 0.0 0.0 5:51.30 events/1 (B[m[39;49m


Cause

When PAM is configured to send session-recording text to syslog, it forwards the terminal output unmodified. Full-screen commands such as `top` drive the terminal with ANSI/VT100 escape sequences to set colours, reset text attributes and position the cursor, and those sequences are what appears in the logs. The non-printing ESC byte (0x1B) that introduces each sequence is not visible in the sample above, which leaves only the tail of each one: `(B` selects the ASCII character set, `[m` and `[39;49m` reset text attributes and foreground/background colours, and `[K` clears to the end of the line.

Environment

Privileged Access Manager, all versions

Resolution

Some SIEM utilities, such as Splunk, parse these sequences automatically. Contact the SIEM vendor to learn how the product handles or strips ANSI escape sequences in incoming messages. Prefer stripping the sequences at ingestion over rendering them: raw terminal control sequences in log data are interpreted by any terminal that later displays the logs (for example with `cat` or `tail`), so an attacker who can type into a recorded session can manipulate what an analyst sees. Strip them only in the SIEM copy; the recording PAM itself stores should stay verbatim, since it is the audit record.
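The following is an added example, not code from the article or from CA PAM, showing how to normalise these lines before or during SIEM ingestion. It parses the session_recording syslog format from the sample above into fields, strips intact ANSI/VT100 sequences, and, as an explicitly heuristic option, also strips the ESC-less residue (`(B`, `[m`, `[39;49m`, `[K`) seen on this page. The line layout, field names and sample inputs are assumptions constructed from the article's sample; the IP, PIDs, user and device names are the article's own placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Escape sequences as a terminal program emits them, ESC (0x1B) byte intact:
#   CSI   ESC [ params intermediates final   e.g. ESC[m, ESC[39;49m, ESC[K
#   OSC   ESC ] text, terminated by BEL or ESC \
#   G0/G1 character-set designation, e.g. ESC ( B  (select US-ASCII)
#   other two-byte escapes (ESC 7, ESC =, ESC M, ...)
ANSI_INTACT = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
    r"|\x1b[()*+][0-9A-Za-z@]"
    r"|\x1b[@-Z\\-_]"
)

# Heuristic (assumption) for text where the ESC byte was already dropped, as in
# the article's sample, leaving residue such as "(B", "[m", "[39;49m", "[K".
# Final bytes are limited to the SGR/cursor/erase commands `top` uses so that
# ordinary text like "gksyslog[8675309]" or "[info]" is left alone.
ANSI_ORPHANED = re.compile(r"\(B|\[[0-9;]*[mKJHABCDf]|\[\?[0-9;]*[hl]")

# Remaining C0 control bytes (BEL, CR, ...) except TAB and LF.
C0_CONTROLS = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")

# Shape of the PAM session-recording syslog line shown in the article (assumed
# stable: timestamp, host, program[pid], then user/device and the recorded text).
PAM_RECORDING_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\s\[]+)\[(?P<pid>\d+)\]: user : (?P<user>\S+) device : (?P<device>\S+) , "
    r"session_recording; (?P<text>.*)$"
)


@dataclass
class RecordingEvent:
    timestamp: str
    host: str
    program: str
    pid: int
    user: str
    device: str
    text: str  # terminal output with escape sequences removed, whitespace collapsed


def strip_ansi(s: str, assume_esc_dropped: bool = False) -> str:
    """Remove terminal control sequences; optionally also their ESC-less residue."""
    s = ANSI_INTACT.sub("", s)
    if assume_esc_dropped:
        s = ANSI_ORPHANED.sub("", s)
    return C0_CONTROLS.sub("", s)


def contains_terminal_escapes(s: str) -> bool:
    """True if the string still carries an intact ESC-introduced sequence."""
    return ANSI_INTACT.search(s) is not None


def parse_recording_line(line: str, assume_esc_dropped: bool = False) -> Optional[RecordingEvent]:
    """Parse one PAM session_recording syslog line; None if it is something else."""
    m = PAM_RECORDING_LINE.match(line)
    if m is None:
        return None
    text = " ".join(strip_ansi(m["text"], assume_esc_dropped).split())
    return RecordingEvent(m["ts"], m["host"], m["prog"], int(m["pid"]),
                          m["user"], m["device"], text)


def normalize(lines: List[str], assume_esc_dropped: bool = False) -> List[RecordingEvent]:
    """Parse a batch of lines, silently skipping ones that are not recordings."""
    return [ev for ev in (parse_recording_line(l, assume_esc_dropped) for l in lines) if ev]


# Constructed sample input (not captured from a real system). The first line
# carries the ESC bytes as PAM would send them; the other two are the ESC-less
# form reproduced on the article page.
PREFIX = ("Jan 1 00:00:00 10.18.12.71 gksyslog[8675309]: user : pamuser device : pamdevice , "
          "session_recording; ")
SAMPLE_INTACT = PREFIX + "\x1b(B\x1b[m 48 root 20 0 0 0 0 S 0.0 0.0 0:00.00 lru-add-drain/1 \x1b(B\x1b[m\x1b[39;49m"
SAMPLE_ESC_DROPPED = PREFIX + "(B[m 48 root 20 0 0 0 0 S 0.0 0.0 0:00.00 lru-add-drain/1 (B[m[39;49m"
SAMPLE_TOP_SUMMARY = (
    "Jan 1 07:16:37 10.18.12.71 gksyslog[1936]: user : pamuser device : pamdevice , session_recording; "
    "Cpu(s):(B[m[39;49m(B[m 1.2%(B[m[39;49mus,(B[m[39;49m(B[m 0.7%(B[m[39;49msy,(B[m[39;49m(B[m 0.0%"
    "(B[m[39;49mni,(B[m[39;49m(B[m 98.2%(B[m[39;49mid,(B[m[39;49m(B[m 0.0%(B[m[39;49mwa,(B[m[39;49m(B[m 0.0%"
    "(B[m[39;49mhi,(B[m[39;49m(B[m 0.0%(B[m[39;49msi,(B[m[39;49m(B[m 0.0%(B[m[39;49mst(B[m[39;49m[K"
)

if __name__ == "__main__":
    for ev in normalize([SAMPLE_INTACT, SAMPLE_ESC_DROPPED, SAMPLE_TOP_SUMMARY], assume_esc_dropped=True):
        print(f"{ev.timestamp} {ev.user}@{ev.device} pid={ev.pid}: {ev.text}")
```

Run it against lines with the ESC bytes intact and leave `assume_esc_dropped` off; only enable the residue heuristic on data that has already lost the ESC byte, because without that byte the regex can only guess which brackets were once control sequences. `contains_terminal_escapes` is the check to put in a detection rule if you want to alert on recordings that still carry raw cursor or erase commands into your log pipeline.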
