PAM has been configured to send text-based session recordings to an external syslog server. When reviewing the logs in the SIEM utility, the formatting is off.
Jan 1 00:00:00 10.18.12.71 gksyslog[8675309]: user : pamuser device : pamdevice , session_recording; (B[m 48 root 20 0 0 0 0 S 0.0 0.0 0:00.00 lru-add-drain/1 (B[m[39;49m
Jan 1 07:16:36 10.18.12.71 gksyslog[8675309]: user : pamuser device : pamdevice , session_recording; (B[m 12 root 20 0 0 0 0 S 0.0 0.0 5:51.31 events/1 (B[m[39;49m
Jan 1 07:16:37 10.18.12.71 gksyslog[1936]: user : pamuser device : pamdevice , session_recording; Cpu(s):(B[m[39;49m(B[m 1.2%(B[m[39;49mus,(B[m[39;49m(B[m 0.7%(B[m[39;49msy,(B[m[39;49m(B[m 0.0%(B[m[39;49mni,(B[m[39;49m(B[m 98.2%(B[m[39;49mid,(B[m[39;49m(B[m 0.0%(B[m[39;49mwa,(B[m[39;49m(B[m 0.0%(B[m[39;49mhi,(B[m[39;49m(B[m 0.0%(B[m[39;49msi,(B[m[39;49m(B[m 0.0%(B[m[39;49mst(B[m[39;49m[K
Jan 1 07:16:37 10.18.12.71 gksyslog[1936]: user : pamuser device : pamdevice , session_recording; (B[m 37 root 20 0 0 0 0 S 0.0 0.0 0:00.00 khubd (B[m[39;49m
Jan 1 07:16:09 10.18.12.71 gksyslog[8675309]: user : pamuser device : pamdevice , session_recording; (B[m 10 root RT 0 0 0 0 S 0.0 0.0 0:06.42 watchdog/1 (B[m[39;49m
Jan 1 07:16:10 10.18.12.71 gksyslog[1936]: user : pamuser device : pamdevice , session_recording; Tasks:(B[m[39;49m(B[m 163 (B[m[39;49mtotal,(B[m[39;49m(B[m 2 (B[m[39;49mrunning,(B[m[39;49m(B[m 161 (B[m[39;49msleeping,(B[m[39;49m(B[m 0 (B[m[39;49mstopped,(B[m[39;49m(B[m 0 (B[m[39;49mzombie(B[m[39;49m[K
Jan 1 07:16:10 10.18.12.71 gksyslog[1936]: user : pamuser device : pamdevice , session_recording; (B[m 30 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kacpid (B[m[39;49m
Jan 1 07:16:12 10.18.12.71 gksyslog[8675309]: user : pamuser device : pamdevice , session_recording; (B[m 12 root 20 0 0 0 0 S 0.0 0.0 5:51.30 events/1 (B[m[39;49m
Privileged Access Manager, all versions
When PAM is configured to send session recording text to syslog, it forwards the terminal output unmodified. The `top` command uses ANSI escape sequences to control colour and cursor position; those are the characters being observed in the logs.
Some SIEM utilities, such as Splunk, parse these sequences automatically, as seen in the output below. Please contact the SIEM vendor to learn how to format the message.
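If the SIEM cannot parse the sequences, a small normalisation step in the log pipeline can strip them before indexing, which also keeps raw control sequences from being replayed when an analyst views the file in a terminal. The script below is an added example, not PAM's or any SIEM vendor's code. It removes the sequence forms visible in the entries above (`ESC ( B` charset selection, `ESC [ m` and `ESC [ 39;49 m` colour resets, `ESC [ K` erase-to-end-of-line), splits the syslog header and the PAM `user : ... device : ... , session_recording;` body into fields, and counts how many sequences were removed so the SIEM can keep that as a field. The sample lines are constructed from the entries above with the ESC byte (0x1b) put back in front of each `(B`, `[m`, `[39;49m` and `[K` fragment; the page's copy shows those fragments with the ESC byte dropped, and once the byte is gone the remnants cannot be told apart from ordinary text, so the stripping has to happen on the raw message. The `#033` handling assumes the collector is rsyslog with its default control-character escaping, which rewrites ESC as `#033`; that is an assumption about the environment, not something the article states.

```python
import re

# Terminal control sequences emitted by `top` that appear in the PAM
# session_recording events:
#   ESC [ <params> <final>      CSI, e.g. ESC[m (reset), ESC[39;49m (default
#                               colours), ESC[K (erase to end of line)
#   ESC ( B                     charset designation, seen as "(B" in the entries
#   ESC <byte 0x40-0x5F>        remaining two-byte escapes (ESC 7, ESC 8, ESC = ...)
ANSI_RE = re.compile(
    r"\x1b\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]"  # CSI: params, intermediates, final byte
    r"|\x1b[()][\x30-\x7e]"                       # charset designation
    r"|\x1b[\x40-\x5f]"                           # other two-byte escapes
)

# Assumption: an rsyslog collector with its default EscapeControlCharactersOnReceive
# rewrites the ESC byte as "#033" before forwarding; map it back so one regex applies.
OCTAL_ESC_RE = re.compile(r"#033")

# Syslog header as shown in the entries: "Mon D HH:MM:SS host app[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<app>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# PAM session_recording message body, as shown in the entries
PAM_RE = re.compile(
    r"^user : (?P<user>\S+) device : (?P<device>\S+) , session_recording; (?P<rec>.*)$"
)


def strip_ansi(text):
    """Return (cleaned_text, number_of_control_sequences_removed)."""
    text = OCTAL_ESC_RE.sub("\x1b", text)
    cleaned, removed = ANSI_RE.subn("", text)
    return cleaned, removed


def parse_session_line(line):
    """Split one syslog line into fields with the recording text cleaned.

    Returns None for lines that are not PAM session_recording events.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    p = PAM_RE.match(m.group("msg"))
    if not p:
        return None
    rec, removed = strip_ansi(p.group("rec"))
    return {
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "app": m.group("app"),
        "pid": int(m.group("pid")),
        "user": p.group("user"),
        "device": p.group("device"),
        # collapse the column padding top uses for screen alignment
        "recording": " ".join(rec.split()),
        "escape_sequences_removed": removed,
        # anything below 0x20 still present means a sequence form the regex
        # does not know about; worth alerting on rather than indexing silently
        "residual_control_bytes": any(ord(c) < 0x20 for c in rec),
    }


# Constructed sample lines: entries from the article with the ESC byte restored,
# plus one in rsyslog's "#033" form and one unrelated syslog line.
ESC = "\x1b"
RESET = ESC + "(B" + ESC + "[m"          # charset designation followed by SGR reset
DEFCOL = ESC + "[39;49m"                 # default foreground/background colours
HDR = "gksyslog[8675309]: user : pamuser device : pamdevice , session_recording; "
SAMPLE_LINES = [
    "Jan 1 00:00:00 10.18.12.71 " + HDR + RESET
    + " 48 root 20 0 0 0 0 S 0.0 0.0 0:00.00 lru-add-drain/1 " + RESET + DEFCOL,
    "Jan 1 07:16:37 10.18.12.71 " + HDR + "Cpu(s):" + RESET + DEFCOL + RESET
    + " 1.2%" + RESET + DEFCOL + "us," + RESET + DEFCOL + RESET
    + " 0.7%" + RESET + DEFCOL + "sy," + ESC + "[K",
    "Jan 1 07:16:37 10.18.12.71 " + HDR + "#033(B#033[m 37 root 20 0 0 0 0 S 0.0 0.0 "
    "0:00.00 khubd #033(B#033[m#033[39;49m",
    "Jan 1 07:16:09 10.18.12.71 sshd[42]: Accepted publickey for pamuser from 10.0.0.5",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_session_line(line))
```

Running the block prints one dictionary per PAM line and `None` for the unrelated sshd line; the `recording` field for the first entry comes out as `48 root 20 0 0 0 0 S 0.0 0.0 0:00.00 lru-add-drain/1`, which is the text the analyst actually wants indexed.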