
PAM 4.0.2 Upgrade Syslog Forwarding/CPU problem

Article ID: 237670

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

A PAM administrator upgraded to PAM 4.0.2 successfully, but after the upgrade is experiencing one or more of the following problems:

  • PAM Session Logs are no longer being forwarded to Splunk if you configured the integration via the PAM UI >> Configuration >> Logs >> Syslog
  • PAM CPU utilization spikes to almost 100% if PAM is configured for Syslog Forwarding, as described above.
  • PAM disk utilization spikes after the upgrade.

Cause

PAM 4.0.2 introduced a new feature, "Updated Splunk and Syslog Server Configuration Options". In the initial 4.0.2 upgrade patch, this could cause a problem with an existing syslog configuration.

Environment

Release : 4.0.2

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

This problem has since been fixed and is not observed when using upgrade patch 4.0.2a, which has been available on the PAM Solutions & Patches page since Mar 31, 2022. Please make sure to discard any copy of the upgrade patch that you downloaded prior to this date (version 4.0.2 without the letter a).

The following was a workaround for the original 4.0.2 upgrade patch:

  • Before the upgrade, remove the Syslog integration on the page Configuration >> Logs >> Syslog on all members by unselecting the "Enable syslog to the specified server" checkbox and clicking the Update button. Reconfigure it after a successful upgrade.
  • If you have already upgraded and can still get to the PAM UI, go to PAM UI >> Configuration >> Logs >> Syslog and click "Update" at the bottom of the window. No actual configuration change is required.
    • If you cannot get to the regular PAM UI, attempt to log on as the config user with the URL https://<pam appliance>/config/ or https://<pam appliance>/config/?legacy=1.
    • If neither works, please open a case with Broadcom Support.
    • Alternatively, restore a snapshot (virtual appliance) or restore from backup (hardware appliance). Then use patch 4.0.2a for the upgrade.