Determine who updated a Unix Account

Article ID: 247620

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

PAM Admin wants to know how to determine who changed certain Unix Accounts from Password Authentication to Public Key Authentication.

Environment

Release : 4.0.x, 4.1.x

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

Ultimately we have the following report that would capture this information:

  • Administrator Activities Report

However, with the default archive settings the data only goes back 7 days:

PAM UI >> Settings >> Credential Manager >> Auto-Archive

If the data has been archived and either Syslog Forwarding or Splunk Forwarder is enabled, look into their logs.  He

host="<pam primary ip>" OR host="<pam primary ip2>" OR host="<pam primary ip3>" "audit DETAIL Target.Account" "User.name=<target user>" "Update.User"

This will show (highlight) the Update.User value, which identifies who last updated that account.
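
Where the events were sent by Syslog Forwarding to a plain log file rather than to Splunk, the same filter can be applied offline. The script below is an added example, not part of the original article or Broadcom's code. It assumes each line has the form "<timestamp> <host> <message>" with an ISO 8601 timestamp and that the updater appears as Update.User=<value>; the sample lines are constructed, not real PAM output.

```python
import re

# Constructed sample lines (NOT real PAM output). Assumed layout:
# "<ISO timestamp> <host> <message>", with key=value fields in the message.
SAMPLE_LINES = [
    "2024-03-03T11:02:13Z 192.0.2.11 audit DETAIL Target.Account User.name=oracle, Update.User=super",
    "2024-03-03T10:15:02Z 192.0.2.10 audit DETAIL Target.Account User.name=oracle, Update.User=jsmith",
    "2024-03-03T10:16:40Z 192.0.2.10 audit DETAIL Target.Account User.name=oracle2, Update.User=adoe",
    "2024-03-03T11:05:00Z 198.51.100.7 audit DETAIL Target.Account User.name=oracle, Update.User=other",
    "2024-03-03T11:06:00Z 192.0.2.10 audit INFO Login User.name=oracle",
]

EVENT_MARKER = "audit DETAIL Target.Account"  # phrase taken from the search above
# Assumption: the value ends at whitespace or a common field delimiter.
UPDATER_RE = re.compile(r"Update\.User=([^\s,;}\]]+)")


def find_updaters(lines, pam_hosts, target_user):
    """Return (timestamp, host, update_user) tuples for the account, oldest first."""
    # Whole-value match, so a search for "oracle" does not also hit "oracle2".
    user_re = re.compile(
        r"(?<![\w.])User\.name=" + re.escape(target_user) + r"(?![\w.@-])")
    hits = []
    for line in lines:
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue  # malformed or truncated line
        timestamp, host, message = parts
        if host not in pam_hosts or EVENT_MARKER not in message:
            continue  # not from a PAM node, or not an account-update audit event
        if not user_re.search(message):
            continue
        updater = UPDATER_RE.search(message)
        if updater:
            hits.append((timestamp, host, updater.group(1)))
    return sorted(hits)  # ISO 8601 UTC timestamps sort chronologically as text


def last_updater(lines, pam_hosts, target_user):
    """Return the Update.User of the most recent matching event, or None."""
    hits = find_updaters(lines, pam_hosts, target_user)
    return hits[-1][2] if hits else None


if __name__ == "__main__":
    nodes = {"192.0.2.10", "192.0.2.11"}  # stand-ins for the PAM primary IPs
    for event in find_updaters(SAMPLE_LINES, nodes, "oracle"):
        print(*event)
```

To run it against a real file, pass an open file handle as `lines` and adjust the line-splitting and `UPDATER_RE` to the format your syslog collector actually writes.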