SYSLOG To SPLUNK APP Logs are without any time zone reference.

Article ID: 257399

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

It has been reported that PAM syslog messages forwarded to the Splunk application arrive without a time zone reference.

DEV PAM LOGS:

 

We are getting two types of logs from DEV servers to Splunk UAT. One of the log types has timestamp details in the log itself.

Kindly check whether the other log format can also have similar timestamp details in it.

 

Log sample which has a timestamp in it:

<132>1 2022-12-07T04:47:31+00:00 .... pam - metric DETAIL <Metric><type>getAccount</type>...</Metric>

 

Other log type (similar logs are received in PROD):

<134>Dec 7 05:12:02 ... <14>gkpsyslog[4070387]: created = 2022-12-07 05:12:02 Private IP: ... Request Server xxx is added to A2A via auto-registration.

 

Environment

Release : 4.1

Cause

Metric and audit logs from Credential Management carry time stamps that include the UTC offset ("+00:00" in the sample above). Session log messages use a different time format in the syslog header (month, day and time only, with no year and no offset) and show a "created = " time inside the message that also has no offset. All PAM appliances run on UTC time, but the message itself should make that clear, because a receiver such as Splunk that sees no offset will otherwise apply its own default time zone.

Resolution

This will be fixed in 4.1.3+ and 4.2+. The session log messages sent to the syslog server will have a time stamp with a format like "2023-02-27T21:21:56+00:00" in the header, to be consistent with the Credential Manager messages. The "Created =" time stamp inside the message also will include the time zone (UTC) to make clear which time zone it to.