Are audit logs sent automatically to syslog and to SIEM?

Article ID: 259560

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Our audit wants to monitor automatically if the job has run (and if so, if successfully or not) and have an alarm on it.

Is this information available in syslog shipped to our SIEM?

Environment

Release : 4.1

Cause

We would like to avoid a weekly manual check, so we are looking for an automatic way to do it.

Resolution

 

Yes, we send a metric message to the syslog server for each account, and at the end we send a metric message for the scheduled job itself. By default this is in XML format, but in the latest PAM release you can change it to space-delimited.

The metric type is "runScheduledJob". The message includes the job name, shows the user ID as "ScheduledJob", and shows whether the job completed successfully or not.

A job is regarded as successful if all target accounts in it are verified or updated successfully.

2023-02-08T15:24:00+00:00 rp614428-38-122 pam DETAIL <Metric><type>runScheduledJob</type><level>1</level><description><hashmap><k>dateTime</k><v>2023-02-08-15-24-00</v><k>commandInitiator</k><v>USER</v><k>initiatingUser</k><v>super</v><k>dayOfWeek</k><v>1</v><k>scheduleCommand</k><v>&lt;hashmap&gt;&lt;k&gt;TargetAccount.passwordVerified&lt;/k&gt;&lt;v&gt;null&lt;/v&gt;&lt;k&gt;groupID&lt;/k&gt;&lt;v&gt;33001&lt;/v&gt;&lt;k&gt;this.cn&lt;/k&gt;&lt;v&gt;verifyAccountPassword&lt;/v&gt;&lt;k&gt;x_useTargetGroup&lt;/k&gt;&lt;v&gt;true&lt;/v&gt;&lt;k&gt;useSamePassword&lt;/k&gt;&lt;v&gt;true&lt;/v&gt;&lt;k&gt;x_generatePassword&lt;/k&gt;&lt;v&gt;true&lt;/v&gt;&lt;k&gt;initiatingUser&lt;/k&gt;&lt;v&gt;super&lt;/v&gt;&lt;/hashmap&gt;</v><k>repeatElapsedDays</k><v>1</v><k>recurrent</k><v></v><k>commandToExecute</k><v>verifyAccountPassword</v><k>jobName</k><v>verifylinux</v><k>repeatEveryWeekDay</k><v>false</v><k>daysOfWeek</k><v></v><k>nthWeek</k><v>1</v><k>dayOfMonth</k><v>1</v><k>repeatEveryNthWeek</k><v>false</v><k>repeatEveryDayOfMonth</k><v>true</v><k>repeatMonths</k><v></v></hashmap></description><errorCode>0</errorCode><userID>ScheduledJob</userID><success>true</success><originatingIPAddress></originatingIPAddress><originatingHostName></originatingHostName><extensionType></extensionType></Metric>
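
The following is an added example, not part of the original article or of the product: a SIEM-side Python check that parses the default XML-format message shown above and reports a scheduled job that failed or that has not reported within a window. The function names, the host name `pam-host`, the job name `rotatewindows`, the errorCode value 1 and the one-day window are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

def parse_job_metric(line):
    """Return a dict for a job-level runScheduledJob message, else None."""
    start = line.find("<Metric>")
    if start < 0 or "<!" in line[start:]:  # not a metric, or DTD/entity markup
        return None
    try:
        when = datetime.fromisoformat(line.split(" ", 1)[0])
        root = ET.fromstring(line[start:])
    except (ValueError, ET.ParseError):
        return None
    if (root.findtext("type"), root.findtext("userID")) != ("runScheduledJob", "ScheduledJob"):
        return None
    hm = root.find("description/hashmap")
    if hm is None:
        return None
    # <k>/<v> children alternate; the escaped inner hashmap stays plain text
    fields = dict(zip((k.text for k in hm.findall("k")),
                      (v.text or "" for v in hm.findall("v"))))
    return {"time": when, "job": fields.get("jobName", ""),
            "success": root.findtext("success") == "true",
            "error_code": root.findtext("errorCode")}

def evaluate(lines, expected_jobs, now, max_age=timedelta(days=1)):
    """Alert on a failed latest run, or on no run reported within max_age."""
    latest = {}
    for m in filter(None, map(parse_job_metric, lines)):
        if m["job"] not in latest or m["time"] > latest[m["job"]]["time"]:
            latest[m["job"]] = m
    alerts = []
    for job in expected_jobs:
        m = latest.get(job)
        if m is None or now - m["time"] > max_age:
            alerts.append((job, "MISSING"))
        elif not m["success"]:
            alerts.append((job, "FAILED"))
    return alerts

# Constructed sample lines modelled on the message above (hashmap shortened).
def _line(ts, job, ok, code):
    return (f"{ts} pam-host pam DETAIL <Metric><type>runScheduledJob</type>"
            "<description><hashmap><k>scheduleCommand</k><v>&lt;hashmap&gt;&lt;k&gt;"
            "this.cn&lt;/k&gt;&lt;v&gt;verifyAccountPassword&lt;/v&gt;&lt;/hashmap&gt;</v>"
            f"<k>recurrent</k><v></v><k>jobName</k><v>{job}</v></hashmap></description>"
            f"<errorCode>{code}</errorCode><userID>ScheduledJob</userID>"
            f"<success>{ok}</success></Metric>")

SAMPLE = [_line("2023-02-08T15:24:00+00:00", "verifylinux", "true", 0),
          _line("2023-02-08T16:00:00+00:00", "rotatewindows", "false", 1)]
```

The MISSING result covers the case the weekly manual check was meant to catch: a job that never ran produces no message at all, so alerting only on `<success>false</success>` would miss it.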