Generate Last login report of users in PAM
Article ID: 268553
Updated On:
Products
Issue/Introduction
Is it possible to generate a report for all the users on-boarded on PAM showing their last login time?
Resolution
The best way you can achieve the objective with PAM currently is via the 'GET /api.php/v1/users.json' REST API call.
You can specify the following field to retrieve last user login times with this API call:
lastSuccessfulLoginTime
Example when using the Settings > API Doc page:
After clicking on the "Try it out!" button and entering API key credentials that have read access to all users, you get a result similar to the following in JSON format, with lastSuccessfulLoginTime values included in epoch time.
You can convert epoch time to human readable time using time conversion methods programmatically, or interactively with online tools such as https://www.epochconverter.com/
Another option is to extract login messages with time stamps from session logs. They can be exported from the Sessions > Logs page, or viewed in the SIEM tool you have integrated with PAM, such as Splunk. When a user logs in to PAM, a "PAM-CMN-0917" message will be generated in the session logs, such as "PAM-CMN-0917: User super logged in successfully via LOCAL authentication.". Keep in mind that in a PAM cluster each node will only show its own session log messages. Also, the number of messages retained on each node are capped at 250000 and may not go back as far as you want to look.
Additional Information
See documentation page PAM External REST API and pages under it for details on how to enable the Rest API and configure API keys for use by administrators and programmers.
Feedback
