When a PAM SC endpoint is configured to communicate with a PAM Utility appliance so that events can be forwarded to a SIEM or syslog, errors in the ReportAgent log indicate that the reports are not being sent. This happens even though eventforwarder has been configured correctly according to the recommendations in
Track User Behavior Activities on Server Control Endpoints Using an SIEM Tool
and the SIEM/syslog service on the receiving endpoint has been configured according to KB 260967 to support TCP. Despite this, and although messages in policyfetcher.log indicate that there is a connection to the DH, the following error messages continue to appear in the ReportAgent log files:
[ACMQ INFORMATION]: ACMQ_Init [452]: Connecting to Server URL = failover:(mock://127.0.0.1:61616?wireFormat=openwire)?maxReconnectAttempts=5.
[ACMQ INFORMATION]: ACMQ_Init [581]: Successfully connected to the Distribution Server mock://127.0.0.1:61616?wireFormat=openwire with user = +reportagent.
[ACMQ INFORMATION]: ACMQ_Init [452]: Connecting to Server URL = failover:(ssl://<DH_Server_IP>:61616)?maxReconnectAttempts=5.
[ACMQ INFORMATION]: ACMQ_Init [581]: Successfully connected to the Distribution Server ssl://<DH_Server_IP>:61616 with user = +reportagent.
[ACMQ INTERNAL ERROR]: acmq_MsgSend failed on line: 707 with error: 'User +reportagent is not authorized to write to: queue://queue/snapshots'.
Additional Info: Server = ssl://<DH_Server_IP>;
Queue = queue/snapshots.
[ACMQ INFORMATION]: ACMQ_Terminate [884]: Terminate connection to Distribution Server.
[ACMQ INFORMATION]: ACMQ_Terminate [884]: Terminate connection to Distribution Server
The ac2xml.log also displays the following errors:
closed file /opt/CA/PAMSCShared/data/db2xml/ACDB.xml
Schedule parameter: 00:00@Sun,Mon,Tue,Wed,Thu,Fri,Sat
7 days parsed
Local Time: Mon Oct 30 16:49:00 2023
STATUS: Waiting for next report generation. Time: 00:00 Tue
Wait parameters: days = 1, hours = -16, minutes = -49
Sleep Time: 25860...
Set message expiration time 25560 seconds
***Error: failed to send acmq message: ERROR: Failed to send a message to the Message Queue, rv = %d: %s
Failed to send report (seosdb)!
ERROR: do_report failed.
PAM SC 14.1 reporting to DS 14.1 or PAM UTA 4.1.X
There are several possible causes for this. One of them is that the audit setting for sending reports to ActiveMQ is not enabled.
In this case the errors appear even if the ReportAgent is running and is able to connect to ActiveMQ on the Distribution Server/PAM Utility Appliance.
To verify this, edit the accommon.ini file under /opt/CA/PAMSCShared, go to the [ReportAgent] section and check
If the current setting has value 0, change it to 1 and restart the ReportAgent.
The message
[ACMQ INTERNAL ERROR]: acmq_MsgSend failed on line: 707 with error: 'User +reportagent is not authorized to write to: queue://queue/snapshots'.
can be safely ignored.
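
The reading of the logs given above, as an added example that is not part of the original article and is not vendor code: a shell function that separates the queue/snapshots authorization message, which can be ignored, from the ac2xml send failures that point to the [ReportAgent] section. The function names and verdict labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not vendor code): triage ReportAgent / ac2xml log lines on stdin.
# The matched strings are taken from the log excerpts in this article.

triage_reportagent() {
    awk '
    # Authorization error on queue/snapshots: the article says it can be ignored.
    /acmq_MsgSend failed/ && /not authorized to write to: queue:\/\/queue\/snapshots/ {
        ignorable++; next
    }
    # Real broker connection; the local mock:// connection is not counted.
    /Successfully connected to the Distribution Server/ && !/mock:\/\// {
        connected++; next
    }
    # ac2xml failed to hand the report to the message queue.
    /failed to send acmq message/ || /Failed to send report/ || /do_report failed/ {
        send_failures++; next
    }
    END {
        printf "connected=%d ignorable=%d send_failures=%d\n", connected, ignorable, send_failures
        if (send_failures > 0 && connected > 0)
            print "verdict=review_reportagent_section"   # connected, yet reports fail
        else if (send_failures > 0)
            print "verdict=other_cause"                  # not covered by this article
        else
            print "verdict=no_send_failure"
    }'
}

# Constructed sample input: lines copied from the excerpts above.
sample_log() {
    cat <<'EOF'
[ACMQ INFORMATION]: ACMQ_Init [581]: Successfully connected to the Distribution Server mock://127.0.0.1:61616?wireFormat=openwire with user = +reportagent.
[ACMQ INFORMATION]: ACMQ_Init [581]: Successfully connected to the Distribution Server ssl://<DH_Server_IP>:61616 with user = +reportagent.
[ACMQ INTERNAL ERROR]: acmq_MsgSend failed on line: 707 with error: 'User +reportagent is not authorized to write to: queue://queue/snapshots'.
***Error: failed to send acmq message: ERROR: Failed to send a message to the Message Queue, rv = %d: %s
Failed to send report (seosdb)!
ERROR: do_report failed.
EOF
}

sample_log | triage_reportagent
```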