Reports are not being sent to the CA PAM Utility Appliance even


Article ID: 275695


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

When a PAM SC endpoint is configured to communicate with a PAM Utility Appliance so that events can be forwarded to SIEM or syslog, errors in the ReportAgent log indicate that the reports are not being sent, even though eventforwarder has been configured correctly according to the recommendations in

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/4-1-5/pam-server-control/Administrate-PAM-SC/siem-track-user-behavior-activities-on-server-control-devices.html

and also the SIEM/syslog service on the receiving endpoint has been configured according to:

https://knowledge.broadcom.com/external/article?articleId=260967

to support TCP. Despite this, and despite messages in policyfetcher.log indicating that there is a connection to the DH, the following error messages continue to appear in the ReportAgent log files:

[ACMQ INFORMATION]: ACMQ_Init [452]: Connecting to Server URL = failover:(mock://127.0.0.1:61616?wireFormat=openwire)?maxReconnectAttempts=5.

[ACMQ INFORMATION]: ACMQ_Init [581]: Successfully connected to the Distribution Server mock://127.0.0.1:61616?wireFormat=openwire with user = +reportagent.

[ACMQ INFORMATION]: ACMQ_Init [452]: Connecting to Server URL = failover:(ssl://<DH_Server_IP>:61616)?maxReconnectAttempts=5.

[ACMQ INFORMATION]: ACMQ_Init [581]: Successfully connected to the Distribution Server ssl://<DH_Server_IP>:61616 with user = +reportagent.

[ACMQ INTERNAL ERROR]: acmq_MsgSend failed on line: 707 with error: 'User +reportagent is not authorized to write to: queue://queue/snapshots'.

Additional Info: Server = ssl://<DH_Server_IP>;

Queue = queue/snapshots.

[ACMQ INFORMATION]: ACMQ_Terminate [884]: Terminate connection to Distribution Server.

[ACMQ INFORMATION]: ACMQ_Terminate [884]: Terminate connection to Distribution Server

And the ac2xml.log is displaying the following errors:

closed file /opt/CA/PAMSCShared/data/db2xml/ACDB.xml
Schedule parameter: 00:00@Sun,Mon,Tue,Wed,Thu,Fri,Sat
7 days parsed
Local Time: Mon Oct 30 16:49:00 2023

STATUS: Waiting for next report generation. Time: 00:00 Tue
Wait parameters: days = 1, hours = -16, minutes = -49
Sleep Time: 25860...
Set message expiration time 25560 seconds
***Error: failed to send acmq message: ERROR: Failed to send a message to the Message Queue, rv = %d: %s
Failed to send report (seosdb)!
ERROR: do_report failed.

 

 

 

Environment

PAM SC 14.1 reporting to DS 14.1 or PAM UTA 4.1.X

Cause

There are several possible causes for this, but one of them is that the audit setting for sending reports to ActiveMQ is not enabled.

In this case, even if the ReportAgent is running and is able to connect to ActiveMQ on the Distribution Server/PAM Utility Appliance, these errors will show up.

To verify this, open the accommon.ini file under /opt/CA/PAMSCShared, go to the [ReportAgent] section, and check the following setting:

audit_enabled
Specifies whether you want to send endpoint audit data to the Distribution Server.
Values:
0 no; 1 yes
Default: 0
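
The check described above as a shell function, added here as an illustration and not taken from Broadcom's documentation or tooling. The function names and the ACCOMMON_INI variable are hypothetical, and the parser assumes `key = value` lines with `;` or `#` comment lines; the file location and the default of 0 come from this article.

```shell
#!/bin/sh
# Added example: report the effective audit_enabled value in [ReportAgent].
# Assumes "key = value" lines and ";" / "#" comment lines (format assumption).

# Location taken from the article; override with ACCOMMON_INI if it differs.
ACCOMMON_INI="${ACCOMMON_INI:-/opt/CA/PAMSCShared/accommon.ini}"

# Print the effective value of audit_enabled from the [ReportAgent] section.
# A missing key falls back to 0, the default the article documents.
report_agent_audit_enabled() {
    awk '
        /^[ \t]*[;#]/ { next }                        # skip comment lines
        /^[ \t]*\[/ {                                  # any section header
            in_section = ($0 ~ /^[ \t]*\[ReportAgent\][ \t]*$/)
            next
        }
        in_section && /^[ \t]*audit_enabled[ \t]*=/ {
            value = $0
            sub(/^[^=]*=[ \t]*/, "", value)           # drop "key ="
            sub(/[ \t\r]+$/, "", value)               # drop trailing blanks and CR
            found = 1
        }
        END { print (found ? value : "0") }
    ' "$1"
}

# Return 0 when audit data will be sent, 1 when it will not, 2 on read error.
check_report_agent_audit() {
    value=$(report_agent_audit_enabled "$1") || return 2
    if [ "$value" = "1" ]; then
        echo "audit_enabled=1: ReportAgent sends audit data"
        return 0
    fi
    echo "audit_enabled=$value: set it to 1 in [ReportAgent] and restart the ReportAgent"
    return 1
}

# Run the check only where the file exists, so the script is safe to source.
if [ -r "$ACCOMMON_INI" ]; then
    check_report_agent_audit "$ACCOMMON_INI"
fi
```

A key with the same name in another section, or one that is commented out, does not count; only an active `audit_enabled` line inside `[ReportAgent]` is reported.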
 

Resolution

If this setting has a value of 0, change it to 1 and restart the ReportAgent.

Additional Information

The message

[ACMQ INTERNAL ERROR]: acmq_MsgSend failed on line: 707 with error: 'User +reportagent is not authorized to write to: queue://queue/snapshots'.

can be safely ignored.