CEF audit is showing two "susr" fields in the CEF message

Article ID: 278763

Products

CA Privileged Identity Management Endpoint (PIM)

Issue/Introduction

PAMSC emits two fields with the same name, 'susr', in one CEF message, each standing for a different description.

susr=root 
Program=/usr/bin/bash start=07 Dec 2023 Time=12:21:52 message=OWNER check of resource User_Logon_Session_ID=xxxxxx Audit_flags=0 
susr=root nStatus=80 rt=1701947925 nReason=3 nStage=54 OS=Linux

Environment

 PAM 4.1 that receives events from PIM 12.8SP1 and PAM SC 14.1

Cause


There are two "susr" fields in the CEF message: one corresponds to UserName and the other to EffectiveUserName.
This is confusing in audit logs.
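
An added example, not part of the original article or the product's code: a Python check that parses a CEF extension string without collapsing repeated keys and reports any key that occurs more than once, such as the two susr fields above. The function names are hypothetical, and the sample is the extension text quoted in this article joined onto one line.

```python
import re
from collections import defaultdict

# Constructed sample: the extension text quoted in this article, joined onto one line.
SAMPLE = (
    "susr=root Program=/usr/bin/bash start=07 Dec 2023 Time=12:21:52 "
    "message=OWNER check of resource User_Logon_Session_ID=xxxxxx Audit_flags=0 "
    "susr=root nStatus=80 rt=1701947925 nReason=3 nStage=54 OS=Linux"
)

# A key is a run of word characters at the start of the text or after whitespace,
# directly followed by "=". An escaped "\=" inside a value never matches, because
# the backslash is not a word character.
KEY_RE = re.compile(r"(?:^|(?<=\s))(\w+)=")


def parse_extension(ext):
    """Return every (key, value) pair in message order, keeping repeated keys."""
    marks = list(KEY_RE.finditer(ext))
    pairs = []
    for i, m in enumerate(marks):
        # A value runs up to the start of the next key, so it may contain spaces.
        end = marks[i + 1].start() if i + 1 < len(marks) else len(ext)
        pairs.append((m.group(1), ext[m.end():end].strip()))
    return pairs


def duplicate_keys(pairs):
    """Map each key that occurs more than once to its values, in message order."""
    seen = defaultdict(list)
    for key, value in pairs:
        seen[key].append(value)
    return {k: v for k, v in seen.items() if len(v) > 1}


def last_wins(pairs):
    """What a dict-based consumer keeps: the later value replaces the earlier one."""
    return dict(pairs)


if __name__ == "__main__":
    for key, values in duplicate_keys(parse_extension(SAMPLE)).items():
        print(f"duplicate key {key!r}: values {values}")
```

Comparing `duplicate_keys` with `last_wins` on the same message shows which value a dictionary-based consumer would drop.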

Resolution

The solution will be included in a hotfix to be installed over PAM 4.1.6.01.