After A Cluster Restart, Secondary PAM Appliances Stop Sending Messages to Splunk

Article ID: 380840

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

The PAM cluster was recently restarted as part of regular maintenance. After the cluster was restarted, Splunk stopped receiving session log messages from appliances in the secondary site.

Environment

Privileged Access Manager, 4.1.x & 4.2.0

Cause

Session logs are stored in a database table local to each appliance. This issue is caused by a combination of how Logstash tracks session log messages and how the session log table is handled during a cluster start.

Resolution

The issue will be resolved as DE618128 in the 4.2.1 release. To get the logs flowing to Splunk again, please open a support case and reference this KB so that an engineer can provide a workaround.