Kelly Wong

Tech Tip - CA Privileged Access Manager: Socket Filter Agent Monitoring

Blog Post created by Kelly Wong Employee on May 23, 2017

CA Privileged Access Manager Tech Tip by Kelly Wong, Principal Support Engineer for 23rd May 2017



Device with Socket Filter Agent is not displayed in the Socket Filter Agents Status list (Devices >> Socket Filter Agent). 

'SFA Monitoring' is enabled from Socket Filter Config and SFA daemon/ service is running on the Target Host.




SFA monitoring is intended for filter monitoring.

If this is a new device to CA PAM or SFA is freshly installed on the device, please ensure that a socket filter is assigned to the device in the respective policy setup.


From the SFA log -- log.txt, we should find the communication traces between PAM appliance and Target Host. Example:

5/16/2017 7:59:36 PM CHR:MONITORING THREAD::New thread::socket:268 ...
5/16/2017 7:59:36 PM CHR:We received::From:<PAM_IP> To:<Target_IP>
5/16/2017 7:59:36 PM ReplyHello: Sending HELLO_REPLY: pacHdr.PacketLength:12, packet:2.70|2
5/16/2017 7:59:36 PM ReplyHello: Sent HELLO_REPLY, sent 18 bytes
5/16/2017 7:59:36 PM handleConn: recv failed,retVal = 0 ,ErrorCode = 0 , so no request is following the HELLO.


Additional Information

Check the log.txt residing under <Socket Filter>\Bin directory to troubleshoot the SFA related issues.