Ralf,
A client is trying to extract CM Audit Data from events forwarded to their SYSLOG server (rsyslog.d on RHEL), but they can't seem to find the Password Views audit data.
According to our documentation (https://docops.ca.com/ca-privileged-access-manager/3-2-4/en/reference/messages-and-log-formats/syslog-message-formats), we should be able to retrieve the audit data from the syslog server, albeit it may require some "decoding" as the CM Audit Records are in an XML format and the data within itself needs to be mapped to appropriate event types, etc.
I have the following questions for you.
1. On the Syslog server, should we be able to see the same audit data that we see in the "Password Views Report"?
2. What exactly are we looking for on the syslog side - can you provide an example of what the audit data record would look like for a "Password View" event?
3. Does rsyslog.d require any special configuration / template?
Thanks in advance.