Symantec Privileged Access Management

  • 1.  External Log Server question

    Posted Jan 09, 2017 12:43 AM

    We set up a PAM external log server (MySQL), but the log table seems to record only PAM user login/logout information. We need the checkout/view account password information, such as which target account name was checked out.


  • 2.  Re: External Log Server question
    Best Answer

    Broadcom Employee
    Posted Jan 09, 2017 09:31 AM

    Hi Eddie,

    As pointed out in the support case you have open, the log table on the external log server corresponds to the session logs in CA PAM, which does not include the messages you are looking for. The Password Management messages are included in our syslog integration. If you want to see PM messages stored in an external DB, please raise an idea (rather than posting a question) on this community site; see the screenshots I had sent you earlier.


    Thanks,

    Ralf Prigl



  • 3.  Re: External Log Server question

    Broadcom Employee
    Posted Mar 21, 2019 10:36 AM

    Ralf,

    A client is trying to extract CM Audit Data from events forwarded to their SYSLOG server (rsyslog.d on RHEL) but they can't seem to find the Password Views audit data.

    According to our documentation, https://docops.ca.com/ca-privileged-access-manager/3-2-4/en/reference/messages-and-log-formats/syslog-message-formats, we should be able to retrieve the audit data from the syslog server, albeit it may require some "decoding" as the CM Audit Records are in an XML format and the data within itself needs to be mapped to appropriate event types, etc.

    I have the following questions for you.

    1. On the Syslog server, should we be able to see the same audit data that we see in the "Password Views Report"?

    2. What exactly are we looking for on the syslog side - can you provide an example of what the audit data record would look like for a "Password View" event?

    3. Does rsyslog.d require any special configuration / template?

    Thanks in advance.