Question: PAM administrator activity in credential manager like view password, addition/deletion of target accounts – are these logged by PAM?
Will these be part of syslog messages, or can they be seen under Session Recording Logs?
We want to be able to have access to these logs to generate an alert from the SIEM for such privileged operations by a PAM administrator.
Thanks,
Maruti

I wrote a Knowledge Base article, TEC1604627, that explains how to find the desired information in the Credential Management messages in the Session Log or syslog. You can try using this document to parse those messages on your SIEM system. These messages should appear in the syslog. If they do not, you may want to refer to another article, TEC1120412. This article explains what to look for to determine if Access and Credential Management messages are being written to the log file, and how to get it working if you don't see the Credential Management messages. You should be able to find the Tech Docs via the Support portal. Please let us know if you cannot.