Symantec Privileged Access Management

I have PIM integrated with Splunk and having following questions on logs.

1. What are the fileds(or list of fields) appearing in events collected by Splunk?
2. Can someone explain the log format(like sequesnce of fileds in log)?

Sample event collected in Splunk-

Mar  1 10:36:18 S137AF5.netf.adint.ssa.gov  S137AF5 CEF Ver1.0| CA Technologies|Privileged Identity Manager|12.9 SP2|1|Login event|4| EVENT_HEADER=1 dhost=s137a76 Event_type=Login event Status=Permitted susr=root dst=_CRONJOB_ Program=SBIN_CROND start=01 Mar 2018 Time=06:30:01 message=Resource UACC check User_Logon_Session_ID=5a9788e7:00006374 Audit_flags=0 nStatus=80 rt=1519903801 nReason=2 nStage=59

Hello Pravin,

The logs are in syslog format and most of the fields should be self explaining.

An overview of the the audit events that the Event Forwarder forwards to a Syslog server are listed here:

SIEM Events - CA Privileged Identity Manager - 14.0 - CA Technologies Documentation 

A description of Endpoint specific audit events are described in more details here:

Audit Log Records - CA Privileged Identity Manager - 14.0 - CA Technologies Documentation 

Hi Andreas,

Thank you for the response. Suggested link tell us about different types of events will be appeared in SIEM integration. Our customer is looking for the fields of each event type.

As you said, event format is syslog and most of them are self-explanatory but still cannot get some of them.

In the sample event, looks like it is 'pipe' separated format the first field is then "Mar 1 10:36:18 S137AF5.netf.adint.ssa.gov S137AF5 CEF Ver1.0". It has date and time with our distribution server name appeared in FQDN and in short name with additional information about CEF version. So, in short, first field provides more than one form of information.

Also, there are fields like "1" and "4" which are not self-explanatory.

If you can help me to get information on all fields would be great help.

Thanks,

Pravin Bhole