Symantec Privileged Access Management

  • 1.  How to configure PIM to forward the logs to SPLUNK, with High availability.

    Posted Aug 15, 2018 02:58 PM

    How do I configure the Event Forwarder on Privileged Identity Manager (ENTM and DH server) to send the logs to SPLUNK with high availability?

    I have configured the Event Forwarder on the EM server and configured the VIP (with EM and DH server) to specify in the accommon.ini file on the endpoints. But when the EM server goes down, this architecture is not able to send the logs to SPLUNK.

    What am I missing here?



  • 2.  Re: How to configure PIM to forward the logs to SPLUNK, with High availability.

    Broadcom Employee
    Posted Aug 16, 2018 12:55 PM

    Hi Kripa,

    I have not tested this exact situation myself, but I suspect the problem may be related to the Event Forwarder service on the secondary ENTM. Have you confirmed that the Event Forwarder service is running in the Services panel when this happens?

     

    Regards,

    Christian Lutz

    Sr. Support Engineer

    CA Technologies - North America



  • 3.  Re: How to configure PIM to forward the logs to SPLUNK, with High availability.
    Best Answer

    Posted Sep 05, 2018 05:18 PM

    Kripa,

    What you will need to do is configure the EventForwarder on the Distribution Servers to send the local queue/audit messages to Splunk. By default, after the DS install, queue/audit is set up as a routed queue to the primary ENTM. This is seen as queue/audit@ENTM host in the configuration (queue.conf). If you remove @ENTM host, this will make it a local queue.

    The published fix RO93962 has instructions on how to deploy the fix, which you would do on the DS so it will read the queue/audit data and send it over.

    This has not been explicitly tested by CA.

     

    Thanks, 

     

    Aaron 
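As an added example (not code from the thread or from CA): a small Python check for the queues.conf layout quoted in this thread, which tells you whether queue/audit is still routed to the ENTM (name@host) or held locally on the DS, and applies only the change Aaron describes, dropping the @host from the audit queue while leaving every other routed queue untouched. The sample file and the host name ENTM-HOST are constructed placeholders.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the queues.conf layout quoted in this thread:
# "<queue>[@<host>] [flag,flag,...]". ENTM-HOST is a placeholder host name.
SAMPLE_QUEUES_CONF = """\
queue/DLQ
queue/snapshots@ENTM-HOST secure,global
queue/audit@ENTM-HOST secure,global
ac_endpoint_to_server@ENTM-HOST secure,global
ac_server_to_server_local secure,maxbytes=1GB,overflowPolicy=discardOld
"""

# queue name, optional @host (routed queue), optional comma-separated flags
LINE_RE = re.compile(r"^(?P<name>[^@\s]+)(?:@(?P<host>\S+))?(?:\s+(?P<flags>\S+))?$")


def parse_queues_conf(text: str) -> Dict[str, Tuple[Optional[str], List[str]]]:
    """Map queue name -> (host the queue is routed to, or None if local; flag list)."""
    queues: Dict[str, Tuple[Optional[str], List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blanks and the comment header
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable queues.conf line: {raw!r}")
        flags = m.group("flags").split(",") if m.group("flags") else []
        queues[m.group("name")] = (m.group("host"), flags)
    return queues


def audit_queue_is_local(text: str) -> bool:
    """True only when queue/audit exists and carries no @host, i.e. it lives on this DS."""
    entry = parse_queues_conf(text).get("queue/audit")
    return entry is not None and entry[0] is None


def make_audit_queue_local(text: str) -> str:
    """Drop the @host from the queue/audit line only; other routed queues stay as they are."""
    out = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m and m.group("name") == "queue/audit" and m.group("host"):
            flags = f" {m.group('flags')}" if m.group("flags") else ""
            out.append(f"queue/audit{flags}")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"
```

Run `audit_queue_is_local` over the DS file after the change to confirm the audit queue is local before expecting the forwarder on the DS to read from it.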



  • 4.  Re: How to configure PIM to forward the logs to SPLUNK, with High availability.

    Posted Sep 06, 2018 10:53 AM

    Aaron,

    I updated the queues.conf according to your instructions, but still no luck.

    1. tail queues.conf

    queue/DLQ
    queue/snapshots@HE3ILXVDMID655 secure,global
    queue/audit secure,global
    ac_endpoint_to_server@HE3ILXVDMID655 secure,global
    ac_server_to_endpoint@HE3ILXVDMID655 secure,global
    RuntimeStatusDetailQueue@HE3ILXVDMID655 secure,global
    ac_server_to_server@HE3ILXVDMID655 secure,global
    ac_server_to_server_local secure,maxbytes=1GB,overflowPolicy=discardOld
    com.netegrity.ims.msg.queue@HE3ILXVDMID655 secure,global
    ac_server_to_server_recording secure,global,maxbytes=10GB,overflowPolicy=rejectIncoming

    Thanks,

    Kripa Singh, CISSP, CISM, CISA

    Security Operations & Reliability Engineering, Tech Lead

    Information Security

    (O): 703-450-3152

    (M): 571-226-0056



  • 5.  Re: How to configure PIM to forward the logs to SPLUNK, with High availability.

    Posted Sep 07, 2018 03:50 PM

    I am getting the following messages in the /opt/CA/AccessControlServer/Services/EventForwarder/log/EventForwarder.log file on the Loadbalancer/DH server when the primary EM server is down:

    2018-09-07 15:41:49.780 | INFO  | main       | com.ca.ppm.eventForwarder.services.Receiver       :39    | Send configuration request to the server
    2018-09-07 15:42:09.860 | ERROR | main       | com.ca.ppm.eventForwarder.services.ForwarderManagerImpl:213   | No TENENT (Syslog) configuration message received from the server
    2018-09-07 15:42:09.860 | INFO  | main       | com.ca.ppm.eventForwarder.services.ForwarderManagerImpl:193   | Received wrong configuration, going to sleep for: 60 seconds
    2018-09-07 15:43:09.860 | INFO  | main       | com.ca.ppm.eventForwarder.services.Receiver       :39    | Send configuration request to the server
    2018-09-07 15:43:29.941 | ERROR | main       | com.ca.ppm.eventForwarder.services.ForwarderManagerImpl:213   | No TENENT (Syslog) configuration message received from the server
    2018-09-07 15:43:29.941 | INFO  | main       | com.ca.ppm.eventForwarder.services.ForwarderManagerImpl:193   | Received wrong configuration, going to sleep for: 60 seconds
    2018-09-07 15:44:29.942 | INFO  | main       | com.ca.ppm.eventForwarder.services.Receiver       :39    | Send configuration request to the server
    2018-09-07 15:44:50.036 | ERROR | main       | com.ca.ppm.eventForwarder.services.ForwarderManagerImpl:213   | No TENENT (Syslog) configuration message received from the server
    2018-09-07 15:44:50.036 | INFO  | main       | com.ca.ppm.eventForwarder.services.ForwarderManagerImpl:193   | Received wrong configuration, going to sleep for: 60 seconds
    2018-09-07 15:45:50.036 | INFO  | main       | com.ca.ppm.eventForwarder.services.Receiver       :39    | Send configuration request to the server
    2018-09-07 15:46:10.119 | ERROR | main       | com.ca.ppm.eventForwarder.services.ForwarderManagerImpl:213   | No TENENT (Syslog) configuration message received from the server
    2018-09-07 15:46:10.120 | INFO  | main       | com.ca.ppm.eventForwarder.services.ForwarderManagerImpl:193   | Received wrong configuration, going to sleep for: 60 seconds

    The conf is changed as below:

    1. business.inventory prefetch=1,maxbytes=1MB
    2. supermarket        exclusive,import=RV
    #
    ########################################################################

    sample

    queue.sample

    queue/A
    queue/B
    queue/DLQ
    queue/snapshots@HE3ILXVDMID655 secure,global
    queue/audit secure,global
    ac_endpoint_to_server@HE3ILXVDMID655 secure,global
    ac_server_to_endpoint@HE3ILXVDMID655 secure,global
    RuntimeStatusDetailQueue@HE3ILXVDMID655 secure,global
    ac_server_to_server@HE3ILXVDMID655 secure,global
    ac_server_to_server_local secure,maxbytes=1GB,overflowPolicy=discardOld
    com.netegrity.ims.msg.queue@HE3ILXVDMID655 secure,global
    ac_server_to_server_recording secure,global,maxbytes=10GB,overflowPolicy=rejectIncoming

    Thanks,

    Kripa Singh, CISSP, CISM, CISA

    Security Operations & Reliability Engineering, Tech Lead

    Information Security

    (O): 703-450-3152

    (M): 571-226-0056
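As an added example (not code from the thread or from CA): a Python check that parses EventForwarder.log lines in the layout quoted above and summarises how long the DS forwarder has been stuck requesting its Syslog configuration from an unreachable server, which is the condition to alert on when the primary ENTM goes down and nothing reaches Splunk. The log lines in the block are constructed copies of that layout; the alert threshold is an assumed value.

```python
import re
from datetime import datetime
from typing import Dict, List

# Constructed lines in the EventForwarder.log layout quoted in this thread
# ("<timestamp> | <level> | <thread> | <class:line> | <message>").
SAMPLE_LOG = """\
2018-09-07 15:41:49.780 | INFO  | main       | com.ca.ppm.eventForwarder.services.Receiver       :39    | Send configuration request to the server
2018-09-07 15:42:09.860 | ERROR | main       | com.ca.ppm.eventForwarder.services.ForwarderManagerImpl:213   | No TENENT (Syslog) configuration message received from the server
2018-09-07 15:42:09.860 | INFO  | main       | com.ca.ppm.eventForwarder.services.ForwarderManagerImpl:193   | Received wrong configuration, going to sleep for: 60 seconds
2018-09-07 15:43:09.860 | INFO  | main       | com.ca.ppm.eventForwarder.services.Receiver       :39    | Send configuration request to the server
2018-09-07 15:43:29.941 | ERROR | main       | com.ca.ppm.eventForwarder.services.ForwarderManagerImpl:213   | No TENENT (Syslog) configuration message received from the server
2018-09-07 15:43:29.941 | INFO  | main       | com.ca.ppm.eventForwarder.services.ForwarderManagerImpl:193   | Received wrong configuration, going to sleep for: 60 seconds
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"
NO_CONFIG_MARKER = "No TENENT (Syslog) configuration message received"
SLEEP_RE = re.compile(r"going to sleep for: (\d+) seconds")


def parse_log_line(line: str) -> Dict[str, object]:
    """Split one pipe-delimited EventForwarder.log line into its five fields."""
    ts, level, thread, source, message = [f.strip() for f in line.split("|", 4)]
    return {"ts": datetime.strptime(ts, TS_FORMAT), "level": level,
            "thread": thread, "source": source, "message": message}


def config_outage(text: str, max_failures: int = 2) -> Dict[str, object]:
    """Count config requests and 'No TENENT' failures, report the span between the
    first and last failure and the retry interval; 'alert' is set once at least
    max_failures (assumed threshold) requests have failed."""
    failures: List[datetime] = []
    requests = 0
    retry_seconds = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = parse_log_line(raw)
        msg = str(rec["message"])
        if msg.startswith("Send configuration request"):
            requests += 1
        elif rec["level"] == "ERROR" and NO_CONFIG_MARKER in msg:
            failures.append(rec["ts"])  # type: ignore[arg-type]
        else:
            m = SLEEP_RE.search(msg)
            if m:
                retry_seconds = int(m.group(1))
    span = (failures[-1] - failures[0]).total_seconds() if len(failures) > 1 else 0.0
    return {"requests": requests, "failures": len(failures), "retry_seconds": retry_seconds,
            "seconds_without_config": round(span, 3), "alert": len(failures) >= max_failures}
```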