Layer7 Privileged Access Management


monitoring PAM administrator activity

  • 1.  monitoring PAM administrator activity

    Posted 02-08-2018 03:15 AM

    Question: PAM administrator activity in Credential Manager, like viewing passwords and addition/deletion of target accounts – are these logged by PAM?

    Will these be part of syslog messages, or can they be seen under Session Recording Logs?

    We want to be able to have access to these logs to generate an alert from SIEM for such privileged operations by the PAM administrator.

    Thanks,

    Maruti



  • 2.  Re: monitoring PAM administrator activity

     
    Posted 02-08-2018 09:46 AM

    Hi Maruti,

     

    I'm aware that you can view Administrative activities in Reports on the Credential Management side of PAM. The reports are limited to "Additions", "Updates", and "Deletions". And you can track all the objects in credential manager.

     

    Regards,


    Michael Pass



  • 3.  Re: monitoring PAM administrator activity

    Posted 02-08-2018 09:53 AM

    Hi Michael,

    AFAIK, with 2.8.2, Credential Manager reports are limited to "target password view", not deletion or addition operations.

    Further, I am trying to understand if they can be part of syslog so that we can parse them (SIEM) and generate an alert/notification.

    Please let me know your thoughts and whether any new features are added in the 3.x version.



  • 4.  Re: monitoring PAM administrator activity

    Posted 02-08-2018 11:29 AM

    Hi Maruti, the activities you are interested in would be covered in the "Administrative Activities" report on the password management side. And there should be syslog messages once you integrate PAM with a syslog server. These messages used to be truncated to 1024 characters, but that limit has recently been removed. You would have to upgrade to 2.8.4.1, or proceed to PAM 3.X, to have that benefit. The credential management syslog messages are not easy to digest. PAM documentation for recent releases, e.g. at https://docops.ca.com/ca-privileged-access-manager/3-1-1/EN/implementing/add-credential-manager-roles-and-groups/credential-manager-grouping-terminology, provides helpful information. Target account add/update/delete events would have XML style message details with object type <c.cw.m.ac>.



  • 5.  Re: monitoring PAM administrator activity
    Best Answer

    Posted 02-09-2018 12:29 PM

    I wrote a Knowledge Base article, TEC1604627, that explains how to find the desired information in the Credential Management messages in the Session Log or syslog.  You can try using this document to parse those messages on your SIEM system.  These messages should appear in the syslog.  If they do not, you may want to refer to another article, TEC1120412.  This article explains what to look for to determine if Access and Credential Management messages are being written to the log file, and how to get it working if you don't see the Credential Management messages.  You should be able to find the Tech Docs via the Support portal.  Please let us know if you cannot.



  • 6.  Re: monitoring PAM administrator activity

    Posted 02-09-2018 01:03 PM

    Thanks for the response, but I could not retrieve either of the KB articles; they result in page/URL not found.

    Can you post the links or check if they have been moved?