Layer7 Privileged Access Management


PIM-Splunk event format and field explanation

  • 1.  PIM-Splunk event format and field explanation

    Posted 03-01-2018 10:40 AM

    I have PIM integrated with Splunk and have the following questions on the logs.

    1. What are the fields (or the list of fields) appearing in events collected by Splunk?
    2. Can someone explain the log format (e.g. the sequence of fields in the log)?

    Sample event collected in Splunk:

    Mar  1 10:36:18 S137AF5.netf.adint.ssa.gov  S137AF5 CEF Ver1.0| CA Technologies|Privileged Identity Manager|12.9 SP2|1|Login event|4| EVENT_HEADER=1 dhost=s137a76 Event_type=Login event Status=Permitted susr=root dst=_CRONJOB_ Program=SBIN_CROND start=01 Mar 2018 Time=06:30:01 message=Resource UACC check User_Logon_Session_ID=5a9788e7:00006374 Audit_flags=0 nStatus=80 rt=1519903801 nReason=2 nStage=59



  • 2.  Re: PIM-Splunk event format and field explanation
    Best Answer

    Posted 03-02-2018 03:54 AM

    Hello Pravin,


    The logs are in syslog format and most of the fields should be self-explanatory.

    An overview of the audit events that the Event Forwarder forwards to a Syslog server is listed here:

    SIEM Events - CA Privileged Identity Manager - 14.0 - CA Technologies Documentation 


    Endpoint-specific audit events are described in more detail here:

    Audit Log Records - CA Privileged Identity Manager - 14.0 - CA Technologies Documentation 



  • 3.  Re: PIM-Splunk event format and field explanation

    Posted 03-05-2018 08:26 AM

    Hi Andreas,

    Thank you for the response. The suggested link tells us about the different types of events that will appear in the SIEM integration. Our customer is looking for the fields of each event type.

    As you said, the event format is syslog and most of the fields are self-explanatory, but I still cannot make sense of some of them.

    In the sample event, it looks like a pipe-separated format; the first field is then "Mar 1 10:36:18 S137AF5.netf.adint.ssa.gov S137AF5 CEF Ver1.0". It has the date and time, with our distribution server name appearing both as an FQDN and as a short name, plus additional information about the CEF version. So, in short, the first field provides more than one piece of information.

    Also, there are fields like "1" and "4" which are not self-explanatory.

    If you could help me get information on all the fields, it would be a great help.

    Thanks,

    Pravin Bhole



  • 4.  Re: PIM-Splunk event format and field explanation

    Posted 03-05-2018 08:36 AM

    Hello Pravin,


    I guess the reason why the first "field" in your case is not resolved correctly is a known issue in the EventForwarder - please open a Support Case with us and we will provide you with a fix for this.
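As an added example (not part of this thread, and not code from CA or Splunk), the parser below splits the sample event from the question into its three parts: the syslog prefix, the seven pipe-delimited CEF header fields (version, vendor, product, product version, signature id, event name, severity; the "1" and "4" asked about above are the signature id and severity), and the key=value extension. The regexes are the assumption: it accepts both the standard "CEF:0|" prefix and the non-standard "CEF Ver1.0|" seen in the sample, and treats extension values as running up to the next whitespace-preceded "key=" token, which is how the spaces inside "Login event" and "01 Mar 2018" are kept intact.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the event from the original question, joined onto one line.
SAMPLE = ("Mar  1 10:36:18 S137AF5.netf.adint.ssa.gov  S137AF5 CEF Ver1.0| CA Technologies|"
          "Privileged Identity Manager|12.9 SP2|1|Login event|4| EVENT_HEADER=1 dhost=s137a76 "
          "Event_type=Login event Status=Permitted susr=root dst=_CRONJOB_ Program=SBIN_CROND "
          "start=01 Mar 2018 Time=06:30:01 message=Resource UACC check "
          "User_Logon_Session_ID=5a9788e7:00006374 Audit_flags=0 nStatus=80 rt=1519903801 "
          "nReason=2 nStage=59")

HEADER_FIELDS = ["cef_version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity"]

def parse_cef(line):
    # The syslog prefix ends where the CEF header starts. Accept the standard
    # "CEF:0|" prefix and the non-standard "CEF Ver1.0|" form in the sample (assumption).
    m = re.search(r"CEF(?::|\s+Ver)\s*([\d.]+)\|", line)
    if not m:
        raise ValueError("no CEF header found")
    syslog_prefix = line[:m.start()].rstrip()
    rest = line[m.end():]
    # Six more header fields follow the version, then the extension. A literal pipe
    # inside a header field is escaped as "\|", so split on unescaped pipes only.
    parts = re.split(r"(?<!\\)\|", rest, maxsplit=6)
    if len(parts) != 7:
        raise ValueError("CEF header has too few fields")
    header = dict(zip(HEADER_FIELDS, [m.group(1)] + [p.strip() for p in parts[:6]]))
    extension = parse_extension(parts[6].strip())
    return {"syslog_prefix": syslog_prefix, "header": header, "extension": extension}

def parse_extension(ext):
    # Extension is "key=value key2=value2"; values may contain spaces, so each value
    # runs from its "=" up to the next whitespace-preceded "key=" token.
    keys = list(re.finditer(r"(?:^|\s)([^\s=]+)=", ext))
    out = {}
    for i, k in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[k.group(1)] = ext[k.end():end].strip()
    return out

def receipt_time_utc(event):
    # rt is an epoch timestamp in seconds; render it in UTC so it can be compared
    # against the local "Time=" field when checking clock and timezone consistency.
    return datetime.fromtimestamp(int(event["extension"]["rt"]), tz=timezone.utc).isoformat()

if __name__ == "__main__":
    ev = parse_cef(SAMPLE)
    print(ev["header"])
    print(ev["extension"]["susr"], ev["extension"]["dst"], receipt_time_utc(ev))
```

For the sample, rt resolves to 11:30:01 UTC while Time is 06:30:01, a five-hour offset that is worth verifying against the endpoint's timezone before building time-based alerts on either field.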