Symantec Privileged Access Management

  • 1.  auditlog information

    Posted Jul 22, 2020 07:45 AM

    Hello,

     

    I have received questions about auditlog records from a user.

    If someone accesses a PIM server and some resource from a remote device, new records are generated in the auditlog (seos.audit).

    He is wondering from where in the server the auditlog collects user information (hostname, IP address or userID).

    I have checked your online manual, but I couldn't find useful information to answer it.

    Could you kindly share with us how to collect the information (especially the user information)?

     

    Regards,

    UCHIDA Akio



  • 2.  RE: auditlog information

    Broadcom Employee
    Posted Jul 22, 2020 01:55 PM
    UCHIDA

    This information is stored in an internal DB and can be viewed using seaudit commands on the local nodes.
    An example may look something like this:

    [root@xxxxxxxxxx ~]# seaudit -a -st now-5
    CA Privileged Access Manager Server Control seaudit v14.10.0.1335 - Audit log lister
    Copyright (c) 2018 CA. All rights reserved.
    22 Jul 2020 13:38:47 S UPDATE XUSER seosd 338 10 joe
    22 Jul 2020 13:38:47 P LOGIN joe 59 2 10.230.8.131 SSH (OS user)

    To collect all the latest information about a user logging on at all terminals, you can use:

    [root@xxxxxxxxxxx ~]# seaudit -l "joe" "*"
    CA Privileged Access Manager Server Control seaudit v14.10.0.1335 - Audit log lister
    Copyright (c) 2018 CA. All rights reserved.
    22 Jul 2020 13:38:47 P LOGIN joe 59 2 10.230.8.131 SSH (OS user)
    22 Jul 2020 13:39:50 O LOGOUT joe 49 2 (OS user)

    The command usage can be found with -?

    Most customers have their audit data forwarded to a tool like Splunk, with which they can build larger reports and search through more than 1 host at a time. There are also some reports you can generate from the ENTM GUI if you have configured snapshots. I personally do not have any documentation to provide, and there are several possible methods, but you could request this type of information from a presales or services engineer.

    Joe Lutz




  • 3.  RE: auditlog information

    Posted Jul 27, 2020 07:10 AM

    Hello Joe,

     

    Thank you for your reply.

    I understood that auditlog information would be recorded in an internal DB.

    (I'm guessing the DB you mentioned was seos.audit.)

     

    I would like to make sure how the audit information (especially user information) was recorded.

    When a user tries to access the protected resource, the user information gets recorded as userID, IP address or hostname.

    Am I right?

     

    If so, from where was this information referred?

    In other words, when the record is stored in the DB, which information does the DB fetch?

     

    Regards,

    UCHIDA Akio




  • 4.  RE: auditlog information

    Broadcom Employee
    Posted Jul 27, 2020 08:30 AM
    UCHIDA 

    From the sample

    22 Jul 2020 13:38:47 P LOGIN joe 59 2 10.230.8.131 SSH (OS user)

    You can see that the action was a login on 22 Jul 2020 13:38.
    The user was joe.
    The IP joe logged in from was 10.230.8.131.
    The type of login was SSH.
    The user was an OS user.
    The P stands for permit,
    and the reason for the permit was 59, which is:

    [root@lvntest000470 ~]# seaudit -t |grep 59
    CA Privileged Access Manager Server Control seaudit v14.10.0.1335 - Audit log lister
    Copyright (c) 2018 CA. All rights reserved.
    59 Resource UACC check

    I am not sure what you mean by "DB fetch". The seaudit command can be used to pull the records you are looking for.

    Joe
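
    The field breakdown in post 4, applied to the seaudit lines quoted in this thread, as an added example that is not from the posters or from Broadcom. The record layout is inferred from those sample lines only and is an assumption; the number after the reason code is not explained in the thread and is kept as-is.

```python
import re
from datetime import datetime

# Lines copied from the seaudit output quoted in the thread.
SAMPLE = """\
CA Privileged Access Manager Server Control seaudit v14.10.0.1335 - Audit log lister
Copyright (c) 2018 CA. All rights reserved.
22 Jul 2020 13:38:47 S UPDATE XUSER seosd 338 10 joe
22 Jul 2020 13:38:47 P LOGIN joe 59 2 10.230.8.131 SSH (OS user)
22 Jul 2020 13:39:50 O LOGOUT joe 49 2 (OS user)
"""

# Assumed layout (inferred from the samples, not a documented format):
# timestamp, status letter, event, user, reason code, one unexplained number,
# then for LOGIN a source address and program, then the user type in parentheses.
RECORD = re.compile(
    r"^(?P<ts>\d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2}) (?P<status>[A-Z]) "
    r"(?P<event>LOGIN|LOGOUT) (?P<user>\S+) (?P<reason>\d+) (?P<unexplained>\d+)"
    r"(?: (?P<source>\S+) (?P<program>\S+))? \((?P<user_type>[^)]*)\)$"
)

def parse_logins(text):
    """Return one dict per LOGIN/LOGOUT record; banner and other record types are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d %b %Y %H:%M:%S")
        rec["reason"] = int(rec["reason"])
        records.append(rec)
    return records

def sessions(records):
    """Pair each LOGIN with the same user's next LOGOUT; open sessions get end=None."""
    open_logins, out = {}, []
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["event"] == "LOGIN":
            open_logins.setdefault(rec["user"], []).append(rec)
        elif open_logins.get(rec["user"]):
            start = open_logins[rec["user"]].pop(0)
            out.append({"user": rec["user"], "source": start["source"],
                        "program": start["program"], "start": start["ts"], "end": rec["ts"]})
    for pending in open_logins.values():
        out.extend({"user": p["user"], "source": p["source"], "program": p["program"],
                    "start": p["ts"], "end": None} for p in pending)
    return out

if __name__ == "__main__":
    for s in sessions(parse_logins(SAMPLE)):
        print(s)
```

    Reason codes such as 59 can be resolved on the host with the `seaudit -t` listing shown in post 4.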