How can I interpret Credential Management syslog entries

Document ID : KB000009849
Last Modified Date : 14/02/2018
Introduction:

The messages that CA PAM sends to syslog for Credential Management events use a different format from the one used on the Access side, which can make these events hard to identify. This document explains the format and walks through several sample messages.


Instructions:

To start, below is the message that was written to the syslog server when a password was viewed for the support account of the test6 application on the host 10.130.73.6. Line feeds were inserted so that the individual fields could be pointed out. The CA PAM node name, event, account, application and host name are highlighted in red to make them easier to find: the node name follows the timestamp, the event is the <type> element, and the account, application and host name are the TargetAccount.userName, TargetApplication.name and TargetServer.hostName entries of the hashmap.

Dec 10 03:12:45 Support04-XS2449-02 <Metric><type>viewAccountPassword</type><level>1</level><description>
<hashmap><k>referenceCode</k><v></v><k>TargetAccount.accessType</k><v></v><k>reason</k><v>Other</v>
<k>selectedComponent</k><v></v><k>password</k><v></v><k>TargetAccount.userName</k><v>support</v>
<k>commandInitiator</k><v>USER</v><k>Attribute.descriptor2</k><v></v><k>Attribute.descriptor1</k><v></v><k>adminPassword</k><v></v><k>TargetApplication.name</k><v>test6</v><k>TargetServer.hostName</k>
<v>10.130.73.6</v><k>TargetAccount.ID</k><v>10 14</v><k>reasonDetails</k><v>One-click access required</v>
<k>adminUserID</k><v>super</v></hashmap></description><errorCode>0</errorCode><userID>super</userID><success>true</success><originatingIPAddress></originatingIPAddress><originatingHostName></originatingHostName><extensionType></extensionType></Metric>


The following message was posted when the password was changed for account yyyyyy, application LOD9ssh, on CA PAM node Support04-XS250-02:

Dec 10 17:12:27 Support04-XS250-02 <Metric><type>updateTargetAccountPassword</type><level>1</level><description><hashmap><k>Attribute.protocol</k><v>SSH2_PASSWORD_AUTH</v><k>Attribute.useOtherAccountToChangePassword</k><v>false</v><k>TargetApplication.ID</k><v>4319</v><k>TargetAccount.userName</k><v>yyyyyy</v><k>TargetAlias.name</k><v></v><k>commandInitiator</k><v>USER</v><k>Attribute.descriptor2</k><v></v><k>Attribute.descriptor1</k><v></v><k>TargetApplication.name</k><v>LOD9ssh</v><k>Attribute.discoveryAllowed</k><v>false</v><k>passwordGenerated</k><v>false</v><k>TargetAccount.synchronize</k><v>true</v><k>TargetAccount.cacheDuration</k><v>30</v><k>TargetAccount.accessType</k><v></v><k>TargetAccount.ownerUserId</k><v>-1</v><k>TargetAccount.privileged</k><v>true</v><k>PasswordViewPolicy.ID</k><v>1000</v><k>TargetAccount.compoundServerIDs</k><v></v><k>TargetAccount.compoundAccount</k><v>false</v><k>TargetAccount.cacheBehavior</k><v>useCacheFirst</v><k>isNotifyUpdateTargetAccount</k><v>false</v><k>Attribut

The following two messages were generated when account yyyyyy was deleted. The account had not actually been applied to a policy.

Dec 10 17:12:34 Support04-XS250-02 <c.cw.m.ach><bm.id>3150</bm.id><bm.cd>1481390307000</bm.cd><bm.cu>super</bm.cu><bm.ud>1481390307000</bm.ud><bm.uu>super</bm.uu><bm.ha>SkUvMyHoeUxYpW/rGCed9HxKBE4=</bm.ha><act.id>4602</act.id><un>yyyyyy</un><pw>{1}786ce8343c57708c629fed1fab815408</pw><cm>false</cm><ht>false</ht><skid>1</skid></c.cw.m.ach>
Dec 10 12:30:29 10.130.73.72 gkpsyslog[2853]: Private IP: , Public IP: , Nat/Proxy IP: , User: __xcd_local__, Transaction: admin, Address: - -, Device Name: - -, User Group: --, Port: - -, Access/Protocol: - -, Service/App: - -, Details: Message 12053:  Target accounts were deleted from policies.


This is just a small sampling of the messages that you might see, but it should give you a good start.
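As an added example (not CA's own code), the small Python parser below pulls the node name, event type, admin user, account, application and host out of a Credential Management <Metric> line, tolerates a record that was cut off mid-way like the second one above, and skips the Access-side gkpsyslog format. The sample lines are constructed from the messages in this document with the hashmap shortened, and the field names used are taken from those samples.

```python
import re
from typing import Optional
# Constructed sample lines modelled on the message formats in this article
# (line feeds removed, hashmap shortened); they are not captured production data.
SAMPLE_LINES = [
    'Dec 10 03:12:45 Support04-XS2449-02 <Metric><type>viewAccountPassword</type>'
    '<level>1</level><description><hashmap><k>reason</k><v>Other</v>'
    '<k>TargetAccount.userName</k><v>support</v><k>TargetApplication.name</k><v>test6</v>'
    '<k>TargetServer.hostName</k><v>10.130.73.6</v><k>adminUserID</k><v>super</v>'
    '</hashmap></description><errorCode>0</errorCode><userID>super</userID>'
    '<success>true</success></Metric>',
    # Record cut off mid-way, as the syslog server may store it (no closing tags)
    'Dec 10 17:12:27 Support04-XS250-02 <Metric><type>updateTargetAccountPassword</type>'
    '<level>1</level><description><hashmap><k>TargetAccount.userName</k><v>yyyyyy</v>'
    '<k>TargetApplication.name</k><v>LOD9ssh</v><k>passwordGenerated</k><v>false</v><k>Attribut',
    # Access-side format, included for contrast; it is not a <Metric> record
    'Dec 10 12:30:29 10.130.73.72 gkpsyslog[2853]: Private IP: , User: __xcd_local__, '
    'Transaction: admin, Details: Message 12053:  Target accounts were deleted from policies.',
]

# syslog header "<Mon> <day> <HH:MM:SS> <node> <body>"; the node is the CA PAM name
HEADER_RE = re.compile(r'^([A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$', re.S)
# the <hashmap> is a flat run of <k>name</k><v>value</v> pairs
KV_RE = re.compile(r'<k>(.*?)</k><v>(.*?)</v>', re.S)
def _tag(body: str, name: str) -> Optional[str]:
    """Text of a simple <name>...</name> element, or None if absent or truncated."""
    m = re.search(rf'<{name}>(.*?)</{name}>', body, re.S)
    return m.group(1) if m else None

def parse_credential_event(line: str) -> Optional[dict]:
    """Flatten one Credential Management <Metric> line; None for any other format."""
    m = HEADER_RE.match(line)
    if not m or not m.group(3).startswith('<Metric>'):
        return None
    ts, node, body = m.groups()
    attrs = dict(KV_RE.findall(body))
    return {
        'timestamp': ts, 'node': node, 'event': _tag(body, 'type'),
        'admin': _tag(body, 'userID') or attrs.get('adminUserID'),
        'account': attrs.get('TargetAccount.userName'),
        'application': attrs.get('TargetApplication.name'),
        'host': attrs.get('TargetServer.hostName'),
        # None rather than False when the record was cut off before <success>
        'success': {'true': True, 'false': False}.get(_tag(body, 'success') or ''),
        'truncated': not body.endswith('</Metric>'),
    }

def credential_events(lines):
    """Keep only the Credential Management events from a mixed syslog stream."""
    return [e for e in map(parse_credential_event, lines) if e is not None]
```

A record flagged as truncated should be treated as incomplete rather than as a failed operation, since the success element simply never arrived.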