How can I tell if CA PAM is writing messages to syslog properly?

Document ID : KB000009749
Last Modified Date : 14/02/2018
Introduction:

CA PAM is the combination of two legacy products, which use different formats when writing to syslog.  This document will help you understand what to look for in order to tell that both sides are performing this task properly, and what to do if they are not.

Instructions:

To begin with, take a look at the screen capture of the Syslog configuration.  You may configure one or two syslog server addresses.  By default port 514 will be used.  If two servers are used they must both use the same port.  As soon as you enter this information and click Update you should start seeing messages appear on the syslog server.

[Screen capture: Syslog configuration page (SyslogConfig.JPG)]


The first few messages are from the Password Management side of CA PAM.  You can tell this from the format, an XML-like markup that looks like HTML.  Each line carries the name of the CA PAM instance followed by the record, and the <Metric> tag indicates that the message was generated by CA PAM's own internal activity, not by any task you may have performed.

Dec 12 02:12:57 VOGED01-CAPAM3 <Metric><type>login</type><level>1</level><description><hashmap><k>adminUserID</k><v>super</v></hashmap></description><errorCode>0</errorCode><userID>super</userID><success>true</success><originatingIPAddress>127.0.0.1</originatingIPAddress><originatingHostName>localhost</originatingHostName><extensionType></extensionType></Metric> message repeated 4 times: []

Dec 12 02:12:12 VOGED01-CAPAM3 <Metric><type>login</type><level>1</level><description><hashmap><k>adminUserID</k><v>super</v></hashmap></description><errorCode>0</errorCode><userID>super</userID><success>true</success><originatingIPAddress>127.0.0.1</originatingIPAddress><originatingHostName>localhost</originatingHostName><extensionType></extensionType></Metric>

Dec 12 02:12:00 VOGED01-CAPAM3 <Metric><type>login</type><level>1</level><description><hashmap><k>adminUserID</k><v>super</v></hashmap></description><errorCode>0</errorCode><userID>super</userID><success>true</success><originatingIPAddress>127.0.0.1</originatingIPAddress><originatingHostName>localhost</originatingHostName><extensionType></extensionType></Metric> message repeated 3 times: []

Dec 11 21:15:52 voged01-capam3.ca.com gkpsyslog[14118]: Private IP: , Public IP: , Nat/Proxy IP: 10.132.132.1, User: super, Transaction: admin, Address: - -, Device Name: LOD9, User Group: --Port: - -, Access/Protocol: - -, Service/App: - -, Details: Target Server LOD9 not added to Password Authority.  Error Message Duplicate host name. AddTargetServer.invoke HostName '10.130.73.9' already exists.

Dec 12 02:12:48 VOGED01-CAPAM3 <Metric><type>login</type><level>1</level><description><hashmap><k>adminUserID</k><v>super</v></hashmap></description><errorCode>0</errorCode><userID>super</userID><success>true</success><originatingIPAddress>127.0.0.1</originatingIPAddress><originatingHostName>localhost</originatingHostName><extensionType></extensionType></Metric>

Dec 12 02:12:48 VOGED01-CAPAM3 <Metric><type>login</type><level>1</level><description><hashmap><k>adminUserID</k><v>super</v></hashmap></description><errorCode>0</errorCode><userID>super</userID><success>true</success><originatingIPAddress>127.0.0.1</originatingIPAddress><originatingHostName>localhost</originatingHostName><extensionType></extensionType></Metric> message repeated 4 times: []


The next few messages are the result of the deletion of a Device called Ubuntu, which is deleted from both the Password Management and Access sides.  The messages from the Access side do not use the HTML-like format.  They also identify the source of the message slightly differently: the host name is followed by a gkpsyslog[<pid>] program tag and the body is a comma-separated list of "Key: value" fields.  When the device is deleted the associated policy is deleted too.

Dec 12 02:12:48 VOGED01-CAPAM3 <c.cw.m.ts><bm.id>1019</bm.id><bm.cd>1470405708000</bm.cd><bm.cu>super</bm.cu><bm.ud>1470405708000</bm.ud><bm.uu>super</bm.uu><bm.ha>GRGbdr/oidSqucWqYxwSYLWp/LI=</bm.ha><bm.at.li><c.cw.m.at><bm.id>1043</bm.id><bm.cd>1470405708000</bm.cd><bm.cu>super</bm.cu><bm.ud>1470405708000</bm.ud><bm.uu>super</bm.uu><bm.ha>GRGbdr/oidSqucWqYxwSYLWp/LI=</bm.ha><at.na>descriptor1</at.na><at.ob.id>1019</at.ob.id><at.ob.cl>c.cw.m.ts</at.ob.cl></c.cw.m.at><c.cw.m.at><bm.id>1044</bm.id><bm.cd>1470405708000</bm.cd><bm.cu>super</bm.cu><bm.ud>1470405708000</bm.ud><bm.uu>super</bm.uu><bm.ha>GRGbdr/oidSqucWqYxwSYLWp/LI=</bm.ha><at.na>descriptor2</at.na><at.ob.id>1019</at.ob.id><at.ob.cl>c.cw.m.ts</at.ob.cl></c.cw.m.at></bm.at.li><hn>10.130.73.9</hn><ip>10.130.73.9</ip><dn>Ubuntu</dn></c.cw.m.ts>

Dec 11 21:16:41 voged01-capam3.ca.com gkpsyslog[3462]: Private IP: , Public IP: , Nat/Proxy IP: , User: __xcd_local__, Transaction: admin, Address: - -, Device Name: - -, User Group: --Port: - -, Access/Protocol: - -, Service/App: - -, Details: Message 12052:  Target applications and all associated accounts were deleted from policies.

Dec 12 02:12:48 VOGED01-CAPAM3 <Metric><type>login</type><level>1</level><description><hashmap><k>adminUserID</k><v>super</v></hashmap></description><errorCode>0</errorCode><userID>super</userID><success>true</success><originatingIPAddress>127.0.0.1</originatingIPAddress><originatingHostName>localhost</originatingHostName><extensionType></extensionType></Metric>

Dec 11 21:16:41 voged01-capam3.ca.com gkpsyslog[14118]: Private IP: 10.132.132.1, Public IP: 141.202.54.2, Nat/Proxy IP: 10.132.132.1, User: super, Transaction: admin, Address: 10.130.73.9, Device Name: Ubuntu, User Group: --Port: - -, Access/Protocol: - -, Service/App: - -, Details: Device Ubuntu successfully deleted; Target server Ubuntu deleted

Dec 11 21:17:01 support-virtual-machine CRON[28872]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)

Dec 12 02:12:09 VOGED01-CAPAM3 <Metric><type>login</type><level>1</level><description><hashmap><k>adminUserID</k><v>super</v></hashmap></description><errorCode>0</errorCode><userID>super</userID><success>true</success><originatingIPAddress>127.0.0.1</originatingIPAddress><originatingHostName>localhost</originatingHostName><extensionType></extensionType></Metric>


The next messages are for the addition of a device called LOD9, with IP Address 10.130.73.9.

Dec 12 02:12:09 VOGED01-CAPAM3 <c.cw.m.ts><bm.id>1032</bm.id><bm.cd>1481509089450</bm.cd><bm.cu>super</bm.cu><bm.ud>1481509089458</bm.ud><bm.uu>super</bm.uu><bm.ha>dPMRmDmcb5I6qvWH6NqE+0OvxYw=</bm.ha><bm.at.li><c.cw.m.at><bm.id>1056</bm.id><bm.cd>1481509089450</bm.cd><bm.cu>super</bm.cu><bm.ud>1481509089450</bm.ud><bm.uu>super</bm.uu><at.na>descriptor1</at.na><at.ob.id>1032</at.ob.id><at.ob.cl>c.cw.m.ts</at.ob.cl></c.cw.m.at><c.cw.m.at><bm.id>1057</bm.id><bm.cd>1481509089450</bm.cd><bm.cu>super</bm.cu><bm.ud>1481509089450</bm.ud><bm.uu>super</bm.uu><at.na>descriptor2</at.na><at.ob.id>1032</at.ob.id><at.ob.cl>c.cw.m.ts</at.ob.cl></c.cw.m.at></bm.at.li><hn>10.130.73.9</hn><ip>10.130.73.9</ip><dn>LOD9</dn></c.cw.m.ts>

Dec 11 21:17:01 voged01-capam3.ca.com gkpsyslog[14118]: Private IP: 10.132.132.1, Public IP: 141.202.54.2, Nat/Proxy IP: 10.132.132.1, User: super, Transaction: admin, Address: 10.130.73.9, Device Name: LOD9, User Group: --Port: - -, Access/Protocol: - -, Service/App: - -, Details: Device LOD9 added successfully.   Access Methods:  SSH:22; Services:  None; VPN Services:  None; Groups:  None; Tags: None ; Target Server LOD9 added to Password Authority


Now that you know what the messages look like from both sides, you should easily be able to tell when messages are not coming from the Password Management side.  These messages sometimes do not start appearing until after you have rebooted the system following enabling syslog.  If you have already rebooted, you may have to use the following procedure to get it going.

1.  Uncheck the Enable box and click Update.

2.  Reboot CA PAM.

3.  Check the Enable box and click Update.

4.  Go to the syslog server and check if messages are appearing from both sides.

On occasion you might have to go through this procedure a few times.  If you still aren't seeing messages from both sides please open a ticket with Support.

There is one more thing that you must keep in mind.  The format of the Password Management messages may differ from those you see above, which were generated on a CA PAM 2.7 system.  The message below was generated on an earlier version of CA PAM.  This one contains the string <16134> and a "cspm: [INFO] hd:" prefix before the <Metric> record, but otherwise the formats look similar.

02-24-2014 10:43:20 Syslog.Debug 121.0.137.41 <16134>Feb 24 01:42:59 cspm: [INFO] hd: <Metric><type>alive</type><level>1</level><description><CommandRequest><cmdName>alive</cmdName><remoteHost>sac1.innocore2.co.kr</remoteHost><requestURI>null</requestURI></CommandRequest></description><errorCode>0</errorCode><userID>SYSTEM</userID><success>true</success><originatingIPAddress>sac1.innocore2.co.kr</originatingIPAddress><originatingHostName>sac1.innocore2.co.kr</originatingHostName><extensionType></extensionType></Metric>
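The check in step 4 above (are messages arriving from both sides?) can be automated once you know the two formats.  The Python script below is an added example written for this article, not a CA PAM component or a Broadcom-supplied tool.  It tags each syslog line as Password Management (an XML-like <Metric> or <c.cw.m.ts> record anywhere in the line, so the older "<16134> ... cspm: [INFO] hd:" form is recognised too), Access (the gkpsyslog[pid] tag followed by "Key: value" fields, including the "User Group: --Port:" run-together quirk seen in the samples) or other, and then reports whether both sides are present.  The function names and the sample lines are constructed for this example; the sample lines are modelled on the ones shown above and are not a real capture.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Standard BSD syslog header: "Mon DD HH:MM:SS host rest-of-message"
HEADER_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$')
# Password Management side: an XML-like <Metric> or <c.cw.m.ts> record anywhere in the line
PM_RE = re.compile(r'<(Metric|c\.cw\.m\.ts)>.*?</\1>')
# Access side: the gkpsyslog[pid] program tag followed by "Key: value, Key: value, ..."
ACCESS_RE = re.compile(r'gkpsyslog\[(?P<pid>\d+)\]: (?P<body>.*)$')
# syslog's duplicate-suppression suffix seen on some Password Management lines
REPEAT_RE = re.compile(r'message repeated (\d+) times')

# Keys of an Access-side message, in the order the article's samples show them.
# "User Group: --Port:" runs two keys together, so values are sliced by key
# position rather than split on commas.
ACCESS_KEYS = ['Private IP', 'Public IP', 'Nat/Proxy IP', 'User', 'Transaction',
               'Address', 'Device Name', 'User Group', 'Port', 'Access/Protocol',
               'Service/App', 'Details']
EMPTY_VALUES = {'', '-', '--', '- -'}   # placeholders CA PAM writes for absent fields


def parse_pm(fragment):
    """Parse a Password Management XML record; return (root tag, leaf child values)."""
    root = ET.fromstring(fragment)
    # Only leaf children are collected; containers such as <description> or
    # <bm.at.li> are skipped to keep the summary flat.
    fields = {child.tag: (child.text or '') for child in root if len(child) == 0}
    return root.tag, fields


def parse_access(body):
    """Slice an Access-side body into a dict keyed by ACCESS_KEYS (None = placeholder)."""
    positions = []
    for key in ACCESS_KEYS:
        idx = body.find(key + ':')
        if idx < 0:
            return None  # not the layout the article shows
        positions.append((idx, key))
    positions.sort()
    bounds = positions + [(len(body), None)]
    fields = {}
    for (start, key), (end, _) in zip(positions, bounds[1:]):
        value = body[start + len(key) + 1:end].strip().rstrip(',').strip()
        fields[key] = None if value in EMPTY_VALUES else value
    return fields


def classify(line):
    """Tag one syslog line with the CA PAM side that produced it."""
    rec = {'side': 'other', 'timestamp': None, 'host': None, 'repeats': 1, 'fields': None}
    header = HEADER_RE.match(line)
    if header:
        rec['timestamp'], rec['host'] = header.group('ts'), header.group('host')
    pm = PM_RE.search(line)
    access = ACCESS_RE.search(line)
    if pm:
        rec['side'] = 'password_management'
        rec['record'], rec['fields'] = parse_pm(pm.group(0))
        repeat = REPEAT_RE.search(line)
        if repeat:
            rec['repeats'] = int(repeat.group(1))
    elif access:
        rec['side'] = 'access'
        rec['pid'] = int(access.group('pid'))
        rec['fields'] = parse_access(access.group('body'))
    return rec


def check_both_sides(lines):
    """Count lines per side and report whether both CA PAM sides are logging."""
    counts = Counter(classify(line)['side'] for line in lines if line.strip())
    return {
        'password_management': counts['password_management'],
        'access': counts['access'],
        'other': counts['other'],
        'both_sides_present': counts['password_management'] > 0 and counts['access'] > 0,
    }


# Constructed sample lines modelled on the formats in the article (not a real capture).
SAMPLE_LOG = """\
Dec 12 02:12:57 VOGED01-CAPAM3 <Metric><type>login</type><level>1</level><description><hashmap><k>adminUserID</k><v>super</v></hashmap></description><errorCode>0</errorCode><userID>super</userID><success>true</success><originatingIPAddress>127.0.0.1</originatingIPAddress><originatingHostName>localhost</originatingHostName><extensionType></extensionType></Metric> message repeated 4 times: []
Dec 12 02:12:09 VOGED01-CAPAM3 <c.cw.m.ts><bm.id>1032</bm.id><bm.cu>super</bm.cu><bm.at.li><c.cw.m.at><bm.id>1056</bm.id><at.na>descriptor1</at.na></c.cw.m.at></bm.at.li><hn>10.130.73.9</hn><ip>10.130.73.9</ip><dn>LOD9</dn></c.cw.m.ts>
Dec 11 21:17:01 voged01-capam3.ca.com gkpsyslog[14118]: Private IP: 10.132.132.1, Public IP: 141.202.54.2, Nat/Proxy IP: 10.132.132.1, User: super, Transaction: admin, Address: 10.130.73.9, Device Name: LOD9, User Group: --Port: - -, Access/Protocol: - -, Service/App: - -, Details: Device LOD9 added successfully.   Access Methods:  SSH:22; Target Server LOD9 added to Password Authority
Dec 11 21:15:52 voged01-capam3.ca.com gkpsyslog[14118]: Private IP: , Public IP: , Nat/Proxy IP: 10.132.132.1, User: super, Transaction: admin, Address: - -, Device Name: LOD9, User Group: --Port: - -, Access/Protocol: - -, Service/App: - -, Details: Target Server LOD9 not added to Password Authority.  Error Message Duplicate host name.
Dec 11 21:17:01 support-virtual-machine CRON[28872]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
02-24-2014 10:43:20 Syslog.Debug 121.0.137.41 <16134>Feb 24 01:42:59 cspm: [INFO] hd: <Metric><type>alive</type><level>1</level><description><CommandRequest><cmdName>alive</cmdName></CommandRequest></description><errorCode>0</errorCode><userID>SYSTEM</userID><success>true</success><extensionType></extensionType></Metric>
"""

if __name__ == '__main__':
    print(check_both_sides(SAMPLE_LOG.splitlines()))
    for sample in SAMPLE_LOG.splitlines():
        entry = classify(sample)
        print(entry['side'], entry['timestamp'], entry['fields'])
```

Run it against a file pulled from the syslog server (for example, replace SAMPLE_LOG with the contents of the file that receives the CA PAM feed) after each pass through the enable/reboot procedure; a summary with both_sides_present set to False tells you which side has gone quiet.  The Access-side parser returns None for a line whose keys do not match the layout shown here, so a format change on a newer release shows up as missing fields rather than a wrong value.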