Sessions Logs - Missing password view events

Document ID : KB000109779
Last Modified Date : 26/09/2018
Show Technical Document Details
Question:
Why aren't password views logged to CA PAM's Session Logs?
Environment:
PAM 3.x
Answer:
In CA PAM - the password views are not logged to our session logs because we have the following: 

A specific report for this: 
CA PAM UI >> Credentials >> Reports >> Run >> Here you will find a report call "View Password Requests" that will give the information that you are looking for. 

Alternatively; you can either implement our Splunk or Syslog Forwarding Integration - that will send these "Audiiting" type messages. 

Example Audit event in Splunk: 

Aug 3 09:16:57 141.202.114.132 1 2018-08-03T13:18:39+00:00 dedke01-pam32 pam - metric DETAIL <Metric><type>viewAccountPassword</type><level>1</level><description><hashmap><k>commandInitiator</k><v>USER</v><k>adminUserID</k><v>super</v><k>reason</k><v></v><k>selectedComponent</k><v>0</v><k>Attribute.descriptor2</k><v></v><k>Attribute.descriptor1</k><v></v><k>TargetAccount.ID</k><v>1020</v><k>TargetApplication.name</k><v>WIN-Remote</v><k>reasonDetails</k><v>Password Viewed</v><k>password</k><v></v><k>TargetServer.hostName</k><v>10.162.29.14</v><k>TargetAccount.accessType</k><v></v><k>referenceCode</k><v></v><k>adminPassword</k><v></v><k>TargetAccount.userName</k><v>administrator</v></hashmap></description><errorCode>0</errorCode><userID>super</userID><success>true</success><originatingIPAddress></originatingIPAddress><originatingHostName></originatingHostName><extensionType></extensionType></Metric> 

 
Additional Information:
For more information on integrating CA PAM with Splunk via Syslog - you can follow this knowledge document: 

https://comm.support.ca.com/kb/how-to-forward-pams-syslog-to-splunk-for-data-analytics/kb000097550