Sectona PAM records several types of events, which can be configured and forwarded to any SIEM solution using the syslog capture feature.
Administrative events: PAM administration related events, such as creating a new User, adding a new server, adding a privileged account, or modifying a User access policy in PAM.
Security events: Events such as a failed User login, access to a server/device, or a failed password change for a privileged account. All of these events should be configured in the SIEM solution to raise alerts for unusual login attempts from completely different IP addresses, too many failed login attempts, multiple failed privileged password changes, and similar conditions.
System events: Events generated on the PAM solution itself, such as a network failure or a failure of a critical PAM system service. The event log displays the type and category (low, medium, critical) of the error, which can be configured as an alert through the SIEM and sent to the PAM administrator so the issue is addressed quickly. This is crucial because these events may cause User access failures that inadvertently impact the business.
You can configure Sectona PAM to forward all these types of events to an external Syslog or SIEM server. All events are forwarded in Syslog format.
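The security-event alerting recommended above, as an added example that is not Sectona's code: a small rule set run over constructed syslog lines. The key=value message layout and field names (event, status, user, src, account, target) are assumptions, since this page does not document the real Sectona message format.

```python
# Detection rules for Sectona PAM security events forwarded over syslog.
# Added example, not Sectona's code. The key=value layout after the syslog
# header is an ASSUMPTION: this page does not document Sectona's real field
# names, so adapt parse() to the fields your SIEM actually receives.
import re
from collections import Counter

# Constructed sample messages in the assumed layout (not real PAM output).
SAMPLE_LOGS = [
    "<134>Jan 10 09:01:02 pam01 PAM: event=UserLogin status=Failed user=alice src=10.0.0.5",
    "<134>Jan 10 09:01:09 pam01 PAM: event=UserLogin status=Failed user=alice src=10.0.0.5",
    "<134>Jan 10 09:01:15 pam01 PAM: event=UserLogin status=Failed user=alice src=10.0.0.5",
    "<134>Jan 10 09:02:00 pam01 PAM: event=UserLogin status=Success user=bob src=203.0.113.9",
    "<134>Jan 10 09:03:00 pam01 PAM: event=PasswordChange status=Failed account=root target=db01",
    "<134>Jan 10 09:03:30 pam01 PAM: event=PasswordChange status=Failed account=root target=db01",
]
# Assumed baseline of source addresses each User normally logs in from.
KNOWN_SOURCES = {"alice": {"10.0.0.5"}, "bob": {"10.0.0.7"}}

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Return the key=value fields of one forwarded event as a dict."""
    return dict(FIELD_RE.findall(line))

def detect(lines, known=KNOWN_SOURCES, login_threshold=3, change_threshold=2):
    """Apply the three alert rules recommended above; return alert strings."""
    failed_logins, failed_changes, alerts = Counter(), Counter(), []
    for ev in map(parse, lines):
        if ev.get("event") == "UserLogin":
            if ev["status"] == "Failed":
                failed_logins[(ev["user"], ev["src"])] += 1
            elif ev["src"] not in known.get(ev["user"], set()):
                # Successful login from an address never seen for this User.
                alerts.append(f"login from unusual source: user={ev['user']} src={ev['src']}")
        elif ev.get("event") == "PasswordChange" and ev["status"] == "Failed":
            failed_changes[(ev["account"], ev["target"])] += 1
    for (user, src), n in failed_logins.items():
        if n >= login_threshold:
            alerts.append(f"{n} failed logins: user={user} src={src}")
    for (acct, tgt), n in failed_changes.items():
        if n >= change_threshold:
            alerts.append(f"{n} failed privileged password changes: account={acct} target={tgt}")
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print("ALERT:", alert)
```

In a real deployment the thresholds would be applied over a sliding time window by the SIEM; the fixed-count version here only shows which fields each rule needs.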
Steps to configure Log Forwarding
The steps below will help you configure Log Forwarding to an external Syslog or SIEM solution:
Navigate to the Configuration option in the navigation bar and select SIEM & Log Forwarding from the sidebar.
Description: Provide a description, for example "SIEM logs for the Central Logging server".
IP Address: Provide the IP address of the target server.
Port No: Enter the port number of the destination server.
Check the Active checkbox to activate the configuration and click the Save button.
Protocols supported are TCP and UDP.
Configuring event specific forwarding
To select which types of event logs you want to forward to an external Syslog or SIEM solution, follow the steps below:
Click the Event Configuration button; an event configuration window opens.
Use the checkboxes to select the event(s) you want to forward.
Event ID: The unique ID of a particular event.
Event Name: The name of the event whose logs are to be received.
Click the Save button to save the selected events you want PAM to forward.
Navigate to the System option in the navigation bar and select System Status from the sidebar. Click the App Services tab.
Search for the service named SystemEventService and click the Start / Stop button to start the service and enable log forwarding.
Click View Trail to see any addition or modification made to the above-mentioned parameters, with details of the changes made by the PAM administrator.
Log forwarding cannot be performed while the SystemEventService is not running.