Sectona PAM records various types of events which can be configured and forwarded to any SIEM solution using syslog capture feature.

  • Administrative events: PAM Administration related events such as creating a new User, adding a new server, adding a privileged account, modifying User access policy in PAM, etc. 

  • Security events: Security events such as Failed User login, Access for a server/ device, Failed Password change for a privileged account, etc. All these events should be configured in SIEM solution to get an alert for unusual login attempts from completely different IP addresses, too many failed login attempts, multiple Failed Privileged password change, etc.

  • System events: These are events that populated on PAM solution such as, network failure, PAM system critical service failure, the event log displays the type and category (low, medium, critical) of error occurred which can be configured into an alert through SIEM and sent to PAM administrator for quick address of the issue. This is crucial as these events may result in failure of User access which may impact Businesses inadvertently.

You can configure Sectona PAM to forward all these types of events to an external Syslog or SIEM server. All events are forwarded in Syslog format.

Steps to configure Log Forwarding

The steps below will help you configure Log Forwarding to an external Syslog or SIEM solution:

  • Navigate to the Configuration option in the navigation bar and select SIEM & Log Forwarding from sidebar.

  • Description: Provide a description. For SIEM logs for the Central Logging server.

  • IP Address: Provide the IP address of the target server.

  • Port No: Enter port no of the destination server.

  • Check the Active checkbox for activation and click Save button

Protocols supported are TCP and UDP.

Configuring event specific forwarding

To select what types of event logs you want to forward to an external Syslog or SIEM solution, follow the below steps to configure:

  • Click on Event Configuration button, an event configuration windows opens.

  • Use the checkbox option to select an event(s) you want to forward.

  • Event ID: The unique ID of a particular event.

  • Event Name: The name of the event who's logs are to be received.

  • Click on the Save button to save the selected event you want PAM to forward.

  • Navigate to System option in the navigation bar and select System Status from the sidebar. Click on App Services tab.

  • Search for service named SystemEventService, click on Start / Stop button to start the service to enable log forwarding.

  • Click on 

     to View Trail, it populates any addition or modification done on the above-mentioned parameters with details of changes done by the PAM administrator.

Event ID

Event name

Event description

101

System Log- Low

Displays events which have low criticality level system logs

102

System Log- High

Displays events which have high criticality level system logs

103

System Log- Medium

Displays events which have medium criticality level system logs

111

Asset

Displays events related to configuration activity on the assets in the system

112

Accounts

Displays events related to configuration activity on the accounts in the system

113

User

Displays events related to configuration activity on the users in the system

114

User role

Displays events related to configuration activity on the user roles in the system

115

Account Discovery

Displays events related to configuration activity on the Account Discovery in the system

116

Network Scan 

Displays events related to configuration activity on the Asset discovery of type Network Scan in the system

117

AWS

Displays events related to configuration activity on the Asset discovery of type AWS in the system

118

VMWare

Displays events related to configuration activity on the Asset discovery of type VMWare in the system

119

Azure

Displays events related to configuration activity on the Asset discovery of type Azure in the system

120

Active Directory

Displays events related to configuration activity on the Asset discovery of type Active Directory in the system

121

Hyper-V

Displays events related to configuration activity on the Asset discovery of type Hyper-V in the system

123

Vault API

Displays events related to the configuration activity on the Vault API in the system

124

Vault Extensions

Displays events related to the configuration activity on the Vault Extensions in the system

125

Active Mapping

Displays events related to mapping configuration of the active mapping in the system

126

Server Access Policy Unix

Displays events related to configuration activity on the Server Access Policy that are applied on Unix Server in the system

127

Server Access Policy Windows

Displays events related to configuration activity on the Server Access Policy that are applied on Windows Server in the system

128

Password Policy

Displays events related to configuration activity on the Password Policy in the system

129

Rotation Policy

Displays events related to configuration activity on the Rotation Policy in the system

130

Checkout Policy

Displays events related to configuration activity on the Checkout Policy in the system

131

Directory Server

Displays events related to configuration activity on the AD & Directory Store in the system

132

Account Default

Displays events related to configuration activity on the Account Default in the system

133

Instance

Displays events related to configuration activity on the Instance in the system

134

Landing & Proxy Server

Displays events related to configuration activity on the Landing & Proxy Server in the system

135

GCP

Displays events related to configuration activity on the Asset discovery of type GCP in the system

501

Session Initiated

Displays events when the session is initiated in the system

502

Login Failed

Displays events related to login failed activity in the PAM system

503

Login Success

Displays events related to login success activity in the PAM system

504

User Locked

Displays events when the user is locked in the PAM system

505

Password Change Success

Displays events related to successful password change activity on the target server

506

Password Change Failed

Displays events related to failed password change activity on the target server

507

Password Change Aborted

Displays events related when the password change is aborted on the target server

508

Command Executed

Displays events when a command is executed during a session in the system

509

Command Execution Denied

Displays events when a command execution is disapproved during a session in the system

510

Command Execution Confirmed

Displays events when a command execution is confirmed during a session in the system

511

Process Execution Completed

Displays events when a process is executed through WMON during a session in the system

512

Process Execution Denied

Displays events when a process execution is disapproved through WMON during a session in the system

513

Process Execution Confirmed

Displays events when a process execution is approved through WMON during a session in the system

514

File Transfer Completed

Displays events when a file is transferred during a session in the system

515

File Deleted

Displays events when a file is deleted during a session in the system

801

System Health Information

Displays events when the CPU, memory and disk utilization exceeds the base configured value.

This operation cannot be performed if the SystemEventService is not running.