Sectona PAM records several types of events, which can be selected and forwarded to any SIEM solution using the Syslog capture feature.
Administrative events: PAM administration events such as creating a new user, adding a new server, adding a privileged account, or modifying a user access policy in PAM.
Security events: events such as a failed user login, access to a server or device, or a failed password change for a privileged account. Configure alert rules for these events in the SIEM so that you are notified of login attempts from unusual source IP addresses, too many failed login attempts, repeated failed privileged password changes, and similar patterns.
System events: events generated by the PAM solution itself, such as a network failure or the failure of a critical PAM service. The event log records the type and severity of each error (low, medium or high; see event IDs 101 to 103 in the table below), which can be turned into a SIEM alert sent to the PAM administrator so the issue is addressed quickly. This matters because such failures can block user access to target systems and inadvertently disrupt the business.
You can configure Sectona PAM to forward all these events to an external Syslog or SIEM server. All events are forwarded in Syslog format.
Steps to configure Log Forwarding
The steps below will help you configure Log Forwarding to an external Syslog or SIEM solution:
Navigate to the Configuration option in the navigation bar and select SIEM & Log Forwarding from the sidebar.
Description: Provide a description that identifies this forwarding destination, for example the name of the central logging server.
IP Address: Provide the IP address of the target Syslog or SIEM server.
Port No: Enter the port number on which the destination server listens for syslog. 514 is the conventional syslog port; use whatever port your SIEM collector is configured for.
Check the Active checkbox to enable the destination and click the Save button.
Protocols supported are TCP and UDP. UDP delivery is unacknowledged, so events can be lost silently under load or during a network interruption; prefer TCP where the SIEM collector supports it, since a broken connection is at least detected. Neither option encrypts the stream on its own, so keep the forwarding path on a trusted management network or inside a tunnel if it crosses untrusted segments.
Configuring event-specific forwarding
To select which types of event logs you want to forward to an external Syslog or SIEM solution, follow the steps below:
Click the Event Configuration button; an event configuration window opens.
Use the checkboxes to select the event(s) you want to forward.
Event ID: The unique ID of the event.
Event Name: The name of the event whose logs are to be forwarded.
Click the Save button to save the selected events that PAM should forward.
Navigate to the System option in the navigation bar and select System Status from the sidebar, then click the App Services tab.
Search for the service named SystemEventService and use the Start / Stop button to start it; log forwarding is enabled only while this service is running.
Click View Trail to see any addition or modification made to the parameters above, with details of the change and the PAM administrator who made it.
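Before relying on SIEM alerts, confirm that events actually arrive at the IP address, port and protocol you entered above. The following is an added example, not Sectona code: a minimal syslog receiver you can run on the SIEM host (or on any host you temporarily enter as the destination) and then trigger a test event such as a failed login. The sample messages in it are constructed; the class and function names are this example's own.

```python
"""Minimal syslog receiver to confirm that events forwarded by Sectona PAM
actually reach the configured IP address, port and protocol. Added example,
not Sectona code. Run it on the SIEM host (or any host you can temporarily
enter as the destination), then trigger a test event such as a failed login."""
import socket
import threading
from typing import List


class SyslogReceiver:
    """Listens on one port using the protocol selected in PAM (tcp or udp)."""

    def __init__(self, proto: str = "udp", host: str = "0.0.0.0", port: int = 514):
        if proto not in ("tcp", "udp"):
            raise ValueError("proto must be 'tcp' or 'udp'")
        self.proto = proto
        kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
        self.sock = socket.socket(socket.AF_INET, kind)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.port = self.sock.getsockname()[1]  # port 0 asks the OS for a free port
        if proto == "tcp":
            self.sock.listen(5)

    def receive(self, count: int, timeout: float = 30.0) -> List[str]:
        """Return up to `count` messages, giving up after `timeout` seconds of silence."""
        self.sock.settimeout(timeout)
        got: List[str] = []
        try:
            if self.proto == "udp":
                # One datagram per syslog message.
                while len(got) < count:
                    data, _ = self.sock.recvfrom(65535)
                    got.append(data.decode("utf-8", "replace").rstrip("\r\n"))
            else:
                # Syslog over TCP is a byte stream; messages are newline-delimited
                # (RFC 6587 non-transparent framing), so split on "\n" ourselves.
                conn, _ = self.sock.accept()
                conn.settimeout(timeout)
                buf = b""
                while len(got) < count:
                    chunk = conn.recv(65535)
                    if not chunk:          # sender closed the connection
                        break
                    buf += chunk
                    while b"\n" in buf and len(got) < count:
                        line, buf = buf.split(b"\n", 1)
                        got.append(line.decode("utf-8", "replace").rstrip("\r"))
                conn.close()
        except socket.timeout:
            pass                           # return whatever arrived before the deadline
        return got

    def close(self) -> None:
        self.sock.close()


def loopback_check(proto: str, messages: List[str]) -> List[str]:
    """Send `messages` to a receiver on 127.0.0.1 and return what it collected.
    Stands in for the PAM appliance so the receiver can be exercised offline."""
    rx = SyslogReceiver(proto, host="127.0.0.1", port=0)
    result: List[str] = []
    worker = threading.Thread(target=lambda: result.extend(rx.receive(len(messages), timeout=5.0)))
    worker.start()
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    tx = socket.socket(socket.AF_INET, kind)
    if proto == "tcp":
        tx.connect(("127.0.0.1", rx.port))
        tx.sendall("".join(m + "\n" for m in messages).encode())
    else:
        for m in messages:
            tx.sendto(m.encode(), ("127.0.0.1", rx.port))
    tx.close()
    worker.join()
    rx.close()
    return result


if __name__ == "__main__":
    # Constructed test messages; real PAM events replace these once forwarding is enabled.
    sample = ["<134>1 2024-05-02T10:16:00Z pam01 SectonaPAM - - - EventID=502 User=bob",
              "<134>1 2024-05-02T10:16:05Z pam01 SectonaPAM - - - EventID=503 User=bob"]
    for proto in ("udp", "tcp"):
        print(proto, loopback_check(proto, sample))
```

To use it against a live appliance, create `SyslogReceiver("tcp", port=514)` (or `"udp"`) on the destination host with the same protocol you selected in PAM, call `receive(1, timeout=60)`, and then fail a login on PAM deliberately; if nothing arrives, check the SystemEventService state, the Active checkbox, and the firewall path before looking at SIEM rules. Binding to port 514 needs root or the equivalent capability.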
Event ID | Event name | Event description
--- | --- | ---
101 | System Log - Low | System log events of low criticality
102 | System Log - High | System log events of high criticality
103 | System Log - Medium | System log events of medium criticality
111 | Asset | Configuration activity on assets
112 | Accounts | Configuration activity on accounts
113 | User | Configuration activity on users
114 | User role | Configuration activity on user roles
115 | Account Discovery | Configuration activity on Account Discovery
116 | Network Scan | Configuration activity on asset discovery of type Network Scan
117 | AWS | Configuration activity on asset discovery of type AWS
118 | VMWare | Configuration activity on asset discovery of type VMWare
119 | Azure | Configuration activity on asset discovery of type Azure
120 | Active Directory | Configuration activity on asset discovery of type Active Directory
121 | Hyper-V | Configuration activity on asset discovery of type Hyper-V
123 | Vault API | Configuration activity on the Vault API
124 | Vault Extensions | Configuration activity on Vault Extensions
125 | Active Mapping | Mapping configuration changes for active mapping
126 | Server Access Policy Unix | Configuration activity on Server Access Policies applied to Unix servers
127 | Server Access Policy Windows | Configuration activity on Server Access Policies applied to Windows servers
128 | Password Policy | Configuration activity on the Password Policy
129 | Rotation Policy | Configuration activity on the Rotation Policy
130 | Checkout Policy | Configuration activity on the Checkout Policy
131 | Directory Server | Configuration activity on the AD & Directory Store
132 | Account Default | Configuration activity on Account Defaults
133 | Instance | Configuration activity on Instances
134 | Landing & Proxy Server | Configuration activity on Landing & Proxy Servers
135 | GCP | Configuration activity on asset discovery of type GCP
501 | Session Initiated | A session is initiated
502 | Login Failed | A login to PAM failed
503 | Login Success | A login to PAM succeeded
504 | User Locked | A PAM user account is locked
505 | Password Change Success | A password change on the target server succeeded
506 | Password Change Failed | A password change on the target server failed
507 | Password Change Aborted | A password change on the target server was aborted
508 | Command Executed | A command is executed during a session
509 | Command Execution Denied | A command execution is denied during a session
510 | Command Execution Confirmed | A command execution is confirmed during a session
511 | Process Execution Completed | A process is executed through WMON during a session
512 | Process Execution Denied | A process execution through WMON is denied during a session
513 | Process Execution Confirmed | A process execution through WMON is approved during a session
514 | File Transfer Completed | A file is transferred during a session
515 | File Deleted | A file is deleted during a session
801 | System Health Information | CPU, memory or disk utilization exceeds the configured baseline value
Note: Event forwarding does not operate while the SystemEventService is not running (see the System Status steps above).
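The alert cases named earlier (too many failed logins, logins from unusual source IPs, repeated failed privileged password changes, and system events that the PAM administrator must see) map onto the event IDs in the table above. The following is an added example of SIEM-side detection logic over such events; it is not Sectona code and not a documented rule set. Only the event IDs and names come from the table. The RFC 5424 header and the key=value layout of the message body (EventID, User, SrcIP, Account, Asset) are assumptions made here for illustration, as are the sample events, so adapt parse() to what your collector actually receives.

```python
"""Detection rules over Sectona PAM events as a SIEM would receive them.
Added example, not Sectona code or a documented rule set. The event IDs and
names (502, 503, 506, 102, 801) come from the event table on this page; the
key=value layout of the syslog message body is an assumption made here for
illustration, as is the RFC 5424 header, so adapt parse() to the real feed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# Constructed sample events in chronological order (not real data).
SAMPLE_EVENTS = [
    "<134>1 2024-05-02T10:15:01Z pam01 SectonaPAM - - - EventID=503 User=alice SrcIP=10.0.0.5",
    "<134>1 2024-05-02T10:16:00Z pam01 SectonaPAM - - - EventID=502 User=bob SrcIP=203.0.113.9",
    "<134>1 2024-05-02T10:16:05Z pam01 SectonaPAM - - - EventID=502 User=bob SrcIP=203.0.113.9",
    "<134>1 2024-05-02T10:16:11Z pam01 SectonaPAM - - - EventID=502 User=bob SrcIP=203.0.113.9",
    "<134>1 2024-05-02T10:16:20Z pam01 SectonaPAM - - - EventID=502 User=bob SrcIP=203.0.113.9",
    "<134>1 2024-05-02T10:16:31Z pam01 SectonaPAM - - - EventID=502 User=bob SrcIP=203.0.113.9",
    "<134>1 2024-05-02T10:16:40Z pam01 SectonaPAM - - - EventID=503 User=bob SrcIP=203.0.113.9",
    "<134>1 2024-05-02T10:20:00Z pam01 SectonaPAM - - - EventID=506 Account=root Asset=db-prod-01",
    "<134>1 2024-05-02T10:21:00Z pam01 SectonaPAM - - - EventID=506 Account=root Asset=db-prod-01",
    "<134>1 2024-05-02T10:22:00Z pam01 SectonaPAM - - - EventID=506 Account=root Asset=db-prod-01",
    '<132>1 2024-05-02T10:25:00Z pam01 SectonaPAM - - - EventID=102 Detail="service restart required"',
    "<134>1 2024-05-02T10:30:00Z pam01 SectonaPAM - - - EventID=503 User=alice SrcIP=198.51.100.7",
]

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
HEADER = re.compile(r"^<\d+>1 (?P<ts>\S+) (?P<host>\S+) \S+ \S+ \S+ \S+ (?P<msg>.*)$")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"


def parse(line: str) -> dict:
    """Split one syslog line into header fields plus the key=value body."""
    m = HEADER.match(line)
    if not m:
        raise ValueError(f"unexpected syslog line: {line!r}")
    ev = {k: v.strip('"') for k, v in KV.findall(m.group("msg"))}
    ev["_ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    ev["_host"] = m.group("host")
    return ev


class PamDetector:
    """Stateful rules for the alert cases named in the text: too many failed
    logins, success from an unseen source IP, repeated failed password changes,
    and high-severity system events that the PAM administrator must see."""
    WINDOW = timedelta(minutes=10)
    FAILED_LOGINS = 5      # 502 events per user inside WINDOW
    FAILED_CHANGES = 3     # 506 events per account@asset inside WINDOW

    def __init__(self) -> None:
        self.failed_logins: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.failed_changes: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.known_ips: Dict[str, set] = defaultdict(set)   # baseline of past 503 source IPs
        self.alerts: List[str] = []

    def _push(self, q: Deque[datetime], ts: datetime) -> int:
        """Record ts, drop entries older than WINDOW, return the current count."""
        q.append(ts)
        while q and ts - q[0] > self.WINDOW:
            q.popleft()
        return len(q)

    def feed(self, ev: dict) -> None:
        eid, ts = ev.get("EventID"), ev["_ts"]
        user, ip = ev.get("User", "?"), ev.get("SrcIP", "?")
        if eid == "502":    # Login Failed
            # "==" fires once when the threshold is crossed, not on every later failure.
            if self._push(self.failed_logins[user], ts) == self.FAILED_LOGINS:
                self.alerts.append(f"HIGH: {self.FAILED_LOGINS} failed logins (502) for {user} from {ip}")
        elif eid == "503":  # Login Success
            fails = self.failed_logins[user]
            while fails and ts - fails[0] > self.WINDOW:
                fails.popleft()
            if len(fails) >= self.FAILED_LOGINS:
                self.alerts.append(f"HIGH: {user} logged in (503) from {ip} after {len(fails)} failures")
            elif self.known_ips[user] and ip not in self.known_ips[user]:
                self.alerts.append(f"MEDIUM: {user} logged in (503) from unseen IP {ip}")
            self.known_ips[user].add(ip)
            fails.clear()
        elif eid == "506":  # Password Change Failed
            key = f"{ev.get('Account', '?')}@{ev.get('Asset', '?')}"
            if self._push(self.failed_changes[key], ts) == self.FAILED_CHANGES:
                self.alerts.append(f"MEDIUM: {self.FAILED_CHANGES} failed password changes (506) for {key}")
        elif eid in ("102", "801"):  # System Log - High, System Health Information
            self.alerts.append(f"ADMIN: event {eid} reported by {ev['_host']}")


def run(lines: List[str]) -> List[str]:
    """Feed events in time order and return the alerts raised."""
    det = PamDetector()
    for line in lines:
        det.feed(parse(line))
    return det.alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Two design points carry over to a real SIEM rule set: thresholds are evaluated per user (or per account@asset) inside a sliding window rather than globally, so one noisy account does not mask another, and a successful login is correlated with the failures that preceded it, since a 503 after a run of 502s is the case worth paging on. The "unseen IP" rule needs a baseline of historical 503 events before it is meaningful; here the baseline is built from the same stream.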