Forwarding Logs
Sectona PAM records various types of events which can be configured and forwarded to any SIEM solution using the Syslog capture feature.
- Administrative events: PAM administration events such as creating a new user, adding a new server, adding a privileged account, modifying a user's access policy in PAM, etc.
- Security events: events such as a failed user login, access to a server or device, a failed password change for a privileged account, etc. Configure these events in the SIEM solution to alert on unusual login attempts from unfamiliar IP addresses, too many failed login attempts, multiple failed privileged password changes, etc.
- System events: events raised on the PAM solution itself, such as a network failure or a failure of a critical PAM service. The event log records the type and category (low, medium, critical) of the error; the SIEM can turn these into alerts sent to the PAM administrator so the issue is addressed quickly. This matters because such failures can block user access and inadvertently impact the business.
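The three alert conditions named above (too many failed logins, repeated failed privileged password changes, a login from an IP address not seen before for that user) are usually implemented as correlation rules in the SIEM. The following added example, which is not part of the Sectona documentation or product, shows the logic in Python over constructed sample lines. It uses the event IDs from the event table on this page (502 Login Failed, 503 Login Success, 506 Password Change Failed), but the layout of the forwarded message after the syslog header, the `SectonaPAM:` tag and the `user=`/`src=`/`account=` fields are assumptions made for the example, not the product's documented format; the thresholds and windows are likewise illustrative choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines for this example. The message layout after the syslog
# header ("EVENT_ID EVENT_NAME key=value ...") is an ASSUMPTION, not the documented
# Sectona PAM format; only the event IDs come from the event table.
SAMPLE_LINES = [
    "<86>2024-05-01T09:00:01Z pam01 SectonaPAM: 503 Login Success user=alice src=10.0.0.5",
    "<86>2024-05-01T09:02:10Z pam01 SectonaPAM: 502 Login Failed user=bob src=10.0.0.9",
    "<86>2024-05-01T09:02:40Z pam01 SectonaPAM: 502 Login Failed user=bob src=10.0.0.9",
    "<86>2024-05-01T09:03:05Z pam01 SectonaPAM: 502 Login Failed user=bob src=10.0.0.9",
    "<86>2024-05-01T09:10:00Z pam01 SectonaPAM: 506 Password Change Failed account=root asset=db-01",
    "<86>2024-05-01T09:12:30Z pam01 SectonaPAM: 506 Password Change Failed account=root asset=db-01",
    "<86>2024-05-01T09:30:00Z pam01 SectonaPAM: 503 Login Success user=alice src=198.51.100.23",
    "<86>2024-05-01T09:31:00Z pam01 SectonaPAM: 505 Password Change Success account=svc_backup asset=app-02",
]

HEADER_RE = re.compile(r"^<(?P<pri>\d+)>(?P<ts>\S+) (?P<host>\S+) SectonaPAM: (?P<msg>.+)$")


def parse_line(line):
    """Parse one forwarded line into a dict, or return None if it does not match."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    tokens = m.group("msg").split()
    if not tokens or not tokens[0].isdigit():
        return None
    name, fields = [], {}
    for tok in tokens[1:]:
        if "=" in tok:                      # key=value fields follow the event name
            key, value = tok.split("=", 1)
            fields[key] = value
        elif not fields:                    # words before the first field form the name
            name.append(tok)
    event = {
        "ts": datetime.fromisoformat(m.group("ts").replace("Z", "+00:00")),
        "host": m.group("host"),
        "event_id": int(tokens[0]),
        "event_name": " ".join(name),
    }
    event.update(fields)
    return event


class PamAlertEngine:
    """Stateful rules for the three alert conditions described in the text."""
    LOGIN_FAIL_THRESHOLD, LOGIN_FAIL_WINDOW = 3, timedelta(minutes=5)   # illustrative
    PW_FAIL_THRESHOLD, PW_FAIL_WINDOW = 2, timedelta(minutes=10)        # illustrative

    def __init__(self):
        self.login_failures = defaultdict(deque)   # user -> timestamps of event 502
        self.pw_failures = defaultdict(deque)      # account -> timestamps of event 506
        self.known_sources = defaultdict(set)      # user -> source IPs seen on event 503

    @staticmethod
    def _window_count(times, ts, window):
        """Record ts, drop entries older than the window, return how many remain."""
        times.append(ts)
        while times and ts - times[0] > window:
            times.popleft()
        return len(times)

    def process(self, event):
        alerts = []
        eid, ts = event["event_id"], event["ts"]
        if eid == 502:    # Login Failed
            user = event.get("user", "?")
            n = self._window_count(self.login_failures[user], ts, self.LOGIN_FAIL_WINDOW)
            if n >= self.LOGIN_FAIL_THRESHOLD:
                alerts.append(("repeated_login_failure", user, n))
                self.login_failures[user].clear()   # one alert per burst, not per extra failure
        elif eid == 506:  # Password Change Failed
            account = event.get("account", "?")
            n = self._window_count(self.pw_failures[account], ts, self.PW_FAIL_WINDOW)
            if n >= self.PW_FAIL_THRESHOLD:
                alerts.append(("repeated_password_change_failure", account, n))
                self.pw_failures[account].clear()
        elif eid == 503:  # Login Success: first login seeds the baseline, later new IPs alert
            user, src = event.get("user", "?"), event.get("src", "?")
            seen = self.known_sources[user]
            if seen and src not in seen:
                alerts.append(("login_from_new_ip", user, src))
            seen.add(src)
        return alerts


def evaluate(lines):
    """Run every line through the engine and return the alerts in order."""
    engine = PamAlertEngine()
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is not None:
            alerts.extend(engine.process(event))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LINES):
        print(alert)
```

The engine keeps per-user and per-account sliding windows so that a burst of failures raises one alert rather than one per extra event, and it seeds the "known source IP" baseline from the first successful login instead of alerting on it; in a production SIEM the baseline would come from a longer history and the thresholds would be tuned to the environment.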
You can configure Sectona PAM to forward all these events to an external Syslog or SIEM server. All events are forwarded in Syslog format.
Steps to configure Log Forwarding
The steps below will help you configure Log Forwarding to an external Syslog or SIEM solution:
1. Navigate to the Configuration option in the navigation bar and select SIEM & Log Forwarding from the sidebar.
   - Description: Provide a description of the SIEM logs for the central logging server.
   - IP Address: Provide the IP address of the target server.
   - Port No: Enter the port number of the destination server.
2. Check the Active checkbox to activate forwarding and click the Save button.
Protocols supported are TCP and UDP.
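Before relying on the configured IP address, port and protocol, it is worth confirming that the path to the SIEM works and that the receiver handles the chosen transport correctly: UDP gives no delivery confirmation, while TCP syslog needs message framing so that several events arriving in one stream can be split apart again. The following added example, which is not part of the Sectona documentation or product, builds test messages in an assumed layout (the `<86>TIMESTAMP HOST SectonaPAM: EVENT_ID EVENT_NAME key=value` form and the field names are assumptions for the example, not the product's documented format), applies RFC 6587 octet-counting framing for TCP, and verifies both transports against a receiver on 127.0.0.1 so it runs without a real SIEM.

```python
import socket

# Assumed message layout for this example (NOT the documented Sectona PAM format):
# "<PRI>TIMESTAMP HOST SectonaPAM: EVENT_ID EVENT_NAME key=value ...".
# PRI 86 = facility 10 (authpriv) * 8 + severity 6 (informational).
def build_syslog_line(event_id, event_name, fields, ts="2024-05-01T09:00:00Z", host="pam01"):
    kv = " ".join(f"{k}={v}" for k, v in fields.items())
    return f"<86>{ts} {host} SectonaPAM: {event_id} {event_name} {kv}".encode()


# Constructed test messages using event IDs from the event table on this page.
SAMPLE_MESSAGES = [
    build_syslog_line(502, "Login Failed", {"user": "bob", "src": "10.0.0.9"}),
    build_syslog_line(503, "Login Success", {"user": "alice", "src": "10.0.0.5"}),
]


def frame_for_tcp(msg):
    """RFC 6587 octet-counting framing: decimal length, one space, then the message."""
    return b"%d %s" % (len(msg), msg)


def split_tcp_frames(stream):
    """Recover individual messages from a TCP byte stream that used octet counting."""
    msgs = []
    while stream:
        sep = stream.index(b" ")
        length = int(stream[:sep])
        start = sep + 1
        msgs.append(stream[start:start + length])
        stream = stream[start + length:]
    return msgs


def loopback_forward(protocol, messages):
    """Send messages to a receiver on 127.0.0.1 over the given protocol and return what arrived.

    Stands in for "is the SIEM reachable on this port and protocol?" without a real SIEM.
    """
    protocol = protocol.upper()
    if protocol == "UDP":
        srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        received = []
        try:
            srv.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
            srv.settimeout(3)
            for m in messages:
                cli.sendto(m, srv.getsockname())   # each datagram is one message, no framing
            for _ in messages:
                data, _ = srv.recvfrom(65535)
                received.append(data)
        finally:
            cli.close()
            srv.close()
        return received
    if protocol == "TCP":
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        chunks = []
        try:
            srv.bind(("127.0.0.1", 0))
            srv.listen(1)
            cli.connect(srv.getsockname())
            conn, _ = srv.accept()
            conn.settimeout(3)
            # All messages go out in one write; the receiver must rely on the framing.
            cli.sendall(b"".join(frame_for_tcp(m) for m in messages))
            cli.close()
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
            conn.close()
        finally:
            cli.close()
            srv.close()
        return split_tcp_frames(b"".join(chunks))
    raise ValueError("protocol must be TCP or UDP")


if __name__ == "__main__":
    for proto in ("UDP", "TCP"):
        print(proto, loopback_forward(proto, SAMPLE_MESSAGES))
```

Pointing the client side of this script at the real SIEM address and port, with the listener side replaced by a check in the SIEM's ingestion view, is the practical version of the test; the loopback form is kept here so the example is self-contained.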
Configuring event-specific forwarding
To select which types of event logs you want to forward to an external Syslog or SIEM solution, follow the steps below:
1. Click on the Event Configuration button; an event configuration window opens.
2. Use the checkboxes to select the event(s) you want to forward.
   - Event ID: The unique ID of a particular event.
   - Event Name: The event whose logs are to be received.
3. Click the Save button to save the selected events you want PAM to forward.
4. Navigate to the System option in the navigation bar and select System Status from the sidebar. Click on the App Services tab.
5. Search for the service named SystemEventService and click the Start / Stop button to start the service; log forwarding is enabled only while this service is running.
Click on View Trail to see every addition or modification made to the parameters mentioned above, with details of the changes made by the PAM administrator.
Action | Representation |
---|---|
View Trail | (icon not captured) |

Event ID | Event name | Event description |
---|---|---|
101 | System Log- Low | Displays system log events of low criticality |
102 | System Log- High | Displays system log events of high criticality |
103 | System Log- Medium | Displays system log events of medium criticality |
111 | Asset | Displays events related to configuration activity on the assets in the system |
112 | Accounts | Displays events related to configuration activity on the accounts in the system |
113 | User | Displays events related to configuration activity on the users in the system |
114 | User role | Displays events related to configuration activity on the user roles in the system |
115 | Account Discovery | Displays events related to configuration activity on the Account Discovery in the system |
116 | Network Scan | Displays events related to configuration activity on the Asset discovery of type Network Scan in the system |
117 | AWS | Displays events related to configuration activity on the Asset discovery of type AWS in the system |
118 | VMWare | Displays events related to configuration activity on the Asset discovery of type VMWare in the system |
119 | Azure | Displays events related to configuration activity on the Asset discovery of type Azure in the system |
120 | Active Directory | Displays events related to configuration activity on the Asset discovery of type Active Directory in the system |
121 | Hyper-V | Displays events related to configuration activity on the Asset discovery of type Hyper-V in the system |
123 | Vault API | Displays events related to the configuration activity on the Vault API in the system |
124 | Vault Extensions | Displays events related to the configuration activity on the Vault Extensions in the system |
125 | Active Mapping | Displays events related to mapping configuration of the active mapping in the system |
126 | Server Access Policy Unix | Displays events related to configuration activity on the Server Access Policy that are applied on Unix Server in the system |
127 | Server Access Policy Windows | Displays events related to configuration activity on the Server Access Policy that are applied on Windows Server in the system |
128 | Password Policy | Displays events related to configuration activity on the Password Policy in the system |
129 | Rotation Policy | Displays events related to configuration activity on the Rotation Policy in the system |
130 | Checkout Policy | Displays events related to configuration activity on the Checkout Policy in the system |
131 | Directory Server | Displays events related to configuration activity on the AD & Directory Store in the system |
132 | Account Default | Displays events related to configuration activity on the Account Default in the system |
133 | Instance | Displays events related to configuration activity on the Instance in the system |
134 | Landing & Proxy Server | Displays events related to configuration activity on the Landing & Proxy Server in the system |
135 | GCP | Displays events related to configuration activity on the Asset discovery of type GCP in the system |
501 | Session Initiated | Displays events when the session is initiated in the system |
502 | Login Failed | Displays events related to login failed activity in the PAM system |
503 | Login Success | Displays events related to login success activity in the PAM system |
504 | User Locked | Displays events when the user is locked in the PAM system |
505 | Password Change Success | Displays events related to successful password change activity on the target server |
506 | Password Change Failed | Displays events related to failed password change activity on the target server |
507 | Password Change Aborted | Displays events when a password change is aborted on the target server |
508 | Command Executed | Displays events when a command is executed during a session in the system |
509 | Command Execution Denied | Displays events when a command execution is disapproved during a session in the system |
510 | Command Execution Confirmed | Displays events when a command execution is confirmed during a session in the system |
511 | Process Execution Completed | Displays events when a process is executed through WMON during a session in the system |
512 | Process Execution Denied | Displays events when a process execution is disapproved through WMON during a session in the system |
513 | Process Execution Confirmed | Displays events when a process execution is approved through WMON during a session in the system |
514 | File Transfer Completed | Displays events when a file is transferred during a session in the system |
515 | File Deleted | Displays events when a file is deleted during a session in the system |
801 | System Health Information | Displays events when CPU, memory or disk utilization exceeds the configured baseline value |
This operation cannot be performed if the SystemEventService is not running.