Solution Overview
Kron PAM can send logs to SIEM systems over UDP or TCP. Both the RFC 5424 and RFC 3164 syslog formats are supported. The SIEM module forwards the generated syslog packets to the predefined syslog server. The syslog types that can be sent are listed below.
Auth Log: Contains authentication logs.
Command Log All: Contains only the Kron PAM proxy command logs.
Command Log Command: For SSH sessions, executed commands are logged and can be received by SIEM.
Command Log File Transfer: For RDP sessions, transferred files are logged and can be received by SIEM.
Command Log Key Log: For RDP sessions, keyboard input is logged and can be received by SIEM.
Event Log: This log contains almost all activities in Kron PAM. Detailed event types are given in Appendix 1 of this document.
HTTP Proxy Log: Contains the HTTP Proxy logs shown on the HTTP Proxy log screen in the product.
Vault Discover New Users Log: Contains the Vault New User logs.
Script Player Log: Contains the PTA Script Player logs shown on the Script Player log screen in the product.
Session Log: Contains the session logs shown on the product's session log screen.
TACACS Log: Contains the TACACS accounting logs shown on the TACACS Account log screen in the product.
Threat Analytics Log: Contains the Threat Analytics logs shown on the Threat Analytics dashboard in the product.
*The above log types may differ from release to release; as development continues, all logs remain covered for sending to SIEM.
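The two syslog formats named above differ in header layout, so a SIEM collector has to recognise both. The following parser is an added example, not Kron PAM code; the packet contents (host name, application name, structured-data fields, message text) are constructed samples and do not represent the product's actual log layout.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+)(?: (?P<msg>.*))?$")
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^:\[\s]+)(?:\[(?P<procid>\d+)\])?: (?P<msg>.*)$")
SD_ELEM_RE = re.compile(r"\[([^\s\]]+)((?:\s[^\]]*)?)\]")
SD_PARAM_RE = re.compile(r'([^\s=\]]+)="((?:[^"\\]|\\.)*)"')

@dataclass
class SyslogEvent:
    rfc: str                  # "5424" or "3164"
    facility: int             # PRI // 8
    severity: int             # PRI % 8  (0 = emergency ... 7 = debug)
    timestamp: str
    host: str
    app: str
    procid: Optional[str]
    msgid: Optional[str]      # RFC 5424 only
    structured: dict = field(default_factory=dict)   # RFC 5424 SD-ELEMENTs
    msg: str = ""

def parse_syslog(line: str) -> SyslogEvent:
    """Parse one syslog packet in either RFC 5424 or RFC 3164 form."""
    rfc, m = "5424", RFC5424_RE.match(line)
    if not m:
        rfc, m = "3164", RFC3164_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised syslog line: {line!r}")
    g = m.groupdict()
    pri = int(g["pri"])
    if pri > 191:                       # highest legal PRI: facility 23, severity 7
        raise ValueError(f"PRI {pri} out of range")
    structured = {}
    if rfc == "5424" and g["sd"] != "-":
        # Each SD-ELEMENT is [SD-ID key="value" ...]; keep them as nested dicts
        for sd_id, params in SD_ELEM_RE.findall(g["sd"]):
            structured[sd_id] = {k: v.replace('\\"', '"') for k, v in SD_PARAM_RE.findall(params)}
    return SyslogEvent(rfc, pri >> 3, pri & 7, g["ts"], g["host"], g["app"],
                       None if g.get("procid") in (None, "-") else g["procid"],
                       None if g.get("msgid") in (None, "-") else g["msgid"],
                       structured, g.get("msg") or "")

# Constructed sample packets (not real Kron PAM output) in both supported formats.
SAMPLE_5424 = ('<86>1 2024-05-02T09:15:27.123Z pam01 kronpam 2211 AUTH '
               '[auth user="jdoe" result="success" src="198.51.100.7"] login accepted')
SAMPLE_3164 = '<38>May  2 09:15:27 pam01 kronpam[2211]: session 4711 opened for jdoe'

if __name__ == "__main__":
    for line in (SAMPLE_5424, SAMPLE_3164):
        print(parse_syslog(line))
```

The RFC 3164 form carries no year, time zone or structured data, so collectors normalising both formats into one schema should fill those fields from the receiver's clock and leave the structured-data map empty.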