Integrating PAM360 with ManageEngine EventLog Analyzer

This document discusses the process of integrating PAM360 with ManageEngine EventLog Analyzer. At the end of this document, you will have learned the following: 

  1. Key Benefits of Integration
  2. How does the Integration Work?
  3. Prerequisites for Performing the Integration
  4. Steps to Configure the Integration in EventLog Analyzer
  5. Steps to Enable EventLog Analyzer Integration in PAM360
  6. Troubleshooting Tips

1. Key Benefits of Integration

ManageEngine PAM360 integrates with ManageEngine EventLog Analyzer, an end-to-end log management solution that facilitates log collection, custom log parsing, and complete log analysis with reports.

The PAM360-EventLog Analyzer integration allows you to consolidate and visualize the log data for remote sessions initiated from the PAM360 interface. To check these logs within PAM360, go to Audit >> Recorded Connections and view the Activity Log column beside any resource name.

Note: Currently, log data collection through the PAM360-EventLog Analyzer integration is available only for Windows RDP sessions.

2. How does the Integration Work?

EventLog Analyzer sources data from PAM360 via its API using your server details and login credentials. The log data sent to EventLog Analyzer from PAM360 is updated periodically and visualized for better comprehension. Once the integration is complete, you will be able to view the list of active and closed remote sessions, a complete overview of the events carried out during the remote sessions, and the machine log details, right from the PAM360 interface.

3. Prerequisites for Performing the Integration

3.1 Allow Windows Resources to Accept Remote Sessions from PAM360

Execute the following commands in the Windows device for which a remote session will be initiated from PAM360. These commands have to be executed in every device for which a remote session will be launched from PAM360 for the first time. After the first time, you don't need to execute the commands again for future remote sessions. This can also be executed through a bulk GPO update on all the target end-points. These commands allow the log data to be sent from the particular Windows machine to EventLog Analyzer.

Open a command prompt from an Administrator account and execute the following:

  1. auditpol /set /category:"Account Logon" /success:enable /failure:enable
  2. gpupdate /force

3.2 Import SSL Certificate in the Server

PAM360 lets you enable HTTPS to secure the remote connections. To enable HTTPS during the integration, it is mandatory to import a valid SSL certificate in the server. Follow the steps below to import a certificate in the server:

  1. Stop the PAM360 service.
  2. Open the command prompt and go to the "<PAM360_Installation_Folder>/bin" directory.
  3. Execute the following command:
    importCert.bat <Path of the certificate used by EventLog Analyzer> 
  4. Restart the PAM360 service.

4. Steps to Configure the Integration in EventLog Analyzer

Before you enable the EventLog Analyzer integration in PAM360,  follow the below configuration steps in the EventLog Analyzer console to optimize EventLog Analyzer to receive the log data from PAM360.

4.1 Add PAM360 and Resource as Devices in EventLog Analyzer

  1. Navigate to Log360 >> EventLog Analyzer.
  2. Add the following devices to the EventLog Analyzer console:
    1. Add the PAM360 server.
    2. Add all the resources for which a remote session will be launched from PAM360 and for which the corresponding logs to be collected from EventLog Analyzer.
    3. Please note that the resources/devices can be manually added using the discovery function in EventLog Analyzer. Click here for more information on workgroups in EventLog Analyzer.

4.2 Add PAM360 as an Application in EventLog Analyzer

  1. In Log360 >> EventLog Analyzer, navigate to Settings >> Log Source Configuration >> Applications >> ME Applications, and click Add ME Application.
  2. On the page that appears, choose the Application as Password Manager Pro.
  3. Now, choose the machine in which PAM360 is running and click Add.

4.3 Enable Activity Rules for PAM360 Sessions

  1. In Log360 >> EventLog Analyzer, navigate to Correlation >> Manage Rules >> Activity Rules.
  2. Click the red icon beside PMP Sessions to enable activity logs for remote sessions taken via PAM360.

Once you have completed the steps as instructed above, you can proceed to the next step and enable the EventLog Analyzer integration in PAM360.

5. Steps to Enable EventLog Analyzer Integration in PAM360

Follow the steps detailed below to enable integration with ManageEngine Event Log Analyzer:

  1. Log in to your PAM360 account.
  2. Navigate to Admin >> Integration >> ManageEngine. You will see a consolidated view of all ManageEngine products available for integration with PAM360.

  3. Note: Only user roles with ManageEngine Integration privileges can access the ManageEngine Integrations page.


  4. Under the EventLog Analyzer logo, you will see one of the following options depending on the integration status:
  5. Buttons and Definitions:

    Sl. No Button Definition

    1

    Enable

    You will see this option if the integration is disabled. Click this button to integrate PAM360 with EventLog Analyzer by providing the required details of the EventLog Analyzer server.

    2

    Edit

    You will see this option if the integration is enabled. Click this button to update the EventLog Analyzer server details, such as the hostname and port number.

    3

    Disable

    You will see this option if the integration is enabled. Click this button to disable the existing integration with the EventLog Analyzer server.

  6. Click the Enable button under the EventLog Analyzer logo on the ManageEngine Integrations page.
  7. In the window that appears, enter the following details:
    1. Host Name - The host name of the machine where the EventLog Analyzer is running.
    2. Port - The port where EventLog Analyzer is listening. Specify the HTTPS port number if the HTTPS mode is enabled.
    3. User Name - The username of an administrator account in EventLog Analyzer. Ensure the account has administrator privileges, not an operator or guest account.
    4. Password - The password of the specified administrator account.
    5. Enable HTTPS - Select this checkbox to enable connection via HTTPS. If the HTTPS mode is enabled, you must import a valid SSL certificate into the server. Click here for steps to import an SSL certificate.
      Log360 configuration
  8. Click Enable to complete the integration.
  9. To view the log data for the remote sessions initiated via the PAM360 interface, navigate to Audit >> Recorded Connections and click the Activity Logs icon beside the desired recorded session.
    Recorded_connection_audit

Notes:

  1. Once EventLog Analyzer integration is enabled under Admin >> Integrations >> ManageEngine, the SIEM integration for EventLog Analyzer will also be enabled automatically under Admin >> Integrations >> SIEM Integration. This is to ensure that all the log details from PAM360 are sent to EventLog Analyzer in the form of syslogs. 
  2. To ensure that the EventLog Analyzer integration works smoothly, it is recommended that the SIEM integration with EventLog Analyzer is always enabled.
  3. Click here for more information on SIEM integration.

5.1 How to Set Up Alert Notifications in EventLog Analyzer?

Receive alerts for activities related to PAM360 in the form of email or SMS whenever your PAM360 server encounters unauthorized logins. Start configuring the alerts once the PAM360-EventLog Analyzer integration is complete. Remember, the alerts can be configured from the EventLog Analyzer console only. Create a new alert profile and specify your preferences. Here are the steps in detail:

  1. Navigate to Log360 >> EventLog Analyzer and switch to the Alerts tab.
  2. To add a new profile, click + Add in the top right corner and click Configuration >> Alerts.
  3. Here, enter a name, choose a severity, and select the required device.
  4. Under the Select Alert option, click the Custom Alerts tab.
  5. Using the available drop-downs, specify the following criteria:

Source Device not equals pam360-server (choose the name of your PAM360 server)

+

Logon Type equals 10

+

Event ID equals 4624 (this ID signifies unauthorized login)

The specified criteria will look like: Rule Criteria = (SOURCEHOST:pam360-server) AND (LOGONTYPE:10) AND (EVENTID:4624)

  1. Click Save to save the criteria.
  2. Under Alert Notification, choose your preferred notification settings. Based on these settings, you will receive an alert through Email or SMS whenever an unauthorized login is detected in your PAM360 server. To invoke a workflow for the alert, click the Workflow tab, choose a predefined workflow from the drop-down and assign it to an admin or an operator. Click Save Profile to save all alert settings.

The alert profile creation is complete. Now, all alerts related to the selected criteria will be listed under the Alerts tab.

To know more in detail about creating alert profiles, click here. To know more about creating new workflows in EventLog Analyzer, click here.

6. Troubleshooting Tips

  1. If the activity log is not captured, check for the time difference between the PAM360 server and the remote machines. The time of the remote machine should be the same or behind PAM360 server time.
  2. If all the integrations are proper but the correlation is not collecting data, check the Syslog values to confirm if Session Started and Session Ended logs are captured from PAM360.
  3. If the PAM360 sessions in ELA are not displaying data, check for the remote server name displayed in ELA. The remote server name has to be the same as the DNS name of the resource in PAM360.






Top