
Logging details

In PassMan, all relevant activities can be traced: what happened, when, and by whom. There are two types of logging:

System log 

System log entries are written by the PassMan virtual machine, like the standard syslog. Log entries have a loose structure:

{system time} {passman node} {service}: {log message}

Audit log

Audit log entries are triggered by activities of Padmin and PassMan users. These entries have a stricter structure:

{system time} {passman node} {service}: {process name}(process id): {parameters in key = value format }

The most relevant parameter keys are:

  • id of the log entry
  • if the activity belongs to an activity group (like import, multiple delete, target restore), then activity_group shows the id of the group
  • type of the action
  • start_timestamp is unix epoch time (the number of seconds since 1st January 1970)
  • user_upn is the universal principal name of the user who performed the action, in the format username@domain. Automatic tasks have the user 'auto@internal'.
  • user_address is the IP address or server name of the user. Automatic tasks have 'localhost' as user address.
  • business_result shows whether the action succeeded or failed.
  • entity_type, entity_name and entity tell what entity the action applies to: account, target or group.
  • entity_parent_name and entity_path make it easier to find the entity in the tree (shown on the left of the PassMan UI). In case of private folders, the path looks like this: 'admin@local private/192.168.208.28/ad'
  • details give additional information depending on the type of activity
  • failure, failure_code and failure_details are filled if the activity failed

Activity details


| category | type | details | description |
|---|---|---|---|
| session | session_log | user: user attempting to log in; user_address: IP address of user; token_issued_at: when auth token was given to user; token_expiry_time: when will auth token expire; failure, failure_code; logout_time: when the user explicitly logged out on the UI | PassMan session has started / finished. |
| job / account | CreateAccount | target: id of target; parameters of account | Create new account for given target. |
| job / account | UpdateAccount | account: id of account; parameters of account | Change the parameters of the account, like name, description etc. Credential changes are done by UpdateCredentials. |
| job / account | DeleteAccount | account: id of account | Delete given account. |
| job / account | CheckCredentials | account: id of account | Check the correctness of the credentials by logging into the target in the background. |
| job / account | DeleteCredentials | account: id of account; credential_types: password and/or ssh key | Delete given credentials of an account. |
| job / account | CheckoutCredentials | account: id of account; credential_type: password or ssh key; exclusive_duration: time the account can't be checked out by others | Show the given credential to the user, who can use it to access the account manually. If exclusive duration is given, PassMan ensures that other users cannot display the credentials of this account. |
| job / account | CheckinCredentials | account: id of account | If the credentials are checked out exclusively, this activity will 'give them back', allowing other users to check them out. If the exclusive duration of the checkout is up, this job will run automatically. |
| job / account | LoginCheckoutCredentials | account: id of account; credential_type: password or ssh key; exclusive_duration: time the account can't be checked out by others; user agent: passman agent initiating the action | Similar to CheckoutCredentials, but the credentials are used to log into the account, without showing them to the user. This functionality needs a passman agent, which handles the automatic login. |
| job / account | UpdateCredentials | account: id of account; credentials: password and/or ssh key to change, values not shown in log | Change the credentials of an account. The changes are not reflected on the target, only in PassMan. |
| job / account | ResetCredentials | account: id of account; credentials: password and/or ssh key to change, values not shown in log | Change the credentials of an account. Unlike UpdateCredentials, it changes them on the target system as well, therefore if the target is unreachable, or none of the current credentials are in sync, then this will fail. |
| job / account | ResetElevatedCredentials | target: id of target; accounts: ids of accounts of target; computers: name of windows servers where the service passwords will be changed | Change credentials of multiple accounts of given target using a service account. It can also change the passwords of windows services running on other computers. |
| job / target | CreateTarget | parent: id of group (folder) to create it in; target parameters | Create target. |
| job / target | UpdateTarget | target: id of target; target parameters | Change target parameters. |
| job / target | DeleteTarget | target: id of target | Delete given target. |
| job / target | MoveTarget | target: id of target; destination group: id of group to move it to | Move the target to a different group (folder). Permission to delete it from the current group and to create it in the destination group are required to succeed. |
| job / target | RestoreAccounts | timestamp: time the accounts should be restored to; account: id of account; target: id of target | Target recovery restores the accounts to a previous state. This is useful if the target device was restored to a backup, and PassMan needs to be synchronized to this earlier state. |
| job / folder | CreateGroup | name: name of group; parent: id of the group to create it in | Create group (folder). |
| job / folder | UpdateGroup | group: id of group; name: new name of group; description: new description of group | Change group (folder) name and/or description. |
| job / folder | DeleteGroup | group: id of group | Delete group (folder). |
| job / folder | MoveGroup | group: id of group; parent: id of group to move it to | Move given group (folder) to another parent group. |
| job / vault | OpenVault | key: vault username | Opens the vault, making sensitive data in the database accessible. Only users having a vault username and password can do that. If the vault is closed, most jobs will fail. |
| job / vault | AddVaultKey | key: vault username | Add new vault user, which is independent from the login username and password. A user able to open the vault does not necessarily have to have login details to PassMan. |
| job / vault | DeleteVaultKey | key: vault username | Delete vault user. |
| job / policy | UpdateCredentialPolicy | credential_type: password or ssh key; policy: requirements for the credential; group: id of group; target: id of target; account: id of account | Change the policy the credentials have to conform to. |
| job / policy | UpdateACL | acl: access control list (list of rules); group: id of group; target: id of target; account: id of account | Edit the ACL, which controls the permissions of the given entity. |
| user man | AddUser | username; user parameters | Add new local user to access PassMan. |
| user man | UpdateUser | username; user parameters | Change local user parameters. |
| user man | DeleteUser | username | Delete given local user. |
| user man | ChangePassword | username | Change password of given local user. |
| user man | AddLocalGroup | name | Add local user group. |
| user man | DeleteLocalGroup | name | Delete local user group. |
| user man | UpdateLocalGroup | name | Change name of local group. |
| user man | ForgotPassword | name; error_message | Send email to given user about forgotten password. |
| padmin / certificate | PadminGenerateSelfSignedCert | domain; country; state; company; city; admin_email | To have secure communication via https, a certificate is needed. If the site does not have a properly signed certificate, a self-signed one can be generated. |
| padmin / certificate | PadminUploadCert | - | Upload certificate dedicated to the site running PassMan. |
| padmin / maintenance | PadminPassmanStart | - | Start PassMan, if it is stopped. After every start, the vault admin needs to open the vault for users to have access to sensitive data. |
| padmin / maintenance | PadminPassmanStop | - | Stop PassMan, if it is not stopped. |
| padmin / maintenance | PadminPassmanRestart | - | Stop PassMan and then start it again. Some activities need PassMan restarted to let the changes take effect. |
| padmin / maintenance | PadminPadminRestart | - | Restart Padmin service on virtual machine. |
| padmin / maintenance | PadminShutdown | - | Shut down the virtual machine. It won't be accessible from Padmin anymore. |
| padmin / maintenance | PadminShutdownCluster | - | Shut down all nodes of the cluster. |
| padmin / maintenance | PadminReboot | - | Reboot the virtual machine. It might take a few minutes; during that time it is not accessible from Padmin. |
| padmin / maintenance | PadminRebootCluster | - | Reboot all nodes of the cluster. |
| padmin / maintenance | PadminUpdateDatabaseIndexes | - | Update the database indexes of the PassMan database. It might be necessary after a database restore activity. |
| padmin / update | PadminUpdatePassmanFile | upload_file | Update PassMan by uploading an update file. After that, restarting is necessary. |
| padmin / update | PadminUpdateFile | upload_file | Update Padmin by uploading an update file. After that, restarting is necessary. |
| padmin / update | PadminOsUpdate | upload_file | Update the operating system of the virtual machine. Afterwards, reboot is necessary. In cluster mode, it can update only one node, so the update process needs to be run three times on each node. |
| padmin / data | PadminDatabaseBackup | filename_postfix | Backup PassMan database. Backups are stored on the virtual machine. |
| padmin / data | PadminDatabaseRestore | filename | Restore PassMan database. It's a long process and might take several minutes to finish. After that, PassMan needs to be restarted. |
| padmin / data | PadminDatabaseExport | filename | Export database backup file by downloading it through the browser. Export files are encrypted. |
| padmin / data | PadminDatabaseImport | db_dump_file | Import previously exported database backup file. Importing does not restore it automatically, just copies it to the virtual machine. |
| padmin / data | PadminDeleteBackup | filename | Delete backup file from virtual machine. Old backups are not deleted automatically. |
| padmin / data | PadminAutoBackup | - | Set daily automatic backup parameters. If export destination is set, then backup files are encrypted (just like in case of export), copied to the given destination and removed from the virtual machine. |
| padmin / system settings | PadminNetwork | network parameters | Change the network settings of the virtual machine, like IP address, gateway, dns, search domains, static routes. If the changes make the virtual machine inaccessible via http, then it cannot be rescued via Padmin. |
| padmin / system settings | PadminLicense | - | Change the PassMan license. |
| padmin / system settings | PadminAutoJobs | changed parameters | The following automatic jobs can be configured to run daily at a specific time: CheckCredentials for each account; ResetCredential before expiring for each account; Email about expiring accounts; Check AD services and domain members which run services to PassMan. |
| padmin / system settings | PadminAuthentication | - | Configure authentication methods to PassMan. Restarting PassMan is necessary to have the changes take effect. |
| padmin / system settings | PadminEmail | parameters | Configure the email settings. |
| padmin / system settings | PadminSecurity | changed parameters | Automatic ACL rule update for parent groups to ensure the user can view the entity he / she was given access to. |
| padmin / system settings | PadminTime | changed parameters | Configure time zone and ntp servers. |
| padmin / system settings | PadminSyslogServer | parameters | Configure syslog server to send system and audit log. |
| padmin / system settings | PadminZabbix | parameters | Configure zabbix monitoring software. |
| padmin / system settings | PadminDebugMode | changed parameters | Enable / disable debug mode to have more detailed system log. It does not affect the audit log. |
| padmin / system settings | PadminSwap | changed parameters | Increase the size of the swap file. It can't be decreased. |
| padmin / system settings | PadminPmsl | changed parameters | Configure how the PMSL (PassMan Secure Login tool) will be used to login to targets directly from the PassMan UI. |
| padmin / system settings | PadminRemoteLogin | changed parameters | Enable / disable ssh access to the virtual machine. |
| padmin / system settings | PadminConfigExport | - | Export all Padmin settings to an encrypted file and download it. |
| padmin / system settings | PadminConfigImport | conf_file | Import all Padmin settings from a previously exported file. |
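
An added example, not part of the PassMan documentation or product code: a Python sketch that parses audit entries in the layout described under "Audit log" and flags a few of the activity types listed under "Activity details". The timestamp format, the ", " separator, the quoting of values, the process name "audit" and the choice of watched types are assumptions of this example, and the sample lines are constructed.

```python
import re
from collections import Counter

# Field order is from the page. Assumed here: ISO timestamps, ", " between
# pairs, single quotes around values with spaces, process name "audit".
HEADER = re.compile(r"^(?P<time>\S+) (?P<node>\S+) (?P<service>[^:]+): "
                    r"(?P<process>[\w.-]+)\((?P<pid>\d+)\): (?P<params>.*)$")
PAIR = re.compile(r"(\w+) = (?:'([^']*)'|([^\s,]+))")
# Activity types taken from the page; which ones to watch is this example's choice.
SENSITIVE = {"AddVaultKey", "UpdateACL", "PadminRemoteLogin",
             "PadminSyslogServer", "PadminAuthentication", "PadminDatabaseExport"}

def parse_audit(line):
    """Return header fields plus parameters as a dict, or None for system log lines."""
    m = HEADER.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    pairs = PAIR.findall(entry.pop("params"))
    entry.update({key: quoted or bare for key, quoted, bare in pairs})
    return entry

def review(lines, max_failed=3):
    """Return (reason, entry id) findings for a batch of log lines."""
    failed, findings = Counter(), []
    for entry in filter(None, map(parse_audit, lines)):
        kind, addr = entry.get("type"), entry.get("user_address")
        if entry.get("user_upn") == "auto@internal" and addr != "localhost":
            # The page says automatic tasks always log 'localhost'.
            findings.append(("automatic user from remote address", entry.get("id")))
        elif kind == "session_log" and entry.get("failure_code"):
            failed[addr] += 1
            if failed[addr] == max_failed:  # report once per address
                findings.append(("repeated failed logins", entry.get("id")))
        elif kind in SENSITIVE:
            findings.append(("sensitive change", entry.get("id")))
    return findings

# Constructed sample lines, not real PassMan output.
PFX = "2024-03-01T09:00:00+01:00 pm-node1 passman: "
SAMPLE = [PFX + "service restarted"] + [  # first item is a system log line
    PFX + f"audit(812): id = {n}, type = session_log, user = eve, "
          "user_address = 10.0.0.7, failure_code = AUTH" for n in (1, 2, 3)] + [
    PFX + "audit(812): id = 4, type = PadminRemoteLogin, user_upn = admin@local, user_address = 10.0.0.5",
    PFX + "audit(812): id = 5, type = CheckCredentials, user_upn = auto@internal, user_address = 10.0.0.9",
    PFX + "audit(812): id = 6, type = CheckoutCredentials, user_upn = bob@corp.example, "
          "entity_path = 'admin@local private/192.168.208.28/ad'"]

if __name__ == "__main__":
    print(review(SAMPLE))
```

Adjust the two regular expressions to the syntax your PassMan version actually emits before relying on the findings.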