We would like to request the same. We have been using PasswordState for a long time (8 or 9 years?), and have added it to our SIEM for correlation. The major issue is that the Syslog messages are far too "English" to be easily parsed with Regular Expressions.
Having an option to send the data in a structured, machine-parsable way would make ingestion into a SIEM much easier. We don't really care which standard is followed, so long as it is consistent.
Formats typically supported by SIEMs are:
- LEEF
- CEF
- JSON
- Key Value Pairs (key1='value1' key2='value2' or key1: value1; key2: value2)
We would be looking for the following information in the logs (not necessarily in this order):
For password operations:
- Operation Performed
- Who performed it (domain\user or user@domain.net, display name is optional, or API)
- Client IP/hostname
- Result (Success/Fail)
- Full path to password list (group/folder structure)
- PasswordList ID
- PasswordEntry Title
- PasswordEntry ID
- PasswordEntry Username
For authentication events:
- Authentication could be split across multiple logs:
  - Authentication against Primary Authentication Server
  - Authentication against additional Authentication server (e.g. MFA, token, etc.)
- For these we would expect:
  - Authentication Server Name
  - Authentication Method (AD, LDAP, SAML, OAuth, etc.)
  - Auth status (success/fail)
  - Auth status reason (if available), e.g. account locked, account disabled, account does not exist, etc.
For host operations:
- Operation Performed
- Who performed it (domain\user or user@domain.net, display name is optional, or API)
- Client IP/hostname
- Result (Success/Fail)
- Full path to host (group/folder structure)
- HostEntry ID
- HostEntry Hostname
- HostEntry Site
- HostEntry IP
- Connection Port
Some additional information may be useful, but this would be among the minimum critical information.
Hopefully enough people are interested in this to make it happen.
Regards,
JohnB
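An added illustration, not part of the post above and not the product's actual output: how the password-operation fields requested there could be carried in a CEF record and recovered by a parser without guessing at English phrasing. The vendor, product, version and signature ID values are placeholders, and the mapping of fields to CEF extension keys is an assumption; note that `domain\user` only survives the round trip because backslashes are escaped consistently.

```python
import re

# Assumed mapping from the fields requested in the post to CEF extension keys.
# Vendor, product, version and signature ID below are placeholders.
CEF_KEYS = {"operation": "act", "user": "suser", "client_ip": "src",
            "result": "outcome", "list_path": "cs1", "entry_title": "cs2",
            "entry_username": "duser"}
LABELS = {"cs1": "PasswordListPath", "cs2": "PasswordEntryTitle"}

# Header: "CEF:<version>|" + six pipe-delimited fields, then the extension.
_HEADER = re.compile(r"CEF:(\d+)\|" + r"((?:[^\\|]|\\.)*)\|" * 6 + r"(.*)")
# Extension: key=value pairs; a value runs until the next unescaped " key=".
_PAIR = re.compile(r"(\w+)=((?:[^\\=]|\\.)*?)(?=\s+\w+=|\s*$)")

def _esc(value, special):
    """Backslash-escape '\\' plus the one delimiter that is special here."""
    out = str(value).replace("\\", "\\\\").replace(special, "\\" + special)
    return out.replace("\n", "\\n")

def _unesc(value):
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), value)

def to_cef(event, sig_id="100", name="Password operation", severity=3):
    header = ["CEF:0"] + [_esc(h, "|") for h in
        ("ExampleVendor", "ExampleVault", "0.0", sig_id, name, severity)]
    ext = []
    for field, key in CEF_KEYS.items():
        if field in event:
            ext.append(f"{key}={_esc(event[field], '=')}")
            if key in LABELS:  # custom string fields carry a label
                ext.append(f"{key}Label={LABELS[key]}")
    return "|".join(header) + "|" + " ".join(ext)

def parse_cef(line):
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not a CEF record")
    ext = {k: _unesc(v) for k, v in _PAIR.findall(m.group(8))}
    inverse = {v: k for k, v in CEF_KEYS.items()}
    return {inverse[k]: v for k, v in ext.items() if k in inverse}

# Constructed sample event (not real product output).
SAMPLE = {"operation": "View Password", "user": "CORP\\jdoe",
          "client_ip": "192.0.2.10", "result": "Success",
          "list_path": "Infra/Linux=Prod|DMZ", "entry_title": "root on web01",
          "entry_username": "root"}
```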