JSON/LEEF Syslog Formatting for remote logging
in Feature Requests

We would like to request the same. We have been using PasswordState for a long time (8 or 9 years?), and have added it to our SIEM for correlation. The major issue is that the Syslog messages are far too "English" to be easily parsed with Regular Expressions.

Having an option to send the data in a structured, machine-parsable way would make ingestion into a SIEM much easier. We don't really care which standard is followed, so long as it is consistent.

Formats typically supported by SIEMs are:
- LEEF
- CEF
- JSON
- Key Value Pairs (key1='value1' key2='value2' or key1: value1; key2: value2)

We would be looking for the following information in the logs (not necessarily in this order):

For password operations:
- Operation Performed
- Who performed it (domain\user or user@domain.net, display name is optional, or API)
- Client IP/hostname
- Result (Success/Fail)
- Full path to password list (group/folder structure)
- PasswordList ID
- PasswordEntry Title
- PasswordEntry ID
- PasswordEntry Username

For authentication events:
Authentication could be split across multiple logs
- Authentication against Primary Authentication Server
- Authentication against additional Authentication server (e.g. MFA, token, etc.)

For these we would expect

For host operations:

Some additional information may be useful, but this would be among the minimum critical information.

Hopefully enough people are interested in this to make it happen.

Regards,
JohnB
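To make concrete what the post is asking for, here is an added example (not code from the post, nor from the PasswordState product) that takes one constructed password-operation event carrying the fields listed above and renders it in the four structured formats named, CEF, LEEF 2.0, JSON and key='value' pairs, then parses the key='value' form back into fields. The field names, the vendor/version placeholders and the choice of `^` as LEEF delimiter are assumptions; the CEF escaping rules (header escapes `|` and `\`, extension escapes `=` and `\`) follow the CEF specification, and `suser`, `src`, `outcome` and `usrName` are standard CEF/LEEF dictionary keys.

```python
"""Added illustration, not PasswordState code: render one audit event in the
structured formats a SIEM ingests (CEF, LEEF 2.0, JSON, key='value') and parse
the key='value' form back. Field names and vendor/version strings are assumed."""
import json
import re

# Constructed sample event with the fields the post asks for (all values are
# made up; the ids and the list path do not come from any real instance).
SAMPLE_EVENT = {
    "operation": "PasswordViewed",
    "actor": "CORP\\jdoe",                          # domain\user
    "client_ip": "10.0.0.25",
    "result": "Success",
    "list_path": "Infrastructure\\Servers\\Linux",  # group/folder structure
    "list_id": "1234",
    "entry_title": "root | db01 (prod)",            # contains a pipe on purpose
    "entry_id": "98765",
    "entry_username": "root",
}

VENDOR, PRODUCT, VERSION = "VendorPlaceholder", "PasswordState", "0.0"  # assumed

# --- CEF --------------------------------------------------------------------
# CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value key=value
# Header fields escape '|' and '\'; extension values escape '=' and '\'.
CEF_KEY_MAP = {"actor": "suser", "client_ip": "src", "result": "outcome"}

def _cef_header(s):
    return s.replace("\\", "\\\\").replace("|", "\\|")

def _cef_ext(s):
    return (s.replace("\\", "\\\\").replace("=", "\\=")
             .replace("\r", "\\r").replace("\n", "\\n"))

def to_cef(ev, severity="3"):
    header = "|".join(_cef_header(x) for x in
                      ("0", VENDOR, PRODUCT, VERSION, ev["operation"], ev["operation"], severity))
    # Standard CEF dictionary keys where one exists, the field name otherwise.
    ext = " ".join(f"{CEF_KEY_MAP.get(k, k)}={_cef_ext(str(v))}" for k, v in ev.items())
    return f"CEF:{header}|{ext}"

# --- LEEF 2.0 ---------------------------------------------------------------
# LEEF:2.0|Vendor|Product|Version|EventID|delim|key=value<delim>key=value
LEEF_DELIM = "^"
LEEF_KEY_MAP = {"actor": "usrName", "client_ip": "src"}

def to_leef(ev):
    pairs = []
    for k, v in ev.items():
        v = str(v)
        if LEEF_DELIM in v:  # LEEF defines no value escaping, so refuse ambiguity
            raise ValueError(f"value of {k} contains the LEEF delimiter {LEEF_DELIM!r}")
        pairs.append(f"{LEEF_KEY_MAP.get(k, k)}={v}")
    return (f"LEEF:2.0|{VENDOR}|{PRODUCT}|{VERSION}|{ev['operation']}|{LEEF_DELIM}|"
            + LEEF_DELIM.join(pairs))

# --- JSON -------------------------------------------------------------------
def to_json(ev):
    return json.dumps(ev, separators=(",", ":"), sort_keys=True)

def parse_json(line):
    return json.loads(line)

# --- key='value' pairs ------------------------------------------------------
# A backslash escapes '\' and "'" inside the quotes, so values may contain both.
_KV_PAIR = re.compile(r"(\w+)='((?:[^'\\]|\\.)*)'")

def _kv_escape(s):
    return s.replace("\\", "\\\\").replace("'", "\\'")

def to_kv(ev):
    return " ".join(f"{k}='{_kv_escape(str(v))}'" for k, v in ev.items())

def parse_kv(line):
    # The regex isolates each quoted value; then '\x' is unescaped to 'x'.
    return {k: re.sub(r"\\(.)", r"\1", v) for k, v in _KV_PAIR.findall(line)}

def render_all(ev):
    return {"cef": to_cef(ev), "leef": to_leef(ev), "json": to_json(ev), "kv": to_kv(ev)}

if __name__ == "__main__":
    for name, line in render_all(SAMPLE_EVENT).items():
        print(f"{name}: {line}")
    assert parse_kv(to_kv(SAMPLE_EVENT)) == SAMPLE_EVENT
```

The point the post makes is visible in `parse_kv`: one small, format-driven pattern recovers every field, including a title with a pipe and a path with backslashes, whereas an English sentence needs a bespoke regex per message type and breaks whenever the wording changes.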