Secret Server Reported Events

When an event occurs, Secret Server generates an event message in Syslog/Common Event Format (CEF) and sends it to Splunk. Each message includes the Event Name, the Event ID, and the data fields that contain the details of the event. For a complete list of the Syslog events that Secret Server sends, refer to the Secret Server documentation.

The following image shows an example of an event message sent by Secret Server. The event was generated when an administrator account in Secret Server edited a secret:

The following table describes the Syslog/CEF data fields included in the event messages from Secret Server.

Event Data Field Definitions

| Data Field | Data Field Definition |
|---|---|
| cs1 | The name of the role that was modified. |
| cs1label | “Role” |
| cs2 | The name of the user or group added to the role. |
| cs2label | “Group” or “User” |
| cs3 | The name of the folder containing the secret. |
| cs3label | “Folder” |
| duid | The user ID that is currently being viewed or billed. |
| duser | The username that is being viewed is outdated. |
| fileId | The ID for the specific item on which the action occurred. |
| fileType | The type or category of the item on which the action occurred. |
| fname | The name of the item, such as a file or folder, on which the action occurred. |
| Message | A detailed message explaining the action or event in the audit log. |
| msg | The abbreviated version of the Message field. |
| Name | The name of the event in a more user-friendly, understandable format. |
| Priority | The level of importance or urgency of the event. |
| Product | The name of the product involved in the event. |
| rt | The timestamp indicating when the event occurred. |
| src | The IP address of the machine that initiated the action or event. |
| suid | The user ID of the user who triggered or executed the action. |
| suser | The username associated with the suid user ID. |
| Vendor | The name of the vendor or the company associated with the product. |
| Version | The version number of Secret Server. |
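
The following is an added example, not taken from the Secret Server documentation: a small Python parser for the CEF layout described above. It splits the header into Vendor, Product, Version, Event ID, Name, and Priority, unescapes the extension values, and pairs each csN value with its csNlabel. The sample message, its vendor string, event ID, and all field values are constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample (not captured from a real Secret Server); the vendor,
# version, event ID and all values are illustrative placeholders.
SAMPLE = (
    "CEF:0|Example Vendor|Secret Server|0.0.0|00000|SECRET - EDIT|2|"
    "msg=Constructed example: admin edited a secret "
    "suid=2 suser=admin src=192.0.2.10 rt=Jan 01 2024 10:00:00 "
    "fname=db\\=prod password fileType=Secret fileId=6 "
    "cs3label=Folder cs3=\\\\Infra\\\\Databases"
)

# Header: "CEF:<n>|" then six pipe-delimited fields (a backslash escapes the
# next character), then the extension. search() tolerates a syslog prefix.
HEADER = re.compile(r"CEF:(\d+)\|" + r"((?:\\.|[^|\\])*)\|" * 6 + r"(.*)", re.S)
# Extension: key=value pairs; a value runs until the next " key=" or the end,
# and may contain spaces and escaped "=" or "\" characters.
EXT = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|\s*$)", re.S)
HEADER_NAMES = ("Vendor", "Product", "Version", "EventID", "Name", "Priority")


def unescape(value):
    """Undo CEF backslash escaping (\\n and \\r become line breaks)."""
    special = {"n": "\n", "r": "\r"}
    return re.sub(r"\\(.)", lambda m: special.get(m.group(1), m.group(1)),
                  value, flags=re.S)


def parse_cef(line):
    """Return header fields, raw extension fields, and labelled csN fields."""
    m = HEADER.search(line)
    if not m:
        raise ValueError("not a CEF message")
    event = dict(zip(HEADER_NAMES, (unescape(g) for g in m.groups()[1:7])))
    fields = {k: unescape(v) for k, v in EXT.findall(m.group(8))}
    # Match label keys case-insensitively, since label casing varies.
    lower = {k.lower(): v for k, v in fields.items()}
    custom = {lower[k + "label"]: v for k, v in lower.items()
              if re.fullmatch(r"cs\d+", k) and k + "label" in lower}
    event.update(fields=fields, custom=custom)
    return event


if __name__ == "__main__":
    for key, value in parse_cef(SAMPLE).items():
        print(key, "=", value)
```

Because escaped `=` characters are kept inside the value they belong to, an item name such as `db\=prod password` stays within `fname` instead of being split into a separate field.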