Secret Server Reported Events
When events occur in Secret Server, it generates and sends event messages in the Common Event Format (CEF) to Splunk using Syslog. Each message includes the Event Name, Event ID, and the data fields that contain the details about the event. For a complete list of the Syslog events that Secret Server sends, refer to the Secret Server documentation.
The following image shows an example of an event message sent by Secret Server. The event was generated when an administrator account in Secret Server edited a secret:
The following table describes the Syslog/CEF data fields included in the event messages from Secret Server. Fields labeled csXLabel identify what data the corresponding csX field contains.
Event Data Field Definitions
| Data Field | Data Field Definition |
|---|---|
| cs1 | The name of the role that was modified. |
| cs1Label | Role |
| cs2 | The name of the user or group added to the role. |
| cs2Label | Group or User |
| cs3 | The name of the folder containing the secret. |
| cs3Label | Folder |
| cs4 | The display name of the user performing the action. |
| cs4Label | suser Display Name |
| cs5 | The checkout time on checkin events. |
| cs6 | Event-type dependent. |
| cs7 | The checkin time. |
| duid | The user ID being viewed or changed. |
| duser | The username being viewed or updated. |
| fileID | The ID for the specific item on which the action occurred. |
| fileType | The type or category of the item on which the action occurred. |
| fname | The name of the item, such as a file or folder, on which the action occurred. |
| Message | A detailed message explaining the action or event in the audit log. |
| msg | The abbreviated version of the Message field. |
| Name | The name of the event in a more user-friendly, understandable format. |
| Priority | The level of importance or urgency of the event. |
| Product | The name of the product involved in the event. |
| rt | The timestamp indicating when the event occurred. |
| src | The IP address of the machine that initiated the action or event. |
| suid | The user ID of the user who triggered or executed the action. |
| suser | The username associated with the suid. |
| Vendor | The name of the vendor or the company associated with the product. |
| Version | The version number of Secret Server. |
The csX field mappings are not static across all event types. Secret Server dynamically assigns csX fields based on the event category. For example, a SECRET - VIEW event typically uses only cs3 and cs4, while a SECRET - CHECKIN event also populates cs5 and cs7 for timestamps. The cs6 field is also event-type dependent and may contain varying data.
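Because the csX assignments vary by event type, a parser or detection rule should resolve each csX through the csXLabel sent in the same message instead of hard-coding positions. The following is an added example, not code from Secret Server or Splunk: the sample message is constructed, and its vendor, version, event ID, names, times, and addresses are placeholders.

```python
import re

# Constructed sample message (not captured from a real Secret Server);
# vendor, version, event ID, names, times and addresses are placeholders.
SAMPLE = (
    "<14>Jan 01 00:00:00 host CEF:0|ExampleVendor|Secret Server|0.0.0|00000|"
    "SECRET - CHECKIN|2|msg=Constructed checkin message suid=2 suser=admin "
    "cs4=Example Admin cs4Label=suser Display Name src=192.0.2.10 "
    "rt=Jan 01 2024 09:30:00 fname=Example Secret fileType=Secret fileID=7 "
    "cs3Label=Folder cs3=Example\\=Folder cs5=1/1/2024 09:00 cs7=1/1/2024 09:30"
)
# An extension key is a word followed by '=' at the start or after whitespace.
KEY = re.compile(r"(?<!\S)(\w+)=")
HEADER = ("cef_version", "Vendor", "Product", "Version", "Event ID", "Name", "Priority")

def parse_cef(line):
    """Split a CEF syslog line into header fields and extension key/value pairs."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    # Seven header fields separated by unescaped pipes, then the extension.
    parts = re.split(r"(?<!\\)\|", line[start + 4:], maxsplit=7)
    if len(parts) < 8:
        raise ValueError("truncated CEF header")
    header = dict(zip(HEADER, parts[:7]))
    ext, hits = {}, list(KEY.finditer(parts[7]))
    for i, m in enumerate(hits):
        # A value runs until the next key, so it may contain spaces.
        end = hits[i + 1].start() if i + 1 < len(hits) else len(parts[7])
        value = parts[7][m.end():end].strip()
        ext[m.group(1)] = value.replace("\\=", "=").replace("\\\\", "\\")
    return header, ext

def resolve_custom(ext):
    """Rename each csN to the text of csNLabel; keep csN when no label was sent."""
    out = {}
    for key, value in ext.items():
        if re.fullmatch(r"cs\d+Label", key):
            continue  # labels are metadata, not event data
        if re.fullmatch(r"cs\d+", key):
            key = ext.get(key + "Label", key)
        out[key] = value
    return out

if __name__ == "__main__":
    header, ext = parse_cef(SAMPLE)
    print(header["Name"], resolve_custom(ext))
```

Fields that arrive without a label (cs5 and cs7 in this sample) keep their raw key, so their meaning still has to be taken from the event name.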
