Privileged Access Management · Audit Training

Secret Server
Audit & Logging
Training Guide

A comprehensive reference for all logging capabilities within Delinea Secret Server, covering every log type, report option, and compliance strategy for auditors and security teams.

14 log types · 60+ built-in reports · 8 compliance frameworks · 100% tamper-evident

All Logging Options in Secret Server

Secret Server provides 14 distinct log streams. Each one is described below with its full field details.

14 total log types · 60+ report templates · 5 SIEM connectors · Real-time syslog / CEF / LEEF

🔑 Secret Activity Log (CORE)
Tracks every interaction with individual secrets: views, edits, copies, password changes, and check-out/check-in events.
Tags: Per-secret · Real-time · Tamper-evident

Field | Description
Date/Time | UTC timestamp of the event
Action | View, Edit, Copy Password, Launch, Check Out, Check In, Delete
User | Username and domain of the actor
IP Address | Source IP of the session
Notes | Free-text reason (if required by policy)
Success | Boolean outcome of the operation
Secret Name / ID | Identifies the target credential

ℹ️ Navigate to Admin → Reports → Secret Activity, or open any secret and click the Audit tab for per-secret history.

⚙️ System Log (ADMIN)
Platform-level events including configuration changes, engine restarts, license updates, and background task outcomes.
Tags: Platform-wide · Admin only

Field | Description
Date/Time | UTC timestamp
Severity | Info, Warning, Error, Fatal
Category | Background Thread, Configuration, Security, License
Message | Human-readable description of the event
Stack Trace | Available for Error/Fatal events

⚠️ Path: Admin → System Log. Can be exported to CSV and forwarded to the SIEM via syslog.

👤 User Audit Log (SECURITY)
Records all user-level actions: login attempts, password resets, role changes, group membership updates, and MFA events.
Tags: Identity · Authentication

Field | Description
Username | Account that performed or received the action
Action Type | Login, Logout, Password Reset, Role Assign, MFA Enable/Disable
Performed By | Admin or self
IP Address | Client IP
Result | Success / Failure
Failure Reason | Bad password, locked, MFA fail, etc.

✅ Critical for SOX and ISO 27001. Use the User Audit report under Admin → Reports.

🔍 Discovery Log (DISCOVERY)
Details every discovery scan run, accounts found, import decisions, and errors encountered during automated credential discovery.
Tags: Scan-based · Per-scanner

Field | Description
Scanner Name | Discovery source/scanner identifier
Scan Start/End | Duration and timing
Status | Complete, Error, Partial
Accounts Found | Count of credentials discovered
Accounts Imported | Count brought into SS as secrets
Errors | Hosts unreachable, permissions denied, etc.

ℹ️ Path: Admin → Discovery → Discovery Log. Essential for demonstrating the scope of PAM coverage.

🎬 Session Recording Log (SESSION)
Metadata for every recorded privileged session: RDP, SSH, and web launcher sessions with keystroke indexing and playback.
Tags: Keystroke index · Video playback · Searchable

Field | Description
Session ID | Unique identifier for the recording
Protocol | RDP, SSH, HTTP/HTTPS, Telnet
User | Who launched the session
Target Host | Destination system
Duration | Session length in seconds
Keystrokes | Full indexed transcript (SSH/Telnet)
Recording File | Link to video replay

⚠️ Session metadata is stored in the database; video files are stored on the Session Recording Server. Requires the Session Recording licensed feature.

๐Ÿ—๏ธ Access Request Log
WORKFLOW
Full workflow trail for every secret access request: submitter, approvers, approval/denial decisions, and timestamps.
Workflow Multi-level
View Fields
Request IDUnique workflow ticket number
RequestorUser who submitted the request
SecretTarget credential requested
Approver(s)All approvers in the chain
DecisionApproved / Denied / Cancelled
Business ReasonJustification provided at request
Expiry TimeWhen access automatically revoked
โœ… Gold standard evidence for SOX change management and HIPAA minimum necessary access requirements.
💓 Heartbeat Log (HEALTH)
Records automated credential validation results: whether each secret's stored password still matches the target system.
Tags: Automated · Scheduled

Field | Description
Secret ID | Credential being validated
Status | Success, Failed, Unable to Connect, Pending
Last Heartbeat | Most recent check timestamp
Failure Reason | Detailed error for failed checks
RPC | Remote Password Changer used

ℹ️ Heartbeat failures indicate stale credentials, a key risk indicator for auditors. Report at Reports → Heartbeat Failures.

🔄 Password Change Log (RPC)
Tracks every remote password change (RPC) attempt: manual, scheduled, and event-driven rotations with full outcome records.
Tags: RPC · Rotation · Scheduled

Field | Description
Secret Name | Credential rotated
Change Type | Manual, Scheduled, Check-in, Auto-Change
Triggered By | User or system scheduler
Result | Success / Failed with error detail
Next Change | Scheduled next rotation time

✅ Proves password rotation policy compliance. See Admin → Reports → Remote Password Changing.

📁 Folder & Permission Log (ACCESS)
Captures all changes to folder structures, secret permissions, role assignments, and group membership affecting access controls.
Tags: RBAC · Inheritance

Field | Description
Object Type | Folder, Secret, Group, Role
Action | Permission Added, Removed, Modified
Principal | User or group affected
Permission Level | View, Edit, Owner, List
Changed By | Admin performing the change

⚠️ Critical for demonstrating least-privilege compliance. Alert on any Owner permission assignment.

📊 Report Execution Log (REPORTS)
Tracks who ran which reports, when, and with what parameters, providing a meta-audit of audit activity itself.
Tags: Meta-audit · Scheduled

Field | Description
Report Name | Which built-in or custom report was run
Run By | User executing the report
Parameters | Date ranges, filters applied
Export Format | View, CSV, PDF, Email

📡 Event Pipeline Log (SIEM)
Tracks all events dispatched to an external SIEM via syslog, CEF, LEEF, or webhook, including failures and retries.
Tags: CEF/LEEF/Syslog · Webhook

Field | Description
Event Type | Maps to the SS event code
Destination | SIEM endpoint IP/hostname
Delivery Status | Sent, Failed, Queued
Payload | CEF/LEEF/JSON formatted event data

ℹ️ Configured at Admin → Configuration → Application Settings → Syslog/SIEM.

🔗 Dependency Change Log (DEPS)
Records outcomes when dependent services (Windows Services, IIS App Pools, scheduled tasks) are updated after a password rotation.
Tags: Automation · Post-rotation

Field | Description
Dependency Type | Windows Service, IIS App Pool, COM+, Scheduled Task
Target Machine | Host where the dependency lives
Status | Success, Failure, Skipped
Error Message | Detailed failure reason

🛠️ Configuration Audit Log (CONFIG)
Captures every change made to Secret Server platform configuration: policies, password requirements, LDAP/AD sync settings, and more.
Tags: Policy changes · Admin actions

Field | Description
Setting Name | Configuration key changed
Old Value | Previous setting value
New Value | Updated setting value
Changed By | Admin account responsible
Timestamp | UTC date/time of change

⚠️ Configuration changes that reduce security controls should trigger immediate SIEM alerts.

📬 Inbox & Notifications Log (NOTIFY)
Logs all system-generated email and in-app notifications: expiry warnings, heartbeat alerts, approval requests, and security alerts.
Tags: Email · In-app · Webhook

Field | Description
Notification Type | Expiry, Heartbeat Fail, Approval, Security Alert
Recipient(s) | User(s) or group(s) notified
Channel | Email, In-app, Webhook
Sent At | Delivery timestamp


Secret Activity Logs: Deep Dive

The most-used audit log for compliance. Every interaction with a secret is captured and retained.

The Secret Activity Log is the per-credential audit trail and is accessible in two ways: globally from the Reports menu and per secret from the secret's Audit tab. It cannot be disabled for individual secrets when logging is enabled platform-wide.

✅ Secret Activity logs are immutable within Secret Server: users cannot delete or modify them. Admins should additionally forward them via syslog to a write-once SIEM for full tamper-evidence.

Characteristic | Detail
Retention | Stored in the Secret Server database; no automatic expiry (governed by your DB backup/retention policy)
Granularity | Every access attempt, successful or failed, is logged with actor identity and IP
Access Required | View Own Audit, View Secret Audit (role permissions), or Administrator
Tamper Protection | Database integrity + SIEM forwarding recommended
Export Formats | CSV, PDF (via browser print), API (REST/JSON)

Action Code | Description | Risk Level | Compliance Relevance
VIEW | Secret fields were viewed (password/username revealed) | HIGH | SOX, HIPAA, PCI-DSS
COPY | Password copied to clipboard | HIGH | SOX, PCI-DSS
EDIT | Secret fields were modified | CRITICAL | All frameworks
DELETE | Secret was deleted | CRITICAL | All frameworks
CHECKOUT | Exclusive check-out acquired | MEDIUM | SOX, NIST
CHECKIN | Check-out released (an automatic password change may follow) | MEDIUM | SOX, NIST
LAUNCH | Launcher (RDP/SSH/Web) session initiated | HIGH | PCI-DSS 10, HIPAA
SHARE | Secret shared with an additional user/group | HIGH | Least-privilege frameworks
EXPIRE | Secret was manually expired | MEDIUM | All frameworks
UNDELETE | Deleted secret was restored | HIGH | Change management
CONVERT | Secret type was converted | MEDIUM | Change management
ACCESS_DENIED | User attempted access but was denied | HIGH | All; alert-worthy
01 Navigate to Reports
From the top navigation bar, go to Admin → Reports. The Reports dashboard lists all built-in report categories.

02 Select Secret Activity Report
Under the Secrets category, click Secret Activity. This provides a global view across all secrets you have permission to audit.

03 Set Date Range & Filters
Filter by date range, user, action type, and secret folder. For compliance reviews, set the period to match your audit window (e.g., the last 90 days for PCI-DSS).

04 Per-Secret Audit Tab
Open any secret and click the Audit tab. This shows the full lifecycle history for that single credential and is ideal for incident investigation.

05 Export for Auditors
Click Export to CSV. Provide this file to external auditors or import it into GRC tools. Date, user, action, and IP are all included.

Use the Secret Server REST API to programmatically pull Secret Activity data for automated compliance reporting:

    # Authenticate and pull secret activity via REST API
    GET /api/v1/secret-audit?secretId={id}&startDate=2024-01-01&endDate=2024-03-31

    # Response includes:
    {
      "records": [
        {
          "dateRecorded": "2024-01-15T14:22:08Z",
          "action": "VIEW",
          "username": "jsmith@corp.com",
          "ipAddress": "10.0.1.45",
          "notes": "Incident IR-2024-041",
          "secretId": 1042,
          "secretName": "prod-db-svc-account"
        }
      ]
    }

System Logs: Platform Health & Configuration Events

System Logs capture the operational health and administrative changes to the platform itself.

Background Service Events
Background thread events cover secret expiry processing, heartbeat engine status, discovery scanner jobs, the password rotation scheduler, AD synchronization cycles, and session recording cleanup tasks. Each entry shows the thread name, outcome (Success/Error), and duration. Errors here indicate that automated controls may be failing silently.

Configuration Change Events
Any change to Secret Server platform settings is logged here, including enabling/disabling features, changing password policies, modifying LDAP/AD configuration, updating email settings, and changing security headers or TLS configuration. Old and new values are recorded. These events are extremely valuable during compliance audits to prove that security controls have not been degraded.

Severity Levels & Alerting
INFO: Normal operation events.
WARNING: Degraded operation, retry loops, near-threshold states.
ERROR: Failed operations (e.g., heartbeat engine crash, AD sync failure).
FATAL: Service-stopping events requiring immediate attention.
Best practice: forward WARNING and above to the SIEM and configure paging alerts for ERROR/FATAL.

Log Retention & Access Path
Navigate to Admin → System Log. The UI shows the most recent 1,000 entries. For full historical access, query the tbAuditLog table in the SS SQL database or export from the SIEM. System Log entries are also written to the Windows Event Log (Application category) if enabled under Admin → Configuration → Application Settings → Log to Windows Event Log.

User Audit Logs: Identity & Authentication

Tracks everything about how users interact with the platform, from login to role assignment.

Event | What's Captured | Compliance Use | Alert Priority
Successful Login | Username, source IP, timestamp, auth method (local/AD/SAML) | Access tracking, time-of-access analysis | LOW
Failed Login | Username attempted, IP, failure count, lockout status | Brute-force detection, UEBA baseline | HIGH
Account Lockout | Account locked, by whom (system/admin), timestamp | Incident response, SOX access reviews | CRITICAL
MFA Event | Method (TOTP/DUO/YubiKey), success/failure, device ID | MFA enforcement proof for PCI-DSS 8.3 | MEDIUM
Password Reset | Target account, who reset it, method (self-service/admin) | Change management, audit trail | MEDIUM
Role Assignment | Role added/removed, principal, admin performing change | Privilege creep detection, SOD review | CRITICAL
Group Membership | Group added/removed, user, timestamp | Access control change tracking | HIGH
User Created/Disabled | New or disabled account details, creator | Onboarding/offboarding compliance | HIGH
Impersonation | Admin acting as another user, target user, actions taken | Privileged operation audit trail | CRITICAL

⚠️ Segregation of Duties (SOD) Alert: Set event-based alerts on Role Assignment events, particularly Administer Users, Bypass SAML/MFA, and Unlimited Admin role grants. These should trigger real-time notifications to the Security team.

Discovery Logs: Credential Coverage Evidence

Proves to auditors that your organization has scanned for and onboarded all privileged accounts.

Discovery logs answer the auditor question "How do you know you've found all privileged accounts?" by providing scan scope, findings, and import decisions.

🖥️ Active Directory Discovery
Domain(s) scanned | All AD domains in scope
OUs traversed | Organizational unit scope
Account types | Service accounts, admin accounts, computer accounts
Unmanaged count | Accounts found but not in SS

🐧 Unix/Linux Discovery
IP ranges scanned | CIDR blocks in discovery rules
SSH accounts | Root and sudo-capable accounts
Scan credentials used | Service account performing the scan

🗄️ Database Discovery
Database type | SQL Server, Oracle, MySQL, PostgreSQL
Instances found | DB instances discovered on the network
Accounts discovered | sa, system, DBA-level accounts

☁️ Cloud Discovery
Provider | AWS, Azure, GCP
IAM roles/users | Service principals discovered
Secrets Manager | Integration with native cloud vaults

ℹ️ Auditor Tip: Run the Discovery Import Report under Admin → Discovery → Discovery Import Items to show auditors which discovered accounts were not imported, and provide business justification for the exclusions.

Session Recording Logs: Full Privileged Session Audit

Provides irrefutable evidence of exactly what was done during a privileged access session.

Capability | Detail | Auditor Value
Video Recording | Full screen capture of RDP and web launcher sessions at configurable FPS | Non-repudiation for privileged desktop actions
Keystroke Logging | Every keystroke in SSH/Telnet sessions indexed and searchable | Search for specific commands across all sessions
Command Detection | Pattern matching to alert on dangerous commands (rm -rf, net user, etc.) | Real-time threat detection plus retroactive investigation
Session Metadata | Start time, end time, user, target IP, protocol, session duration | Access timeline reconstruction
Session Termination Log | Who ended the session, normal vs. forced termination | Incident response: was the session forcibly ended?
Inactivity Detection | Auto-terminates idle sessions; logs when termination triggered | Proves automatic session timeout controls
Proxy Mode Log | Session Connector/SSH Proxy entries showing credential injection | Zero-knowledge credential usage proof

✅ Session recordings are the strongest possible evidence for compliance with PCI-DSS Requirement 10 (logging and monitoring), HIPAA audit controls, and SWIFT CSP requirements. Store recordings for at least the framework's mandated retention period (typically 1 year for PCI, 6 years for HIPAA).
๐Ÿ—๏ธ

Access & Authentication Logs

Platform-wide access control and authentication event stream.

Every API call to Secret Server is logged, enabling audit of automated integrations and scripts.

Field | Description
token_id | OAuth2 token or SDK key identifier used
endpoint | REST endpoint called (e.g., /api/v1/secrets/{id})
method | HTTP method: GET, POST, PUT, DELETE, PATCH
response_code | 200 OK, 401 Unauthorized, 403 Forbidden, etc.
client_ip | Calling system IP address
duration_ms | Request processing time

⚠️ Alert on 403 Forbidden responses to API calls: they indicate automated processes attempting to access secrets outside their permission scope.

When SAML 2.0 / SSO is configured, authentication events are captured in both Secret Server and your IdP.

Field | Description
IdP Response | SAML assertion result (success/failure)
NameID | Identifier passed from the IdP (usually email/UPN)
Assertion Attributes | Groups/roles mapped from SAML claims
Session Start | When the SS session was established
Failure Reason | Invalid assertion, expired, signature failure

MFA enforcement logs provide proof that multi-factor authentication was required and used.

MFA Provider | Log Detail Captured
TOTP (Google Auth / Authy) | OTP validation result, device enrollment status
Duo Security | Duo push/call/passcode method, device name, approval/deny
YubiKey (OTP/FIDO2) | Key serial/UID, validation server response
Email OTP | OTP sent timestamp, validated timestamp, IP
RADIUS | RADIUS server response, attribute pass-through

IP Address Allowlisting can be enforced at platform, user, and secret level. All enforcement events are logged.

Field | Description
Blocked IP | Source IP that was denied access
Policy Level | Platform, User, or Secret-level rule triggered
Target | Resource the IP attempted to access
Timestamp | When the block occurred

Additional Logging Types

Secret Server offers several more specialized logs for advanced scenarios.

🔗 Secret Template Audit Log
Tracks every modification to Secret Templates (credential schemas): field additions, removals, type changes, launcher configuration changes, and password requirement updates. Critical for proving that password complexity standards have been consistently maintained. Navigate to Admin → Secret Templates → [Template] → Audit.

🏷️ Secret Policy Audit Log
Records changes to Secret Policies, which govern checkout requirements, session recording rules, heartbeat intervals, and comment requirements. Changes here directly affect security posture; auditors should review this log to confirm no policies were weakened. Path: Admin → Secret Policy → [Policy] → Audit.

🔐 Encryption Key Audit Log
Documents all operations against the Secret Server encryption key: initialization, rotation, backup operations, and HSM integration events. The encryption key protects all stored secret values, so this log is critical for cryptographic key management compliance under PCI-DSS 3.5–3.7 and NIST SP 800-57. Path: Admin → Configuration → Security → Encryption & Backups.

📅 Secret Expiration Log
Records automatic and manual secret expiration events. Expiry forces re-entry or rotation of credentials, and this log proves that stale credentials are being eliminated. Use the Expiration Upcoming and Expired Secrets built-in reports to proactively identify issues before audits.

🤝 Workflow & Approval Log
Comprehensive record of all workflow steps in access request approval chains: who was notified, when they responded, what decision was made, and any override events. Supports four-eyes principle (dual control) compliance evidence. Available under Admin → Reports → Workflow Activity.

🌐 Web Service / Distributed Engine Log
For distributed deployments with Distributed Engines (DE), the DE log captures site connectivity status, heartbeat engine operations from remote sites, discovery jobs from distributed scanners, and RPC operations performed via the DE. Essential for organizations with geographically distributed PAM deployments. View at Admin → Distributed Engine → [Engine] → Logs.

📧 Notification & Alert Delivery Log
Tracks every email, SMS (via connector), and webhook notification dispatched: delivery status, recipient, trigger event, and delivery timestamp. Proves that security alerts and expiry notifications were sent to the appropriate personnel, addressing requirements in frameworks like NIST 800-53 IR-6 (Incident Reporting).

Built-in Audit Reports (60+)

Secret Server ships with over 60 pre-built reports. Here are the most critical for audit & compliance.

Report Name | What It Shows | Compliance Use
All Secrets by Folder | Complete inventory of all secrets with folder hierarchy | Scope documentation, inventory audit
Secret Activity (last 30 days) | All secret interactions in the period | Access review, anomaly detection
Expired Secrets | Credentials past their expiration date | Stale credential remediation
Secrets Without Heartbeat | Credentials with no automated validation | Unmanaged credential risk
Secrets Expiring Soon | Upcoming expirations in the next N days | Proactive rotation planning
Secrets With No Folder | Ungrouped secrets lacking permission inheritance | Access control governance
Checkout Log | All check-out/check-in events with duration | Exclusive access audit, SOX
Secrets with Unlimited Check-Out | Secrets allowing indefinite exclusive access | Risk assessment for auditors

Report Name | What It Shows | Compliance Use
User Audit | All user activity across the platform | General access audit
User Role Assignments | Every user and their current platform roles | Privilege review, least-privilege audit
Users With No Last Login | Dormant accounts that have never authenticated | Dormant account remediation (SOX, CIS)
Users With No MFA | Accounts without multi-factor auth enabled | PCI-DSS 8.3 compliance proof
Secret Permissions by User | All secrets a given user can access | User access review (UAR) for SOX
Group Membership | All groups and their members | RBAC review, offboarding verification
Failed Login Attempts | Authentication failures by user and IP | Brute force detection, SOC alerting
Admin Users | All accounts with administrator-level roles | Privileged account review

Report Name | Key Columns | Frequency Recommendation
Secret Access by User (Top N) | User, access count, secret name, last access | Monthly UEBA baseline
Bulk Operations Log | Bulk edits/deletes, actor, quantity affected | Weekly (high-risk actions)
Password View Count by Secret | How often each secret's password was revealed | Quarterly access review
After Hours Access | Accesses outside defined business hours | Weekly SOC review
Session Recording Activity | All recorded sessions with metadata | Continuous / on-demand
Discovery Import History | What was found and what was onboarded | After each discovery scan
Workflow Approval Audit | Request, approver, decision, time-to-approve | Monthly governance review

Report Name | What It Shows | Why Auditors Care
Heartbeat Failures | Credentials where the stored password doesn't match the target | Proves automated validation is working
RPC Failures | Failed automated password rotations | Rotation policy enforcement evidence
Inactive Secrets | Secrets not accessed in N days | Unused credential risk; candidates for retirement
Engine Health | Distributed Engine status, last contact | Platform reliability and coverage gaps
Session Recording Storage | Storage utilization and retention status | Evidence of recording capability

Secret Server supports fully custom SQL-based reports. Compliance teams can write targeted queries against the SS database to produce any custom evidence required by auditors.

    -- Example: All secrets viewed by privileged users in the last 90 days
    -- Navigate to: Admin → Reports → New Report → SQL
    SELECT
        a.DateRecorded AS 'Access Date (UTC)',
        u.DisplayName  AS 'User',
        u.UserName     AS 'Username',
        s.SecretName   AS 'Secret',
        f.FolderPath   AS 'Folder',
        a.Action       AS 'Action',
        a.Notes        AS 'Reason Provided',
        a.IpAddress    AS 'Source IP'
    FROM tbSecretAudit a
    JOIN tbUser   u ON a.UserId   = u.UserId
    JOIN tbSecret s ON a.SecretId = s.SecretId
    JOIN tbFolder f ON s.FolderId = f.FolderId
    WHERE a.DateRecorded >= DATEADD(day, -90, GETUTCDATE())
      AND a.Action IN ('VIEW', 'COPY', 'EDIT')
    ORDER BY a.DateRecorded DESC;
โ„น๏ธ Custom reports can be scheduled to email automatically to auditors or GRC systems. Use Admin โ†’ Reports โ†’ [Report] โ†’ Schedule.

Compliance Framework Mapping

Map Secret Server log types to specific requirements across 8 major frameworks.

๐Ÿฆ PCI-DSS v4.0

  • Req 8.2โ€“8.3: User & MFA logs prove unique IDs and MFA enforcement
  • Req 10.2: Secret Activity + Session Recording satisfies activity logging
  • Req 10.3: Protect audit logs โ€” forward to write-once SIEM
  • Req 10.6: Retain logs โ‰ฅ 12 months, 3 months immediately available
  • Req 12.3: Risk assessments supported by Discovery and Heartbeat logs

โš•๏ธ HIPAA Security Rule

  • ยง164.312(b): Audit controls โ€” Secret Activity and User Audit logs
  • ยง164.312(c): Integrity โ€” immutable log storage with SIEM forwarding
  • ยง164.312(d): Authentication โ€” User Audit and MFA logs
  • ยง164.312(e): Transmission security โ€” API and session logs
  • Minimum necessary access โ€” Access Request workflow log

๐Ÿ“‘ SOX (IT Controls)

  • Access reviews: User Role Assignment + Secret Permissions reports
  • Change management: Configuration Audit + Template Audit logs
  • Segregation of duties: Role Assignment alerts + Workflow log
  • Privileged access: Secret Activity (VIEW/EDIT/DELETE) + Checkout log
  • Evidence retention: Export reports quarterly for walkthroughs

๐Ÿ” NIST SP 800-53

  • AU-2/AU-3: Audit events โ€” all 14 log types satisfy event coverage
  • AU-9: Protect audit info โ€” SIEM forwarding + immutable storage
  • AU-12: Audit record generation โ€” SS logs with timestamps
  • IA-2: MFA โ€” User Audit + MFA event logs
  • AC-6: Least privilege โ€” Role + Permission audit logs

๐ŸŒ ISO/IEC 27001

  • A.9 (Access Control): User Audit, Role Assignment, Permission logs
  • A.12.4 (Logging): All log types cover monitoring requirements
  • A.12.4.3: Admin & operator logs โ€” System Log + User Audit
  • A.16 (Incidents): Session Recording + Event Pipeline for IR
  • A.18 (Compliance): Reports + compliance mapping documentation

๐Ÿ›๏ธ CIS Controls v8

  • CIS 5 (Account Management): User Audit + discovery logs
  • CIS 6 (Access Control): Role + Permission + Request logs
  • CIS 8 (Audit Log Management): SIEM pipeline + retention policy
  • CIS 12 (Network Monitoring): Session Recording proxy logs
  • CIS 18 (Pen Testing): Discovery + Heartbeat failure reports

๐Ÿ’ณ SWIFT CSP (CSCF)

  • 5.1 Logical Access Controls: User Audit + Role Assignment logs
  • 6.1 Operator Security: Session Recording for all operator sessions
  • 6.2 Software Security: Config Audit log for change evidence
  • 6.5A Defense Against Cyber Attacks: Event pipeline to SIEM
  • 7.1 Vulnerability Scanning: Discovery log coverage

๐Ÿ—๏ธ FedRAMP / FISMA

  • AU family: All 14 log types map to AU control family
  • AC-17: Remote access โ€” Session Recording + API access logs
  • IA-8: MFA for non-org users โ€” MFA and SAML logs
  • SI-4: System monitoring โ€” SIEM pipeline from event log
  • CM-3: Change control โ€” Configuration Audit log

SIEM Integration: Real-Time Log Forwarding

Forward all Secret Server events to your SIEM for centralized, tamper-resistant storage.

01 Enable Syslog in Secret Server
Go to Admin → Configuration → Application Settings. Enable Syslog/SIEM. Set the SIEM server IP, port (typically 514 UDP or 6514 TCP/TLS), and format (CEF, LEEF, or generic syslog).

02 Choose Log Format
CEF (Common Event Format) for Splunk, ArcSight, and QRadar. LEEF (Log Event Extended Format) for native IBM QRadar ingestion. Syslog RFC 5424 for generic SIEM parsers. Delinea also supports JSON over HTTP webhooks for cloud SIEMs (Sentinel, Chronicle).

03 Select Events to Forward
All events can be forwarded. For targeted alerting, configure event subscriptions: Secret Access, User Auth, Admin Actions, Config Changes, Session Events. Navigate to Admin → Event Subscriptions to map events to notification rules.

04 Verify Delivery & Set Retention
Check the Event Pipeline Log for delivery confirmation. In your SIEM, set retention to match your compliance mandate: a minimum of 12 months for PCI-DSS and 6 years for HIPAA records. Archive to cold storage after the primary retention period.

Example CEF event for a Secret VIEW action:

    # CEF Format (ArcSight / Splunk)
    CEF:0|Delinea|SecretServer|11.0|SS-AUDIT|Secret View|5| src=10.0.1.45 suser=jsmith@corp.com dhost=secretserver.corp.com outcome=success msg=Secret "prod-db-svc" viewed by jsmith@corp.com cs1=prod-db-svc cs1Label=SecretName cs2=1042 cs2Label=SecretID cs3=Database/Production cs3Label=FolderPath rt=1705329728000

    # JSON Webhook Format (Microsoft Sentinel / Chronicle)
    {
      "event": "secret.viewed",
      "timestamp": "2024-01-15T14:22:08Z",
      "actor": "jsmith@corp.com",
      "sourceIp": "10.0.1.45",
      "secretId": 1042,
      "secretName": "prod-db-svc",
      "result": "success"
    }
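A parser for the CEF layout above that turns one event into the JSON webhook shape, added here as an example; it is not Delinea code. The sample line is constructed in the page's layout, and the event-name mapping beyond the "Secret View" → "secret.viewed" pair shown above is an assumption.

```python
"""Parse a Secret Server CEF event and convert it to the JSON webhook shape.
Added example, not Delinea code; the sample line below is constructed."""
import json
import re
from datetime import datetime, timezone

# Constructed sample in the same layout as the CEF event above; rt is epoch milliseconds.
SAMPLE_CEF = (
    'CEF:0|Delinea|SecretServer|11.0|SS-AUDIT|Secret View|5|'
    'src=10.0.1.45 suser=jsmith@corp.com dhost=secretserver.corp.com '
    'outcome=success msg=Secret "prod-db-svc" viewed by jsmith@corp.com '
    'cs1=prod-db-svc cs1Label=SecretName cs2=1042 cs2Label=SecretID '
    'cs3=Database/Production cs3Label=FolderPath rt=1705328528000'
)

HEADER_FIELDS = ("cef_version", "vendor", "product", "version",
                 "signature_id", "name", "severity")
# Assumed mapping of CEF event names to webhook event names; only the
# "Secret View" -> "secret.viewed" pair comes from the page itself.
EVENT_NAMES = {"Secret View": "secret.viewed"}
# A key starts at the beginning of the extension or after whitespace; values may
# contain spaces, so each value runs until the next "key=" token.
_KEY_RE = re.compile(r'(?:^|\s)([A-Za-z0-9_.]+)=')


def _unescape(value):
    """Undo CEF extension escapes: '\\=' -> '=', '\\\\' -> '\\', '\\n'/'\\r' -> newlines."""
    return re.sub(r'\\(.)', lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line):
    """Return (header dict, extension dict) for one CEF line; '\\|' is a literal pipe."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts, buf, i = [], [], 4  # skip the "CEF:" prefix
    while i < len(line) and len(parts) < len(HEADER_FIELDS):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            buf.append(line[i + 1]); i += 2
        elif ch == "|":
            parts.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(ch); i += 1
    if len(parts) < len(HEADER_FIELDS):
        raise ValueError("truncated CEF header")
    header = dict(zip(HEADER_FIELDS, parts))
    if header["severity"].isdigit():
        header["severity"] = int(header["severity"])
    ext_text = line[i:]
    matches = list(_KEY_RE.finditer(ext_text))
    ext = {}
    for n, m in enumerate(matches):
        end = matches[n + 1].start() if n + 1 < len(matches) else len(ext_text)
        ext[m.group(1)] = _unescape(ext_text[m.end():end].strip())
    # Resolve custom strings by their labels, e.g. cs1Label=SecretName -> ext["SecretName"].
    for key in list(ext):
        if key.endswith("Label"):
            ext[ext[key]] = ext.get(key[:-5])
    return header, ext


def cef_to_webhook(line):
    """Build the JSON webhook document shown above from a CEF line."""
    header, ext = parse_cef(line)
    ts = datetime.fromtimestamp(int(ext["rt"]) / 1000, tz=timezone.utc)
    return {
        "event": EVENT_NAMES.get(header["name"], header["name"].lower().replace(" ", ".")),
        "timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "actor": ext.get("suser"),
        "sourceIp": ext.get("src"),
        "secretId": int(ext["SecretID"]) if "SecretID" in ext else None,
        "secretName": ext.get("SecretName"),
        "result": ext.get("outcome"),
    }


if __name__ == "__main__":
    print(json.dumps(cef_to_webhook(SAMPLE_CEF), indent=2))
```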

These are the highest-priority SIEM alert rules to configure for Secret Server events:

Alert Rule | Trigger Condition | Priority
Mass Secret Access | >20 secret views by 1 user in 5 min | P1
Admin Role Granted | Any Administer Users or Unlimited Admin role assigned | P1
Configuration Weakened | Security config change that reduces restrictions | P1
Secret Bulk Delete | >5 secrets deleted in a single session | P1
After-Hours Privileged Access | Secret VIEW/EDIT outside 08:00–18:00 local | P2
Authentication Brute Force | >5 failed logins in 10 min from same IP | P2
Discovery Scope Reduction | Discovery scanner range reduced or disabled | P2
Heartbeat Engine Down | Heartbeat background thread Error/Fatal in system log | P2
Session Recording Disabled | Session recording policy changed to off | P1
MFA Bypass | Bypass MFA role granted to any account | P1
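The three count- and time-based rules from the table (Mass Secret Access, Authentication Brute Force, After-Hours Privileged Access) evaluated over audit records, added as an example rather than Delinea code. Secret-activity records use the REST response field names shown earlier on this page; the login records' result field and every sample event are constructed, and local business hours are assumed to be in UTC.

```python
"""Evaluate three of the SIEM alert rules above over Secret Server audit records.
Added example, not Delinea code. All sample events are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

BASE = datetime(2024, 1, 15, 14, 0, tzinfo=timezone.utc)
BUSINESS_HOURS = (8, 18)   # 08:00-18:00 local, from the After-Hours rule above
LOCAL_TZ = timezone.utc    # assumption for the demo: local time is UTC


def iso_ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample: 21 VIEWs by one user ten seconds apart, one EDIT at 22:30 UTC,
# and six failed logins from one IP one minute apart (login shape is an assumption).
SECRET_ACTIVITY = [
    {"dateRecorded": iso_ts(BASE + timedelta(seconds=10 * n)), "action": "VIEW",
     "username": "jsmith@corp.com", "ipAddress": "10.0.1.45", "secretId": 1000 + n}
    for n in range(21)
] + [
    {"dateRecorded": "2024-01-15T22:30:00Z", "action": "EDIT",
     "username": "admin@corp.com", "ipAddress": "10.0.1.9", "secretId": 1042},
]
USER_AUDIT = [
    {"dateRecorded": iso_ts(BASE + timedelta(minutes=n)), "action": "Login",
     "username": "user%d@corp.com" % n, "ipAddress": "203.0.113.7", "result": "Failure"}
    for n in range(6)
]

# Sliding-window rules: (name, priority, event filter, grouping field, threshold, window).
# A rule fires when MORE than `threshold` matching events share one grouping value
# inside `window`, i.e. the ">20 in 5 min" and ">5 in 10 min" conditions above.
WINDOW_RULES = [
    ("Mass Secret Access", "P1", lambda r: r["action"] == "VIEW",
     "username", 20, timedelta(minutes=5)),
    ("Authentication Brute Force", "P2",
     lambda r: r["action"] == "Login" and r.get("result") == "Failure",
     "ipAddress", 5, timedelta(minutes=10)),
]


def window_alerts(records, name, priority, keep, key, threshold, window):
    """Fire once per grouping value, the first time its window count exceeds threshold."""
    alerts, recent, fired = [], defaultdict(deque), set()
    for r in sorted(records, key=lambda r: r["dateRecorded"]):
        if not keep(r):
            continue
        ts, group = parse_ts(r["dateRecorded"]), r[key]
        q = recent[group]
        q.append(ts)
        while ts - q[0] > window:          # drop events that fell out of the window
            q.popleft()
        if len(q) > threshold and group not in fired:
            fired.add(group)
            alerts.append({"rule": name, "priority": priority, "key": group,
                           "count": len(q), "at": r["dateRecorded"]})
    return alerts


def after_hours_alerts(records):
    """After-Hours Privileged Access (P2): VIEW/EDIT outside business hours, local time."""
    alerts = []
    for r in records:
        if r["action"] not in ("VIEW", "EDIT"):
            continue
        hour = parse_ts(r["dateRecorded"]).astimezone(LOCAL_TZ).hour
        if not BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]:
            alerts.append({"rule": "After-Hours Privileged Access", "priority": "P2",
                           "key": r["username"], "count": 1, "at": r["dateRecorded"]})
    return alerts


def evaluate(records):
    """Run every rule over one combined list of audit records; P1 alerts sort first."""
    alerts = []
    for name, prio, keep, key, threshold, window in WINDOW_RULES:
        alerts += window_alerts(records, name, prio, keep, key, threshold, window)
    alerts += after_hours_alerts(records)
    return sorted(alerts, key=lambda a: (a["priority"], a["at"]))


if __name__ == "__main__":
    for a in evaluate(SECRET_ACTIVITY + USER_AUDIT):
        print("%s %-30s %-18s count=%d at %s"
              % (a["priority"], a["rule"], a["key"], a["count"], a["at"]))
```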

Auditor Best Practices

Proven strategies for leveraging Secret Server audit logs during compliance assessments and investigations.

01 Establish Log Forwarding Before the Audit Period Begins
Ensure SIEM forwarding is configured before audit scope periods start. Auditors often request 90-day or 12-month windows. Logs held only in the SS database are subject to database access restrictions; SIEM copies are independent of SS access and provide tamper-evidence.

02 Run User Access Reviews (UARs) Quarterly
Use the Secret Permissions by User and User Role Assignments reports. Export to CSV and have business owners certify that each user's access level is appropriate. This directly satisfies SOX and ISO 27001 A.9 periodic access review requirements.

03 Enable and Enforce "Reason Required" Comments
Configure Secret Policies to require a comment/reason when viewing privileged passwords. This populates the Notes field of every Secret Activity log entry, turning raw access logs into meaningful audit evidence with a business justification attached to each access event.

04 Use the Checkout Workflow for High-Risk Secrets
Exclusive checkout means only one user can hold a privileged credential at a time. The Checkout Log provides precise timestamps of who held each credential and for exactly how long, which is ideal for the change-window accountability required by SOX and ITIL change management.

05 Document "Unmanaged Account" Discovery Findings
Run Discovery scans before audits and export the Discovery Import Report. Accounts found but not onboarded must have documented business justification. This satisfies auditor questions about PAM scope and provides evidence that all privileged accounts have been identified.

06 Schedule Critical Reports to Auto-Email
Schedule Heartbeat Failures, Expired Secrets, and Users With No MFA to email the security team weekly. This demonstrates continuous monitoring rather than point-in-time snapshots, which is specifically required by frameworks such as NIST 800-53 CA-7 (Continuous Monitoring).

07 Preserve Session Recordings for the Full Retention Period
Configure the Session Recording Server's retention policy to align with your longest compliance mandate. PCI-DSS requires 12 months; HIPAA requires 6 years. Use tiered storage: hot storage for 90 days (immediate playback) plus cold archive for the remainder. Recordings are your strongest non-repudiation evidence.

08 Test Log Completeness Regularly
Periodically perform test accesses (view a test secret, trigger a failed login) and verify that those events appear in both the SS UI and the SIEM within the expected latency. This proves to auditors that logging is actively functioning, not just configured. Document these tests as part of your continuous monitoring program.


Audit Readiness Checklist

Use this checklist before every compliance audit.

Category: Log Infrastructure

  • SIEM / Syslog forwarding is enabled and delivery verified within the last 30 days
    Admin → Configuration → Application Settings → Syslog/SIEM
  • Log retention in the SIEM meets the compliance mandate (minimum 12 months)
    Check SIEM retention policy documentation
  • SS database backups are current and include the tbSecretAudit table
    Admin → Backup → Verify last backup timestamp
  • Session Recording server has sufficient storage and recordings are retained
    Admin → Session Recording → Storage Status

Category: Access Review Evidence

  • User Access Review (UAR) completed for the audit period using the Secret Permissions by User report
    Admin → Reports → Secret Permissions by User → Export CSV
  • All users with admin-level roles are documented and approved by management
    Admin → Reports → Admin Users → Export and get sign-off
  • All terminated employees have been removed/disabled in Secret Server
    Admin → Reports → Users With No Last Login → cross-reference with HR
  • MFA is enforced for all users, especially privileged administrators
    Admin → Reports → Users With No MFA → remediate any exceptions

Category: Credential Management

  • No active heartbeat failures: all credential validations passing
    Admin → Reports → Heartbeat Failures → should be zero or documented
  • No expired secrets in production folders
    Admin → Reports → Expired Secrets → remediate or document exceptions
  • Password rotation policy is enforced: RPC failure count is below threshold
    Admin → Reports → RPC Failures → investigate any failures
  • Discovery scan has been run within the last 30 days with findings documented
    Admin → Discovery → Discovery Log → export latest scan results

Category: Evidence Packages for Auditors

  • Secret Activity report exported for the audit period (CSV)
    Admin → Reports → Secret Activity → set audit period → Export CSV
  • User Audit log exported for the audit period
    Admin → Reports → User Audit → Export CSV
  • Configuration Audit log exported showing no unauthorized changes
    Admin → System Log + Configuration Audit → Export
  • Access Request workflow log exported showing approval evidence
    Admin → Reports → Workflow Activity → Export CSV
  • Session Recording metadata exported and sample recordings available for auditor review
    Admin → Reports → Session Recording Activity → Export
🎓 Training Complete! You now have a comprehensive understanding of all 14 logging options in Delinea Secret Server, the 60+ built-in reports, SIEM integration patterns, and how to leverage audit logs across 8 compliance frameworks. Use the checklist above before every external audit.