
Tech Tip: Integrating Splunk with PAM

Discussion created by voged01 Employee on Mar 2, 2018
Latest reply on Apr 19, 2018 by prira01

There are two ways to integrate Splunk with PAM. The first is to configure your Splunk server as a syslog server. On the Config --> Logging page, you can configure up to two systems as syslog servers, and one of these may be your Splunk server. Once this is running you can filter on the syslog entries in Splunk. By default, this method uses the standard syslog port, UDP 514. You may change it to match the port on which Splunk is configured to receive syslog.


The second method is to use PAM's built-in Splunk Forwarder. This depends on you configuring a receiver in Splunk, which will require you to specify a TCP port. You'll then configure the address and port on the Config --> 3rd Party page. The link below is to the Splunk Configuration page in the PAM wiki. https://docops.ca.com/ca-privileged-access-manager/3-1-1/EN/implementing/configure-your-server/logging-server-activity/splunk-server-configuration-for-logging


There is nothing further for you to configure in PAM. PAM will essentially send messages corresponding to what goes into the Session Log, regardless of which method you choose. There may not be a 100% match, but it should be close.
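Before pointing PAM at a production Splunk input, it helps to confirm that messages actually arrive on the chosen port and that they parse as expected. The script below is an added example, not code from the original post or from CA/Splunk: it briefly listens on a UDP port (method 1) or a TCP port (method 2), collects a few records, and decodes RFC 3164-style syslog lines into facility, severity, host, tag and message. It assumes PAM's syslog output follows the common `<PRI>Mmm dd hh:mm:ss host tag[pid]: message` shape and that the forwarder method sends newline-delimited text; both are assumptions, since the post does not describe the message format. The sample lines embedded at the bottom are constructed for the self-test, not real PAM output.

```python
"""Verify that PAM log records reach the port Splunk will own, and decode them.

Added example (not CA/Broadcom or Splunk code). Assumes RFC 3164-shaped
syslog lines; the constructed sample lines below are for the self-test only.
"""
import re
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional

# Standard syslog facility and severity names, indexed by their numeric codes.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + [f"local{i}" for i in range(8)]

# <PRI>Mmm dd hh:mm:ss host tag[pid]: message   (pid is optional)
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)


@dataclass
class SyslogEvent:
    facility: str
    severity: str
    timestamp: str
    host: str
    tag: str
    pid: Optional[int]
    message: str


def parse_syslog(line: str) -> SyslogEvent:
    """Decode one RFC 3164 line; PRI = facility * 8 + severity."""
    m = _RFC3164.match(line.strip())
    if not m:
        raise ValueError(f"not an RFC 3164 syslog line: {line!r}")
    pri = int(m["pri"])
    if pri > 191:  # 23 facilities * 8 + 7 is the largest valid PRI
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return SyslogEvent(FACILITIES[facility], SEVERITIES[severity], m["ts"],
                       m["host"], m["tag"], int(m["pid"]) if m["pid"] else None,
                       m["msg"])


def collect_records(proto: str, port: int, count: int = 5, timeout: float = 30.0,
                    bind_addr: str = "0.0.0.0") -> List[str]:
    """Listen on the port Splunk would use (stop Splunk's input first, or use a
    spare port on a test host) and return up to `count` raw text records."""
    records: List[str] = []
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.bind((bind_addr, port))
            s.settimeout(timeout)
            try:
                while len(records) < count:
                    data, _ = s.recvfrom(65535)
                    records.append(data.decode("utf-8", "replace"))
            except socket.timeout:
                pass
    elif proto == "tcp":
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
            srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            srv.bind((bind_addr, port))
            srv.listen(1)
            srv.settimeout(timeout)
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                return records
            with conn:
                conn.settimeout(timeout)
                buf = b""
                try:
                    while len(records) < count:
                        chunk = conn.recv(4096)
                        if not chunk:
                            break
                        buf += chunk
                        while b"\n" in buf and len(records) < count:
                            line, buf = buf.split(b"\n", 1)
                            records.append(line.decode("utf-8", "replace"))
                except socket.timeout:
                    pass
    else:
        raise ValueError("proto must be 'udp' or 'tcp'")
    return records


def severity_summary(records: List[str]) -> Dict[str, int]:
    """Count parseable records per severity; unparseable ones land in 'unparsed'."""
    summary: Dict[str, int] = {}
    for rec in records:
        try:
            key = parse_syslog(rec).severity
        except ValueError:
            key = "unparsed"
        summary[key] = summary.get(key, 0) + 1
    return summary


# Constructed sample lines (not real PAM output) for an offline self-test.
SAMPLE_LINES = [
    "<86>Mar  2 10:15:42 pam-appliance pam[2210]: user alice started session to db01",
    "<14>Apr 19 08:00:01 pam-01 PAM: session closed",
    "<84>Mar  2 10:16:03 pam-appliance pam[2210]: login failure for user bob",
    "garbage line that Splunk would still index as raw text",
]

if __name__ == "__main__":
    for ev in (parse_syslog(l) for l in SAMPLE_LINES[:3]):
        print(ev)
    print(severity_summary(SAMPLE_LINES))
    # Live check, e.g. on a test host: print(collect_records("udp", 514, count=3))
```

Run the live check on the host that Splunk will listen on, with Splunk's input stopped or on a spare port, then trigger a PAM login or session so something is emitted. Two things worth noting from a defender's side: the UDP syslog method carries no authentication or transport encryption, so the Splunk receiver should sit on a network segment where only the PAM appliance can reach it, and any records that land in the `unparsed` bucket are still indexed by Splunk as raw text, so filters built on extracted fields will silently miss them.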


This should get you going, but if you still have problems please open a Support ticket.
