CA PAM and Splunk integration

Article ID: 126311


Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager (PAM)

Issue/Introduction

A PAM administrator needs to integrate PAM with Splunk and wants to understand the steps.

Environment

PAM 3.x, 4.x

Resolution

In Splunk, set up a TCP data input:

  1. Log in to Splunk as an admin user.

  2. Click on "Settings".

  3. Locate the "Data" --> "Indexes" section.

  4. Create a new index for CA PAM so that searches are easy to perform, and leave the default options in place. You can also create the index later. If you need to change the index options, refer to the Splunk documentation.

  5. Next, locate the "Data" --> "Data inputs" section.

  6. On the "Local inputs" page, locate "TCP" and click the "+Add new" symbol to add a new TCP input.

  7. Choose the protocol "TCP" and provide the required inputs.

  8. Select the source as "syslog" and follow the instructions.

  9. For the index, select the index that was created earlier; if none was created, create one now by clicking "Create a new index".

  10. Review the settings before the final submission.

  11. Follow the next steps to complete the process. Once completed, a confirmation is displayed.
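
The same Splunk-side setup expressed as configuration files, as an added example that is not part of the original article. The index name `ca_pam`, port 5514 and source address 192.0.2.10 are assumed placeholder values, and the `acceptFrom` line is an added restriction that the GUI steps above do not set.

```ini
# --- $SPLUNK_HOME/etc/system/local/indexes.conf ---
# Dedicated index for CA PAM events (step 4).
# "ca_pam" is an assumed name; the three paths are Splunk's required settings.
[ca_pam]
homePath   = $SPLUNK_DB/ca_pam/db
coldPath   = $SPLUNK_DB/ca_pam/colddb
thawedPath = $SPLUNK_DB/ca_pam/thaweddb

# --- $SPLUNK_HOME/etc/system/local/inputs.conf ---
# TCP input (steps 6 to 9). Port 5514 is an assumed value; enter the same
# port on the PAM side under Configuration > 3rd Party > Splunk.
[tcp://:5514]
# Source type chosen in step 8.
sourcetype = syslog
# Index chosen in step 9.
index = ca_pam
# Record the sender's IP address as the event's host field.
connection_host = ip
# Added restriction: accept connections only from the PAM appliance.
# 192.0.2.10 is a placeholder; replace it with the appliance's address.
acceptFrom = 192.0.2.10
```

Restart Splunk after editing these files so the new index and input are loaded.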




In PAM:

  1. Log in as an admin user.
  2. Click on "Configuration".
  3. Click on "3rd Party".
  4. Click "Splunk".
  5. Click "Add".
  6. Add the Splunk server name or IP address and the port you configured in the steps above.
  7. Click OK.

Restart the network and/or the PAM appliance.

Additional Information

Alternatively, if you are looking to integrate with Splunk via Syslog, see KB 97550.