Using Splunk, customers want to set up monitoring of the CA Strong/Risk Authentication logs for failure/exception events.  The question is two part 

1. Customer wants to know if there are known slew of exceptions they can configure Splunk to monitor failures ?

2. Customer wants to know if any specific configuration from Product point of view to use Splunk for monitoring ? 

Release :

Component : AuthMinder(Arcot WebFort)

For both the questions the answer is "No"  

1. AA does not require any specific configuration to use Splunk. 

2. Exceptions to monitor are not called out as every customers authentication flow and architecture (say Distributed or not, using Load Ba-lancers or not etc) can be different. 

Spunk requires no product related set up. Just point Splunk to product logs and set up monitoring. So at a high level identify the Authentication flows and  CA Strong/Risk Authentication components that are used in your authentication flow. For example 

1. Adaptershim (arcotadaptershim.log) -- if siteminder integrated

2. SMPS (smps.log) ---  if siteminder integrated

2. UDS (arcotuds.log)

3. AFM (arcotafm.log)

4. SM (arcotsm.log)

5. RiskMinder (arotriskfort.log)

6. Authminder (arcotwebfort.log) 

Use the docops.ca.com links to review the error codes for various components and configure Splunk to point to these logs for any error code as called called out in this documentation or your current logs.