Questions about the remote syslog option in PAM

Question

I need to send to my syslog server only the PAM's AUDIT log. It's possible? How?

Then I also need to estimate the daily log volume for PAM's application log. How can I do that?

Release : 3.4

Component : PRIVILEGED ACCESS MANAGEMENT

For the first question, In PAM there is only an on/off switch for syslog server integration. Any filtering has to be done on the syslog server side.

Regarding the second question:
PAM-internal syslog traffic is minimal, the volume is driven by user activity, which is customer-specific. Checking the daily number of session log messages, and reviewing the various Credential Management reports for daily activity will give a good idea on how much traffic volume there will be to the syslog server.