Questions about the remote syslog option in PAM
Release : 3.4
Component : PRIVILEGED ACCESS MANAGEMENT
Question
I need to send to my syslog server only the PAM's AUDIT log. Is it possible? How?
Then I also need to estimate the daily log volume for PAM's application log. How can I do that?
Answer
For the first question: PAM has only an on/off switch for syslog server integration. Any filtering has to be done on the syslog server side.
Regarding the second question:
PAM-internal syslog traffic is minimal; the volume is driven by user activity, which is customer-specific. Checking the daily number of session log messages and reviewing the various Credential Management reports for daily activity will give a good idea of how much traffic volume there will be to the syslog server.
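One way to measure the volume on the receiving side during a trial period, and to see how much a server-side keep filter would retain, is sketched below as an added example (not part of the original article and not PAM code). The host name `pam01`, the sample lines and the `AUDIT-PLACEHOLDER` pattern are constructed assumptions; real PAM message text will differ, so derive the pattern from messages your appliance actually sends.

```python
import re
from collections import defaultdict

# RFC 3164-style line as written to disk by the receiving syslog daemon:
# "Mmm dd hh:mm:ss host message"
LINE_RE = re.compile(
    r"^(?P<day>[A-Z][a-z]{2} [ \d]\d) \d\d:\d\d:\d\d (?P<host>\S+) (?P<msg>.*)$"
)

# Constructed sample input; NOT real PAM output.
SAMPLE = [
    "Mar  3 09:15:02 pam01 example: AUDIT-PLACEHOLDER user=alice login",
    "Mar  3 09:15:40 pam01 example: session 17 opened",
    "Mar  3 09:16:00 web01 nginx: GET /",
    "Mar  4 10:00:00 pam01 example: AUDIT-PLACEHOLDER user=bob logout",
]

def daily_volume(lines, pam_host, keep_pattern=None):
    """Per-day message and byte counts for one sender.

    keep_pattern (hypothetical) models a server-side filter: the kept_*
    counters show what would remain if only matching messages were stored.
    """
    keep = re.compile(keep_pattern) if keep_pattern else None
    stats = defaultdict(lambda: {"messages": 0, "bytes": 0,
                                 "kept_messages": 0, "kept_bytes": 0})
    for raw in lines:
        line = raw.rstrip("\n")
        m = LINE_RE.match(line)
        if not m or m.group("host") != pam_host:
            continue  # unparsable line or a different sender
        size = len(line.encode("utf-8")) + 1  # +1 for the newline on disk
        day = stats[m.group("day")]
        day["messages"] += 1
        day["bytes"] += size
        if keep is None or keep.search(m.group("msg")):
            day["kept_messages"] += 1
            day["kept_bytes"] += size
    return dict(stats)

def peak_daily_bytes(stats, field="bytes"):
    """Largest daily total, the figure to size storage or licensing against."""
    return max((d[field] for d in stats.values()), default=0)

if __name__ == "__main__":
    result = daily_volume(SAMPLE, "pam01", keep_pattern=r"AUDIT-PLACEHOLDER")
    for day, counters in result.items():
        print(day, counters)
    print("peak bytes/day:", peak_daily_bytes(result))
```

Run it against a file the syslog server has collected over several representative working days, passing the open file object as `lines`.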