Here are the complete steps for both Splunk and PAM:
- Splunk Server:
Run the following command:
/opt/splunk/bin/splunk add udp 516 -sourcetype syslog
Note: you will be prompted for your admin credentials.
- PAM Server:
In the PAM UI, go to "Configuration" >> Logs >> Syslog.
Here, set "Hostname or IP Address" to the Splunk server and the port to 516 (or the port number you configured above).
Then click Update.
- Generate some log events to be forwarded:
Example: log out of PAM and log back in.
To verify that the messages were forwarded: on the Splunk Home page, click "Search & Reporting" >> "Data Summary". The PAM hostname should be listed there, with messages arriving from PAM.
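The following script is an added example, not part of the original post or of Splunk or PAM. It covers the procedure above from the Splunk side: it looks for the [udp://516] stanza with sourcetype = syslog that "splunk add udp 516 -sourcetype syslog" writes into an inputs.conf under SPLUNK_HOME, and it sends one constructed RFC 3164 test datagram to the input so you can confirm the listener works before depending on PAM's own login events. Assumptions: SPLUNK_HOME defaults to /opt/splunk, the hostname "pam01" and the message text are constructed, and the facility/severity values are illustrative.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): check the Splunk UDP syslog input
# and send/decode a constructed test syslog message.
# Assumptions: SPLUNK_HOME defaults to /opt/splunk; host "pam01" and the message
# text below are constructed, not real PAM output.
set -u

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# input_configured FILE PORT
# Returns 0 when FILE (an inputs.conf) has a [udp://PORT] stanza whose
# sourcetype is syslog, 1 otherwise. Whitespace around "=" is ignored.
input_configured() {
  local file="$1" port="$2"
  [ -r "$file" ] || return 1
  awk -v want="[udp://${port}]" '
    /^\[/     { in_stanza = ($0 == want); next }
    in_stanza { line = $0; gsub(/[ \t]/, "", line)
                if (line == "sourcetype=syslog") found = 1 }
    END       { exit found ? 0 : 1 }
  ' "$file"
}

# find_udp_input PORT
# Searches every inputs.conf under SPLUNK_HOME/etc and prints the first file
# that declares the stanza (the CLI normally writes etc/apps/search/local/inputs.conf).
find_udp_input() {
  local port="$1" f
  while IFS= read -r f; do
    if input_configured "$f" "$port"; then printf '%s\n' "$f"; return 0; fi
  done < <(find "$SPLUNK_HOME/etc" -name inputs.conf 2>/dev/null)
  return 1
}

# build_syslog_line FACILITY SEVERITY HOST TAG MSG [TIMESTAMP]
# Builds an RFC 3164 line "<PRI>TIMESTAMP HOST TAG: MSG", PRI = facility*8 + severity.
build_syslog_line() {
  local facility="$1" severity="$2" host="$3" tag="$4" msg="$5"
  local ts="${6:-$(date '+%b %e %H:%M:%S')}"
  printf '<%d>%s %s %s: %s' "$((facility * 8 + severity))" "$ts" "$host" "$tag" "$msg"
}

# decode_pri LINE
# Prints "facility=F severity=S" for a line that starts with a numeric <PRI>;
# returns 1 for anything else, so a malformed test message is noticed.
decode_pri() {
  local line="$1" pri
  case "$line" in
    \<[0-9]*\>*) ;;
    *) return 1 ;;
  esac
  pri="${line#<}"; pri="${pri%%>*}"
  case "$pri" in ''|*[!0-9]*) return 1 ;; esac
  printf 'facility=%d severity=%d' "$((pri / 8))" "$((pri % 8))"
}

# send_udp_syslog HOST PORT LINE
# Sends LINE as one datagram through bash's /dev/udp pseudo-device (no nc needed).
send_udp_syslog() {
  local host="$1" port="$2" line="$3"
  printf '%s' "$line" > "/dev/udp/${host}/${port}"
}

# Demo: runs only when SPLUNK_HOST is set, e.g.
#   SPLUNK_HOST=splunk.example.internal PORT=516 bash pam_syslog_check.sh
if [ -n "${SPLUNK_HOST:-}" ]; then
  port="${PORT:-516}"
  if f=$(find_udp_input "$port"); then
    echo "Splunk input [udp://$port] with sourcetype syslog found in $f"
  else
    echo "No [udp://$port] syslog stanza under $SPLUNK_HOME/etc (run this on the Splunk server)" >&2
  fi
  # Constructed test event; real PAM messages differ in tag and text.
  msg=$(build_syslog_line 4 6 pam01 PAM "syslog forwarding test from PAM")
  send_udp_syslog "$SPLUNK_HOST" "$port" "$msg" && echo "sent: $msg ($(decode_pri "$msg"))"
fi
```

Run it on the Splunk server with SPLUNK_HOST pointing at the listener address, then search for the test event with something like `index=* sourcetype=syslog host=pam01` (the host field will be whatever Splunk extracts from the message or the sender's IP, depending on the input's connection_host setting). Two things worth knowing when you choose the port: Splunk running as a non-root user cannot bind a UDP port below 1024 without extra privileges, and UDP syslog carries no encryption or sender authentication, so the PAM-to-Splunk path should stay on a trusted management network.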