How to: Forward PAM's syslog to Splunk for data analytics

Article ID: 97550


Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager (PAM)

Issue/Introduction

How do I forward PAM's syslog messages to Splunk?

The IT department has a business requirement to forward PAM's syslog to Splunk for data analytics.

Environment

PAM 3.x, 4.x

Resolution

Here are the complete steps for both Splunk and PAM:

  1. Splunk Server:

     Run the following command on the Splunk server:

     /opt/splunk/bin/splunk add udp 516 -sourcetype syslog

     Note: you will be prompted for your admin credentials. This creates a UDP network input listening on port 516 with the sourcetype "syslog".

  2. PAM Server:

     In the PAM UI, go to Configuration >> Logs >> Syslog.

     Configure the "Hostname or IP Address" with the Splunk server and set the port to 516 (or the port number you configured above).

     Then click Update.

  3. Force some logging updates to be forwarded:

     Example: log out of PAM and log back in.

To verify that the messages were forwarded: in the Splunk home page, click "Search & Reporting" >> "Data Summary". The PAM hostname should be listed there, with messages coming from PAM. If nothing appears, confirm that the Splunk host accepts UDP traffic on port 516 (host and network firewall rules); syslog over UDP is unacknowledged, so a dropped datagram produces no error on the PAM side.
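As an added check (example code, not from this article or from CA/Broadcom), the small Python module below decodes syslog datagrams the way the UDP input above would receive them, counts messages per sending host the way Data Summary does, and can temporarily capture what PAM sends on port 516. It assumes PAM emits BSD-style (RFC 3164) syslog lines; the sample lines and the "pam-host" name are constructed.

```python
import re
import socket

# Syslog facility and severity names, indexed by their RFC 3164 numeric codes.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# BSD-style line, the format Splunk's "syslog" sourcetype parses: <PRI>Mmm dd HH:MM:SS host message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Za-z]{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")

# Constructed sample datagrams (not real PAM output) standing in for what the listener would see.
SAMPLE_LINES = [
    "<38>Jun 12 10:15:01 pam-host sshd: user admin logged in",
    "<86>Jun 12 10:15:05 pam-host pam: user admin logged out",
    "this is not a syslog line",
]

def parse_syslog(line: str):
    """Decode one datagram; return None if it is not a well-formed BSD syslog line."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # 24 facilities x 8 severities; anything larger is malformed
        return None
    return {"facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7],
            "timestamp": m.group("ts"), "host": m.group("host"), "message": m.group("msg")}

def hosts_seen(lines) -> dict:
    """Count well-formed messages per sending host, like Splunk's Data Summary host view."""
    counts: dict = {}
    for rec in filter(None, map(parse_syslog, lines)):
        counts[rec["host"]] = counts.get(rec["host"], 0) + 1
    return counts

def capture(port: int = 516, count: int = 5, timeout: float = 30.0) -> list:
    """Receive up to `count` datagrams on the Splunk port (run with Splunk's input stopped, since only one process can bind it)."""
    received = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind(("0.0.0.0", port))
        try:
            while len(received) < count:
                data, (src, _) = sock.recvfrom(4096)
                received.append((src, data.decode("utf-8", "replace")))
        except socket.timeout:  # no more traffic within the window
            pass
    return received
```

Run `capture()` on the Splunk host with the UDP input disabled, then log out of PAM and back in; every returned tuple should carry the PAM address and a line that `parse_syslog` decodes.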