Symantec Privileged Access Management

  • 1.  Tech Tip:  Integrating Splunk with PAM

    Posted Mar 02, 2018 02:54 PM

    There are two ways to implement Splunk within PAM. The first is to configure your Splunk server as a Syslog server. On the Config --> Logging page, you can configure up to two systems as syslog servers. One of these may be your Splunk server. Once this is running you can filter on the syslog entries in Splunk. By default, this method uses the default syslog port, UDP 514. You may change it to match the port on which Splunk is configured to receive syslog.


    The second method is to use PAM's built-in Splunk Forwarder. This depends on you configuring a receiver in Splunk, which will require you to specify a TCP port. You'll then configure the address and port on the Config --> 3rd Party page. The link below is to the Splunk Configuration page in the PAM wiki. https://docops.ca.com/ca-privileged-access-manager/3-1-1/EN/implementing/configure-your-server/logging-server-activity/splunk-server-configuration-for-logging


    There is nothing further for you to configure in PAM. PAM will essentially send messages corresponding to what goes into the Session Log, regardless of which method you choose. There may not be a 100% match, but it should be close.


    This should get you going, but if you still have problems please open a Support ticket.
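    The two delivery paths above (syslog over UDP, and the built-in forwarder sending to a Splunk TCP receiver) can be checked before you go looking for events in Splunk by pointing PAM at a throwaway listener and seeing what arrives. The script below is an added example, not code from the original post and not part of PAM or Splunk: it opens a UDP listener (standing in for a syslog input) and a TCP listener (standing in for a Splunk receiver), splits the RFC 3164 `<PRI>` prefix into facility and severity so you can see which syslog facility PAM is using, and, for an offline run, sends itself a couple of constructed sample lines over loopback. The sample lines, the port choice (0, i.e. ephemeral, rather than 514, so it runs without root) and the helper names are all assumptions for the demo; to check a real PAM, bind the listeners on the address and port you entered on the Config --> Logging or Config --> 3rd Party page and skip the self-send.

```python
"""Stand-in syslog (UDP) and Splunk-style TCP receiver for checking that PAM
is emitting messages. Hypothetical helper for illustration; not PAM or Splunk code."""
import socket
import threading

# Constructed sample lines in syslog shape; not captured from a real PAM appliance.
SAMPLE_LINES = [
    "<134>Mar  2 14:54:01 pam-host uag: session opened for admin",
    "<132>Mar  2 14:54:09 pam-host uag: login failed for user svc_backup",
]

# Standard syslog facility codes 0..23 and severity codes 0..7 (RFC 3164).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_syslog_pri(line):
    """Return (facility, severity, body). Facility/severity are None if there is no valid <PRI>."""
    if line.startswith("<"):
        close = line.find(">", 1, 5)          # PRI is 1..3 digits, so '>' sits at index 2..4
        digits = line[1:close] if close != -1 else ""
        if digits.isdigit() and int(digits) <= 191:
            pri = int(digits)
            return FACILITIES[pri // 8], SEVERITIES[pri % 8], line[close + 1:]
    return None, None, line


def open_udp_listener(host="127.0.0.1", port=0):
    """Bind a UDP socket. PAM defaults to 514; port 0 picks a free port for the demo."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    return sock


def capture_udp(sock, expected, timeout=5.0):
    """Read up to `expected` datagrams from a bound UDP socket, one syslog line each."""
    sock.settimeout(timeout)
    lines = []
    try:
        while len(lines) < expected:
            data, _ = sock.recvfrom(65535)
            lines.append(data.decode("utf-8", "replace").rstrip("\n"))
    except socket.timeout:
        pass                                   # return what arrived before the deadline
    return lines


def open_tcp_listener(host="127.0.0.1", port=0):
    """Listen on TCP the way a Splunk receiver would; port 0 picks a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def capture_tcp(srv, timeout=5.0):
    """Accept one sender, read until it closes, and split the stream into lines."""
    srv.settimeout(timeout)
    conn, _ = srv.accept()
    chunks = []
    with conn:
        while True:
            data = conn.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace").splitlines()


def send_udp(lines, host, port):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for line in lines:
            s.sendto(line.encode(), (host, port))


def send_tcp(lines, host, port):
    with socket.create_connection((host, port)) as s:
        s.sendall("".join(line + "\n" for line in lines).encode())


def loopback_demo(lines=SAMPLE_LINES):
    """Exercise both paths over loopback; returns {"udp": [...], "tcp": [...]} of parsed tuples."""
    udp, tcp, results = open_udp_listener(), open_tcp_listener(), {}
    threads = [threading.Thread(target=lambda: results.update(udp=capture_udp(udp, len(lines)))),
               threading.Thread(target=lambda: results.update(tcp=capture_tcp(tcp)))]
    for t in threads:
        t.start()
    send_udp(lines, *udp.getsockname())       # sockets are already bound, so nothing is lost
    send_tcp(lines, *tcp.getsockname())
    for t in threads:
        t.join()
    udp.close()
    tcp.close()
    return {path: [parse_syslog_pri(l) for l in got] for path, got in results.items()}


if __name__ == "__main__":
    for path, parsed in loopback_demo().items():
        for facility, severity, body in parsed:
            print(f"{path}: {facility}.{severity} {body}")
```

    The facility the parser reports is what you will want to key on when building a Splunk sourcetype or index filter for the syslog path; the TCP path delivers the same text without the syslog framing added by a syslog daemon, so check both if you are unsure which one PAM is actually using.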



  • 2.  Re: Tech Tip:  Integrating Splunk with PAM

    Broadcom Employee
    Posted Mar 05, 2018 04:16 PM

    Thanks for the share.


    Mike Pass



  • 3.  Re: Tech Tip:  Integrating Splunk with PAM

    Broadcom Employee
    Posted Apr 19, 2018 12:51 PM

    Ed,


    Based on your original tech tip, it appears that only "session log" information will be sent to Splunk.  Is this the only data that is sent to Splunk?  What about any of the Tomcat logs?  Any Debian Session Logs?  How about cluster log information?  Is there a list of what logs are being forwarded by Splunk?



  • 4.  Re: Tech Tip:  Integrating Splunk with PAM

    Broadcom Employee
    Posted Apr 19, 2018 01:35 PM

    Peter, cluster logs are in the session logs. And the problem with missing Password Management messages has been resolved in 3.1.1, see https://docops.ca.com/ca-privileged-access-manager/3-1-1/EN/release-information/resolved-issues-in-3-1-1 and look for "Splunk". We forward messages that go into the uag.log (session log), cspm.metric and cspm.auditlog database tables. We don't forward messages that go into log files.