There are two ways to implement Splunk within PAM. The first is to configure you Splunk server as a Syslog server. On the Config --> Logging page, you can configure up to two systems as syslog servers. One of these may be you Splunk server. Once this is running you can filter on the syslog entries in Splunk. By default, this method uses the default syslog port, udp 514. You may change it to match the port on which Splunk is configured to receive syslog.
The second method is to use PAM's built in Splunk Forwarder. This depends on you configuring a receiver in Splunk, which will require you to specify a tcp port. You'll the configure address and port on the Config --> 3rd Party page. The link below is to the Splunk Configuration page in the PAM wiki. https://docops.ca.com/ca-privileged-access-manager/3-1-1/EN/implementing/configure-your-server/logging-server-activity/splunk-server-configuration-for-logging
There is nothing further for you to configure in PAM. PAM will essentially send messages corresponding to what goes into the Session Log, regardless of which method you choose. There may not be a 100% match, but it should be close.
This should get you going, but if you still have problems please open a Support ticket.
Thanks for the share.
Based on your original tech tip, it appears that only "session log" information will be sent to SPLUNK. Is this the only data that is sent to splunk? What about any of the Tomcat logs? Any Debian Session Logs? How about cluster log information? Is there a list of what logs are being forwarded by Splunk?
Peter, Cluster logs are in the session logs. And the problem with missing Password Management messages has been resolved in 3.1.1, see https://docops.ca.com/ca-privileged-access-manager/3-1-1/EN/release-information/resolved-issues-in-3-1-1 and look for "Splunk”. We forward messages that go into the uag.log (session log), cspm.metric and cspm.auditlog database tables. We don't forward messages that go into log files.