We have integrated CA PAM with splunk through inbuilt forwarder included in CA PAM but the logs are not getting parsed and we are looking for parser as well as pre-configured dashboards for CA PAM in splunk.
If there is any option please let us know how to incorporate with SPLUNK.
Splunk Version: 7.0.1
CA PAM Version: 3.1
First suggestion is to read the Splunk documentation.
Second suggestion is to use Google about how to setup Splunk Enterprise.
When you know how you have configured your Splunk server, you can configure PAM to talk to it.
In addition to setting up the syslog forwarding in PAM, you need to set up the corresponding facility in Splunk.
For syslog (Config > Logs), you create a listener.
For Logs from the PAM Splunk Forwarder (Config > 3rd Party) you need to set up an indexer.
These are two separate and distinct facilities in Splunk.
There are two ways to implement Splunk within PAM. The first is to configure your Splunk server as a Syslog server. On the Config --> Logging page, you can configure up to two systems as syslog servers. One of these may be your Splunk server. Once this is running you can filter on the syslog entries in Splunk. By default, this method uses the default syslog port, UDP 514. You may change it to match the port on which Splunk is configured to receive syslog.
The second method is to use PAM's built in Splunk Forwarder. This depends on you configuring a receiver in Splunk, which will require you to specify a tcp port. You'll the configure address and port on the Config --> 3rd Party page. The link below is to the Splunk Configuration page in the PAM wiki.
Hope this helps,
Thanks for you response. We are using the PAM built it in configuration to forward logs to Splunk. The Splunk server is getting the logs from PAM but in Splunk we are unable to understand the log contents.
Is the any splunk specific addon provided from CA (like something I heard name Splunk App from CA), so that we can import in Splunk to read the log contents and display it in Splunk dashboard for the User understandable information.?
I know what you are asking but am not able to find the piece you are looking for at this time but I will keep looking...Sorry!
I created a Tech Tip in the PAM Community, Tech Tip: Integrating Splunk with PAM. There isn't much to do in PAM. This document describes the two ways to configure PAM to send data to Splunk. For one it's just a matter of filtering the syslog messages from the PAM instance. For the other it's a matter of configuring a Receiver in Splunk to correspond to the Forwarder configured in PAM.