Anyone sending TSS violation messages or SMF type 80 records to Splunk?
If so, how are the messages being sent?
CA Top Secret (TSS) does not have the ability to send violation messages directly to Splunk out of the box, but using CA Compliance Event Manager (CEM), you can.
CA CEM has comprehensive policy capabilities related to sending security events to Splunk in Syslog or other formats.
Some event types that can be sent to Splunk are Sign on success/violations (VERIFY), Object access success/violations (AUTH), Admin success/violations (TSS commands), etc.
For a complete list of the events and filtering capabilities of CA CEM, please see docops.ca.com and, in the ‘Select a product list’ drop-down, select CA Compliance Event Manager.
I believe your site already licenses CA CEM. If you have any follow-up questions, I’d be happy to set up a conference call to review.
Also, there is a CA Partner Portal that identifies other 3rd party software options that augment the capabilities provided by CA TSS and CA CEM.
Sr Principal Architect
CA Compliance Event Manager
Thank you, Mitchell. That is good to hear about CA-CEM; we purchased it for other requirements, but now the Splunk feature is the top requirement.
I should have also mentioned that CA Compliance Event Manager (CEM) is not CA Top Secret specific. CA CEM works with all 3 external security managers: CA ACF2, CA Top Secret and IBM RACF. It normalizes the actions (email, WTO, SIEM, etc.) into a common format for all 3 external security managers. Sample Syslog-formatted output to Splunk is also provided with CA CEM that can be used as is or modified as desired.
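The replies above describe CEM forwarding sign-on (VERIFY), object access (AUTH) and admin-command events from any of the three ESMs to Splunk in a normalized syslog format, but the thread does not show what the events look like or what a consumer would do with them. The following is an added example, not code from CA, CEM, or any poster in this thread: it parses a handful of constructed syslog lines and computes the kind of per-user violation counts a Splunk search would produce. The `key=value` layout (`esm=`, `event=`, `result=`, `user=`, `resource=`) is an assumption made for this example and is not CEM's actual sample output; a real consumer would use the field names CEM documents.

```python
import re
from collections import Counter

# Constructed sample lines. The key=value layout is an assumption for this example
# and is NOT CA CEM's real syslog format; only the event categories (VERIFY, AUTH,
# admin commands) and the three ESM names come from the thread.
SAMPLE_SYSLOG = """\
<13>Mar 04 10:01:02 mvs1 cem: esm=TSS event=VERIFY result=SUCCESS user=JSMITH resource=TSO
<13>Mar 04 10:01:09 mvs1 cem: esm=TSS event=VERIFY result=VIOLATION user=JSMITH resource=TSO
<13>Mar 04 10:01:15 mvs1 cem: esm=TSS event=VERIFY result=VIOLATION user=JSMITH resource=TSO
<13>Mar 04 10:01:21 mvs1 cem: esm=TSS event=VERIFY result=VIOLATION user=JSMITH resource=TSO
<13>Mar 04 10:02:00 mvs2 cem: esm=RACF event=AUTH result=VIOLATION user=BATCH01 resource=SYS1.PARMLIB
<13>Mar 04 10:02:30 mvs1 cem: esm=TSS event=ADMIN result=SUCCESS user=SECADM resource=TSS_PERMIT
<13>Mar 04 10:03:00 mvs3 cem: esm=ACF2 event=AUTH result=SUCCESS user=APPUSER resource=PROD.DATA
this line is not a security event and should be skipped
"""

# RFC 3164-style prefix: <PRI>, timestamp, host, then the application payload.
LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) cem: (?P<kv>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")
REQUIRED_FIELDS = ("esm", "event", "result", "user")


def parse_event(line):
    """Return a dict for one normalized ESM event, or None if the line is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("kv")))
    # Reject lines that lack the fields every normalized event must carry.
    if not all(k in fields for k in REQUIRED_FIELDS):
        return None
    ev = {"host": m.group("host"), "ts": m.group("ts")}
    ev.update(fields)
    return ev


def parse_syslog(text):
    """Parse a block of syslog text, silently dropping non-event lines."""
    events = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is not None:
            events.append(ev)
    return events


def violations_by_user(events):
    """Count VIOLATION results per (esm, user); the ESM is kept in the key because
    the same user id can exist on more than one security manager."""
    counts = Counter()
    for ev in events:
        if ev["result"] == "VIOLATION":
            counts[(ev["esm"], ev["user"])] += 1
    return counts


def repeated_violators(events, threshold=3):
    """Users with at least `threshold` violations, the usual alerting condition
    for repeated sign-on or access failures."""
    return sorted(
        user for (esm, user), n in violations_by_user(events).items() if n >= threshold
    )


def counts_by_event_type(events):
    """Summary by (event, result), i.e. what a Splunk 'stats count by event, result' gives."""
    counts = Counter()
    for ev in events:
        counts[(ev["event"], ev["result"])] += 1
    return counts


if __name__ == "__main__":
    evs = parse_syslog(SAMPLE_SYSLOG)
    print(f"{len(evs)} events parsed")
    for key, n in sorted(counts_by_event_type(evs).items()):
        print(f"{key[0]:8} {key[1]:10} {n}")
    print("repeated violators:", repeated_violators(evs))
```

The parser keeps the ESM name alongside the user id because, as the reply notes, the same normalized format carries ACF2, Top Secret and RACF events; collapsing them to a bare user id would merge unrelated accounts. The three-strikes threshold is only a starting point; the same structure works for AUTH violations per resource or ADMIN events per administrator.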