Splunk add-on for Fudo PAM | How to parse logs fro...

splunky_diamond · ‎05-17-2024

Hello splunkers!

Has anyone had experience with getting data in Splunk from PAM (Privileged Access Management) systems? I want to do the integration of Splunk with Fudo PAM. Question of getting logs from Fudo to Splunk is not a problem at all, it's easily done over syslog. However, I don't know how to parse these logs. The syslog sourcetype doesn't properly parse the events, it misses a lot of useful information such as: users, processes, action done, accounts, basically almost everything except for the IP of the node and the timestamp of the event.

Does anyone know if there is a good add-on for parsing logs from Fudo PAM? Or any other good way how to parse its logs?

Thanks for taking time reading and replying to my post ❤️

tej57 · ‎05-20-2024

Hello @splunky_diamond ,

I am unsure if there are any apps/TAs available for Fudo PAM data. The best would be to write magic 8 props for parsing the data. You can find the relevant documentation links below:

- https://docs.splunk.com/Documentation/Splunk/latest/Data/WhatSplunkdoeswithyourdata

- https://docs.splunk.com/Documentation/Splunk/latest/Data/Overviewofeventprocessing

- https://docs.splunk.com/Documentation/Splunk/latest/Data/Createsourcetypes

- https://lantern.splunk.com/Splunk_Platform/Product_Tips/Data_Management/Configuring_new_source_types

Thanks,
Tejas.

---

If the above solution helps, an upvote is appreciated.