topic Re: Splunk Add-on for CyberArk: data not parsing correctly. Alternatives or guidance? in All Apps and Add-ons

Splunk Add-on for CyberArk: data not parsing correctly. Alternatives or guidance?

kiran331 — Mon, 11 Sep 2017 16:05:04 GMT

Has anyone successfully integrated cyberark with Splunk? I tried the add-on, but its not useful, its not parsing the data correctly with CIM? Is there any alternative approach for integration?

Re: Splunk Add-on for CyberArk: data not parsing correctly. Alternatives or guidance?

koshyk — Mon, 11 Sep 2017 20:56:40 GMT

we had few issues as well, but it was related to syslog format. Inorder to help, need to know
- how you are collecting the data from cyberark? via syslog?
- Put some sample of your data
- which version of Splunk and Cyberark Addon you are using?

Re: Splunk Add-on for CyberArk: data not parsing correctly. Alternatives or guidance?

kiran331 — Mon, 11 Sep 2017 21:23:33 GMT

We are collecting data through syslog. Splunk version is 6.6.1, CIM is 4.8 and Splunk add-on for Cyberark 1.0.

Here's the sample event,

Re: Splunk Add-on for CyberArk: data not parsing correctly. Alternatives or guidance?

jtnull — Tue, 12 Sep 2017 18:26:23 GMT

What is your version of CyberArk PAS?
Are you trying to send syslog data from the Vault or via Splunk Universal Forwarder on the component servers?
If syslog, what is your configuration in the dbparm.ini? And Is the SplunkCIM.xsl file in the \PrivateArk\server\syslog directory with the other translator files?
If UF on component, what log files are you monitoring?

Here is a sample configuration that works:

[SYSLOG]
UseLegacySyslogFormat=Yes
SysLogServerIP=ipaddress of splunk indexer
SysLogServerProtocol=UDP
SysLogServerPort=514
SysLogTranslatorFile=Syslog\SplunkCIM.xsl

Re: Splunk Add-on for CyberArk: data not parsing correctly. Alternatives or guidance?

lfedak_splunk — Wed, 13 Sep 2017 00:36:47 GMT

Hey @kiran331, Please be sure that when responding to someone's answer or comment, click on "Add comment," or if you're responding to someone's comment, type in the "Add your comment..." box directly below their comment. You typed your last response in the "Enter your answer here..." box at the very bottom of the page which, instead, posts a brand new answer each time. This will help with a clean continuous flow of the conversation. I already converted your "answer" to a comment, so just something to keep in mind from here on out. Thanks and happy Splunking!

Re: Splunk Add-on for CyberArk: data not parsing correctly. Alternatives or guidance?

gurlest — Thu, 10 Oct 2019 18:24:21 GMT

We are having the same issue. Did you ever get this fixed?

I've heard suggestions from someone that it could be the syslog message length is too short, but I cannot find any guidance from CyberArk for how to set that. Someone also suggested that it could be the UseLegacySyslogFormat parameter, but again - not sure what the current settings are and am not seeing much guidance one way or the other (except for this article and its unaccepted answer).

Note - our events were correct at one time, but must have been borked with an upgrade or some other configuration change. However, we have also lost our CyberArk admin since then and the new admins are - new.

Re: Splunk Add-on for CyberArk: data not parsing correctly. Alternatives or guidance?

jtnull — Thu, 10 Oct 2019 19:51:39 GMT

We did get it resolved with the assistance of Splunk Level 3 Support. We had to configure line breaking on the input.

See https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/Configureeventlinebreaking

Re: Splunk Add-on for CyberArk: data not parsing correctly. Alternatives or guidance?

gurlest — Thu, 10 Oct 2019 21:02:13 GMT

Did you just manually break the event after msg= ?