topic Re: How to forward events from Splunk Indexer to CyberArk PTA? in Getting Data In

How to forward events from Splunk Indexer to CyberArk PTA?

potnuru — Tue, 07 Jul 2020 07:43:55 GMT

Q: Need to forward the data from all the indexes (Windows, Linux, etc...) to CyberArk PTA via Syslog or any other from the Splunk Indexer as we don't have HF in our Environment.

I have followed the documentation given by CyberArk on PTA Splunk Integration, but it is not working (logs are not forwarding to PTA server) for me.

Link: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/11.2/en/Content/PTA/Configuring-Splunk-Forward-syslog-messages.htm

Configuration on Indexer:

In the SPLUNK_HOME/etc/system/local

-->outputs.conf

[syslog:pta_syslog]
server = <PTA Server IP>:<port>
indexAndForward=true
type=tcp
timestampformat = %s

syslogSourceType=sourcetype:: linux:messages

---->props.conf

[source::WinEventLog:Security]
TRANSFORMS-pta = pta_syslog_filter

----->transforms.conf

[pta_syslog_filter]
REGEX = .*EventCode=4624|4720|4723|4724|4732.*
DEST_KEY = _SYSLOG_ROUTING
FORMAT = pta_syslog

Re: How to forward events from Splunk Indexer to CyberArk PTA?

richgalloway — Mon, 06 Jul 2020 18:34:15 GMT

Since we don't have the documentation given by Cyberark, please elaborate on the steps you took to forward data from Splunk Cyberark. What part is failing? What error messages do you get?

Re: How to forward events from Splunk Indexer to CyberArk PTA?

potnuru — Tue, 07 Jul 2020 07:49:43 GMT

Hi @richgalloway I have updated the question with complete details, could you check and help me in finding the resolution.

Basically PTA server is listening (Syslog) on some port let's say 514.

We need to forward all the logs in/coming to Splunk Indexer to PTA Syslog server on some port (514) .

Re: How to forward events from Splunk Indexer to CyberArk PTA?

richgalloway — Tue, 07 Jul 2020 13:34:20 GMT

I suspect the REGEX line in transforms.conf is to blame. The leading and trailing ".*" are not needed. Have you verified the remainder matches what you want to forward? It won't match Linux logs.

Re: How to forward events from Splunk Indexer to CyberArk PTA?

potnuru — Wed, 08 Jul 2020 08:37:02 GMT

Hi @richgalloway The Regex is working fine and it is applied to only Windows Events Source Type but not other Source Types.

Re: How to forward events from Splunk Indexer to CyberArk PTA?

suresh301086 — Wed, 16 Sep 2020 08:32:16 GMT

Is it working for you ?

Re: How to forward events from Splunk Indexer to CyberArk PTA?

suresh301086 — Wed, 16 Sep 2020 08:33:18 GMT

Windows logs are properly parsing where Linu/Unix logs are not parsing to PTA from Splunk

Re: How to forward events from Splunk Indexer to CyberArk PTA?

potnuru — Wed, 16 Sep 2020 10:00:25 GMT

@suresh301086 By default PTA won't support Linux Events. We need to develop custom plugin on PTA to understand Linux Events.

Re: How to forward events from Splunk Indexer to CyberArk PTA?

potnuru — Wed, 16 Sep 2020 10:03:02 GMT

@suresh301086 For me PTA functionality is working for Windows Events and not for Linux Events. Currently we are working on developing custom plugin for Linux Events.

Could you please share your forwarding configuration that you defined on Splunk Indexer/HF?

Re: How to forward events from Splunk Indexer to CyberArk PTA?

Atavius — Fri, 18 Dec 2020 16:31:39 GMT

@potnuru Could you please explain how did you got those Windows Events to work?

I am having exactly the same problem as you described in your first post - everything is configured per PTA documentation, but Splunk is unable to send messages to PTA.

Re: How to forward events from Splunk Indexer to CyberArk PTA?

potnuru — Tue, 12 Jan 2021 08:15:44 GMT

Hi @Atavius

I have followed the CyberArk documentation and it worked for me for Windows Events. Please check the below configuration for your reference.

#outputs.conf

[syslog]

defaultGroup = noforward

[syslog:pta_syslog]

server = PTA-IP:514

type = tcp

timestampformat = %s

syslogSourceType = sourcetype::linux:messages

#props.conf

[source::WinEventLog:Security]

TRANSFORMS-win = pta_syslog_win

#transforms.conf

[pta_syslog_win]

REGEX = .*<your filter>*

DEST_KEY = _SYSLOG_ROUTING

FORMAT = pta_syslog

Re: How to forward events from Splunk Indexer to CyberArk PTA?

kcooper — Wed, 12 Mar 2025 12:43:24 GMT

question - why wasn't the data sent directly to the PTA server from the Windows servers via outputs.conf?