topic Re: How would I configure CyberArk TA, Search Head, and Syslog Server? in Splunk Search

How would I configure CyberArk TA, Search Head, and Syslog Server?

SplunkDash — Mon, 29 Aug 2022 20:27:48 GMT

Hello,

Data in CyberArk comes through the Syslog Server and CyberArk TA needs to be installed into Search head (or search head cluster) based on the SPLUNK web site (https://docs.splunk.com/Documentation/AddOns/released/CyberArk/Installation). I installed this TA directly into the Syslog server, but not working as expected. How I would configure, Syslog, SHC, and CyberArk? Any help would be highly appreciated. Thank you!

Re: How would I configure CyberArk TA, Search Head, and Syslog Server?

gcusello — Tue, 30 Aug 2022 07:32:33 GMT

Hi @SplunkDash,

As described in documentation, this TA must be installed in all Search Heads (clustered or not) because there are some parsing actions made at search time.

In addition, there are some parsing actions made at index time, for this reason it must be also installed on the first Heavy Forwarders (if present) between the syslog server and Indexers.

If there isn't any HF (syslogs are taken by an Universal Forwarder that send them to Indexers), it must be installed on Indexers.

Ciao.

Giuseppe

Re: How would I configure CyberArk TA, Search Head, and Syslog Server?

SplunkDash — Tue, 30 Aug 2022 22:26:04 GMT

Hello @gcusello

I have one more question on CyberArk TA.

We typically have 2 types of CyberArk logs PTA and EPV, but the CyberArk TA we have, has only one source type cyberark.pta:cef. It means that CyberArk TA is associated with only PTA logs. My question is, if this is the case we won't need to have EPV logs? Your thoughts and recommendation will be highly appreciated. Thank you!

Re: How would I configure CyberArk TA, Search Head, and Syslog Server?

gcusello — Wed, 31 Aug 2022 06:16:10 GMT

Hi @SplunkDash,

as you can read in the link you shared:

The Splunk Add-on for CyberArk allows a Splunk software administrator to pull system logs and traffic statistics from Privileged Threat Analytics (PTA) 12.2 and Enterprise Password Vault (EPV) 12.2 using syslog in Common Event Format (CEF). This add-on extracts CyberArk real-time privileged account activities (such as individual user activity when using shared accounts) into the Splunk platform and Splunk Enterprise Security, providing a single place to analyze unusual account activity.

using this TA you have both EPV and PTA logs in CEF format.

Ciao.

Giuseppe

Re: How would I configure CyberArk TA, Search Head, and Syslog Server?

SplunkDash — Wed, 31 Aug 2022 12:54:52 GMT

Hello @gcusello ,

Thank you so much for detail clarifications. I have 2 more questions, do these PTA and EPV events coming under cyberark.pta:cef source type, I just see one source type in CyberArk TA? and what is the latest version for CyberArk TA? Thank you again and appreciate your support in these efforts.

Re: How would I configure CyberArk TA, Search Head, and Syslog Server?

gcusello — Wed, 31 Aug 2022 13:48:20 GMT

Hi @SplunkDash,

yes: using the cyberark.pta:cef sourcetype you have both PTA and EPV events.

You can find the latest version of this TA (1.2.0) at https://splunkbase.splunk.com/app/2891/

ciao.

Giuseppe

Re: How would I configure CyberArk TA, Search Head, and Syslog Server?

SplunkDash — Wed, 31 Aug 2022 13:50:13 GMT

@gcusello

This is extra ordinarily helpful, much appreciated!

Re: How would I configure CyberArk TA, Search Head, and Syslog Server?

SplunkDash — Thu, 01 Sep 2022 16:16:19 GMT

Hello @gcusello,

I have a few use cases to send data from SPLUNK to consumers in real time, and consumers have both Linux/Windows OS. Does SPLUNK has any options to do that? Or how would I do it? I also posted this question. But, sending you here, just wanted to make sure you have it. Any help will be highly appreciated. Thank you so much.

Re: How would I configure CyberArk TA, Search Head, and Syslog Server?

gcusello — Fri, 02 Sep 2022 06:47:22 GMT

Hi @SplunkDash,

this is a new and different question, so I hint to create a new question, in this way you'll surely have a quicker and probably better answer from more people of Community.

Anyway, what do you mea with "send data from SPLUNK to consumers in real time"?

if you mean forwarding all (or a part of) events via syslog or to anothe Splunk, it's possible, could you better describe your request?

Ciao.

Giuseppe

Re: How would I configure CyberArk TA, Search Head, and Syslog Server?

SplunkDash — Sun, 18 Sep 2022 22:41:15 GMT

Hello @gcusello

On CyberArk TA, we are getting data through syslog servers where UFs (no HFs there) installed on them, so data is in syslog servers. Based on your recommendations, I am planning to Install this TA on SH and Indexer clusters. We also have deployment servers with HFs installed on them and syslog servers are also be used as Deployment Clients. Should I also need to install this TA on Deployment Servers as well? Thank you so much for your support in these efforts, truly appreciate it.

Re: How would I configure CyberArk TA, Search Head, and Syslog Server?

gcusello — Mon, 19 Sep 2022 06:33:54 GMT

Hi @SplunkDash,

you don't need to install any app or Add-On of the Deployment Server for itself,

if you have to deploy apps to UFs or HFs you have to use the DS to deploy these apps: so you have to copy the apps to deploy in $SPLUNK_HOME/etc/deployment-apps,

but you don't need to install on it.

Ciao.

Giuseppe

Re: How would I configure CyberArk TA, Search Head, and Syslog Server?

SplunkDash — Mon, 19 Sep 2022 10:23:36 GMT

@gcusello

Thank you so much for your quick response. Just a quick question, installation apps in SHC and Indexer cluster meant unzip the .tgz file and copy/transfer the unzip files there, right?

Re: How would I configure CyberArk TA, Search Head, and Syslog Server?

gcusello — Mon, 19 Sep 2022 11:12:52 GMT

Hi @SplunkDash,

to install an App in SHC, you have to copy it in the $SPLUNK_HOME/etc/shcluster of the Deployer and deploy it following the instructions at https://docs.splunk.com/Documentation/Splunk/9.0.1/DistSearch/PropagateSHCconfigurationchanges

For indexer Cluester, , you have to copy it in the $SPLUNK_HOME/etc/master-apps of the master Node and deploy it following the instructions at https://docs.splunk.com/Documentation/Splunk/9.0.1/Indexer/Updatepeerconfigurations

In few words, you have to untar the Apps in the above folders and then run a command by CLi or by GUI.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated 😉

Re: How would I configure CyberArk TA, Search Head, and Syslog Server?

SplunkDash — Mon, 19 Sep 2022 11:59:01 GMT

Hello @gcusello

I uploaded one more question in SPLUNK community page with tittle

"How would I assign 1 sourcetype 2 different indexes?"

I would appreciate your feedback/recommendation when you have a chance, Thank you!