All Apps and Add-ons

Is there any way to monitor cyberark logs?

agentsofshield
Path Finder

Hello! So I installed the Cyberark add on in order to monitor Cyberark.

I already have a syslog server which produces .log files from Cyberark. Is there any way to monitor it directly from the .log files, or do I absolutely have to do it they way they specified in: https://docs.splunk.com/Documentation/AddOns/released/CyberArk/Setup (translating the files)?

It's just, so much easier if I could just translate the log files locally on the syslog server. Thank you!

0 Karma
1 Solution

koshyk
Super Champion

Why you want to translate the file in your syslog server? Splunk is the best regex engine and you could do within Splunk

If you need to use CyberArk addon directly is:
1. Put the Translator (xsl) file in the CyberARk Vault System. This has to be done by your cyberark admin.
2. After you put the translator file, it will send syslog message to the destination & port
3. Use your syslog server to capture this message. Please use rfc5424 if possible. This will put all the data correctly in your syslog server
4. Use Splunk to index this data and put the sourcetype as mentioned in CyberArk addon.

If you don't want to use CyberARk addon
1. You need to put some translator file in cyberark and point to your syslog. Try to use a key-value translator if possible
2. Just use inputs.conf and collect into Splunk into an index and put your own sourcetype eg. custom:cyberark:vault
3. You can write your own extraction rules in your TA and is flexible. Ensure you collect important fields including safe-name, address,messageId,requestorId etc.

View solution in original post

koshyk
Super Champion

Why you want to translate the file in your syslog server? Splunk is the best regex engine and you could do within Splunk

If you need to use CyberArk addon directly is:
1. Put the Translator (xsl) file in the CyberARk Vault System. This has to be done by your cyberark admin.
2. After you put the translator file, it will send syslog message to the destination & port
3. Use your syslog server to capture this message. Please use rfc5424 if possible. This will put all the data correctly in your syslog server
4. Use Splunk to index this data and put the sourcetype as mentioned in CyberArk addon.

If you don't want to use CyberARk addon
1. You need to put some translator file in cyberark and point to your syslog. Try to use a key-value translator if possible
2. Just use inputs.conf and collect into Splunk into an index and put your own sourcetype eg. custom:cyberark:vault
3. You can write your own extraction rules in your TA and is flexible. Ensure you collect important fields including safe-name, address,messageId,requestorId etc.

deva1995
Explorer

How to capture those messages on the syslog server? PLease help. thanks in advance

0 Karma

rajanala
Path Finder

Account activities are successfully collected using the Splunk add-on for CyberArk.
Is there a way to ingest CyberArk's ITA logs into Splunk ?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...