Hello! So I installed the CyberArk add-on in order to monitor CyberArk.
I already have a syslog server which produces .log files from CyberArk. Is there any way to monitor it directly from the .log files, or do I absolutely have to do it the way they specified in: https://docs.splunk.com/Documentation/AddOns/released/CyberArk/Setup (translating the files)?
It's just so much easier if I could translate the log files locally on the syslog server. Thank you!
Why do you want to translate the file on your syslog server? Splunk is the best regex engine, and you could do that within Splunk.
If you need to use the CyberArk add-on directly:
1. Put the translator (XSL) file on the CyberArk Vault system. This has to be done by your CyberArk admin.
2. After you put the translator file in place, it will send syslog messages to the destination and port.
3. Use your syslog server to capture these messages. Please use RFC 5424 if possible. This will put all the data correctly in your syslog server.
4. Use Splunk to index this data and set the sourcetype as mentioned in the CyberArk add-on.
If you don't want to use the CyberArk add-on:
1. You need to put some translator file in CyberArk and point it to your syslog server. Try to use a key-value translator if possible.
2. Just use inputs.conf to collect it into a Splunk index, and set your own sourcetype, e.g. custom:cyberark:vault.
3. You can write your own extraction rules in your TA, and this is flexible. Ensure you collect important fields including safe-name, address, messageId, requestorId, etc.
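The "without the add-on" path above, written out as a worked example (added here; this is not the page's own configuration, not the Splunk add-on's, and not CyberArk's). It assumes the syslog server writes RFC 5424 lines to /var/log/cyberark/vault.log, that the index is called cyberark, and that the CyberArk translator emits a key=value body using the field names from the answer (safe-name, address, messageId, requestorId); the sample event in the comment is constructed, not real CyberArk output. The three stanzas below go in inputs.conf, props.conf and transforms.conf of your own TA.

```ini
# ---- inputs.conf (on the forwarder that reads the syslog server's file) ----
# Assumed path and index; sourcetype is the custom one from the answer.
[monitor:///var/log/cyberark/vault.log]
index = cyberark
sourcetype = custom:cyberark:vault
disabled = false

# ---- props.conf ----
# Constructed sample line this config is written against:
# <14>1 2024-05-01T12:34:56.789+00:00 vault01 CyberArk - - - messageId=295 safe-name="Finance Prod" address=db01.example.com requestorId=jsmith action="Retrieve password"
[custom:cyberark:vault]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# RFC 5424 header is "<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG".
# Timestamp follows "<PRI>1 "; %:z matches the +hh:mm offset form. If your
# syslog server writes +hhmm instead, change %:z to %z (check one real line).
TIME_PREFIX = ^<\d+>1\s
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%:z
MAX_TIMESTAMP_LOOKAHEAD = 40
# Index-time: take host from the RFC 5424 HOSTNAME field, not the forwarder.
TRANSFORMS-cyberark_host = cyberark_syslog_host
# Search-time: disable automatic KV so only our explicit extractions apply.
KV_MODE = none
# Pull the syslog header apart (simplified: handles "-" or a single SD element).
EXTRACT-cyberark_syslog_header = ^<(?<syslog_pri>\d+)>1\s+\S+\s+(?<syslog_host>\S+)\s+(?<syslog_app>\S+)\s+(?<syslog_procid>\S+)\s+(?<syslog_msgid>\S+)\s+(?<syslog_sd>-|\[[^\]]*\])\s+(?<message>.*)$
# Key=value body: quoted values and bare values are handled by two transforms.
REPORT-cyberark_kv = cyberark_kv_quoted, cyberark_kv_bare
# CLEAN_KEYS (default) turns "safe-name" into "safe_name"; keep the original
# name available for searches written against the translator's field list.
FIELDALIAS-cyberark_safe = safe_name AS safe-name

# ---- transforms.conf ----
[cyberark_syslog_host]
REGEX = ^<\d+>1\s+\S+\s+(\S+)\s
FORMAT = host::$1
DEST_KEY = MetaData:Host

# key="value with spaces"
[cyberark_kv_quoted]
REGEX = (\w[\w\-]*)="([^"]*)"
FORMAT = $1::$2
REPEAT_MATCH = true

# key=value (no quotes, no spaces); first char must not be a quote so the
# two transforms never match the same pair.
[cyberark_kv_bare]
REGEX = (\w[\w\-]*)=([^\s"]\S*)
FORMAT = $1::$2
REPEAT_MATCH = true
```

After restarting the forwarder and search head, `index=cyberark sourcetype=custom:cyberark:vault | table _time syslog_host messageId safe_name address requestorId action` should show the sample line split into the fields the answer lists; if `_time` is wrong, the offset format in TIME_FORMAT is the first thing to check.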
How do I capture those messages on the syslog server? Please help. Thanks in advance.
Account activities are successfully collected using the Splunk add-on for CyberArk.
Is there a way to ingest CyberArk's ITA logs into Splunk?