All Apps and Add-ons

Splunk Add-on for CyberArk: data not parsing correctly. Alternatives or guidance?

kiran331
Builder

Has anyone successfully integrated cyberark with Splunk? I tried the add-on, but its not useful, its not parsing the data correctly with CIM? Is there any alternative approach for integration?

0 Karma

jtnull
New Member

We did get it resolved with the assistance of Splunk Level 3 Support. We had to configure line breaking on the input.

See https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/Configureeventlinebreaking

0 Karma

gurlest
Path Finder

Did you just manually break the event after msg= ?

0 Karma

gurlest
Path Finder

We are having the same issue. Did you ever get this fixed?

I've heard suggestions from someone that it could be the syslog message length is too short, but I cannot find any guidance from CyberArk for how to set that. Someone also suggested that it could be the UseLegacySyslogFormat parameter, but again - not sure what the current settings are and am not seeing much guidance one way or the other (except for this article and its unaccepted answer).

Note - our events were correct at one time, but must have been borked with an upgrade or some other configuration change. However, we have also lost our CyberArk admin since then and the new admins are - new.

0 Karma

jtnull
New Member

What is your version of CyberArk PAS?
Are you trying to send syslog data from the Vault or via Splunk Universal Forwarder on the component servers?
If syslog, what is your configuration in the dbparm.ini? And Is the SplunkCIM.xsl file in the \PrivateArk\server\syslog directory with the other translator files?
If UF on component, what log files are you monitoring?

Here is a sample configuration that works:

[SYSLOG]
UseLegacySyslogFormat=Yes
SysLogServerIP=ipaddress of splunk indexer
SysLogServerProtocol=UDP
SysLogServerPort=514
SysLogTranslatorFile=Syslog\SplunkCIM.xsl

0 Karma

kiran331
Builder

We are collecting data through syslog. Splunk version is 6.6.1, CIM is 4.8 and Splunk add-on for Cyberark 1.0.

Here's the sample event,

alt text

0 Karma

lfedak_splunk
Splunk Employee
Splunk Employee

Hey @kiran331, Please be sure that when responding to someone's answer or comment, click on "Add comment," or if you're responding to someone's comment, type in the "Add your comment..." box directly below their comment. You typed your last response in the "Enter your answer here..." box at the very bottom of the page which, instead, posts a brand new answer each time. This will help with a clean continuous flow of the conversation. I already converted your "answer" to a comment, so just something to keep in mind from here on out. Thanks and happy Splunking!

0 Karma

koshyk
Super Champion

we had few issues as well, but it was related to syslog format. Inorder to help, need to know
- how you are collecting the data from cyberark? via syslog?
- Put some sample of your data
- which version of Splunk and Cyberark Addon you are using?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...