Has anyone successfully integrated CyberArk with Splunk? I tried the add-on, but it's not useful; it's not parsing the data correctly with CIM. Is there any alternative approach for integration?
We did get it resolved with the assistance of Splunk Level 3 Support. We had to configure line breaking on the input.
See https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/Configureeventlinebreaking
Did you just manually break the event after msg=?
We are having the same issue. Did you ever get this fixed?
I've heard suggestions from someone that it could be that the syslog message length is too short, but I cannot find any guidance from CyberArk on how to set that. Someone also suggested that it could be the UseLegacySyslogFormat parameter, but again - not sure what the current settings are and am not seeing much guidance one way or the other (except for this article and its unaccepted answer).
Note - our events were correct at one time, but must have been borked with an upgrade or some other configuration change. However, we have also lost our CyberArk admin since then and the new admins are - new.
What is your version of CyberArk PAS?
Are you trying to send syslog data from the Vault or via Splunk Universal Forwarder on the component servers?
If syslog, what is your configuration in the dbparm.ini? And is the SplunkCIM.xsl file in the \PrivateArk\server\syslog directory with the other translator files?
If UF on component, what log files are you monitoring?
Here is a sample configuration that works:
[SYSLOG]
UseLegacySyslogFormat=Yes
SysLogServerIP=ipaddress of splunk indexer
SysLogServerProtocol=UDP
SysLogServerPort=514
SysLogTranslatorFile=Syslog\SplunkCIM.xsl
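The line-breaking fix mentioned earlier in the thread is easiest to get right if you can test the breaking regex offline before it goes into props.conf. The Python below is an added example (not from this thread, CyberArk, or Splunk): it emulates Splunk's LINE_BREAKER behaviour over a constructed stream of CyberArk-style syslog records and then pulls out key=value pairs such as msg=. The sample records and the assumption that each record starts with an RFC 3164 <PRI> header are my own, not something the thread confirms.

```python
import re

# Constructed sample: three CyberArk-style syslog records. The second is glued
# to the first with no newline, and the third ends in CRLF. Field names and
# values are made up for illustration.
SAMPLE = (
    "<14>Oct 11 10:15:01 vault01 CyberArk Vault: user=admin act=Logon "
    "msg=Successful login\n"
    "<14>Oct 11 10:15:02 vault01 CyberArk Vault: user=admin act=Retrieve "
    "msg=Retrieve password<14>Oct 11 10:15:03 vault01 CyberArk Vault: "
    "user=svc_splunk act=Logon failure msg=Bad password\r\n"
)

# Same semantics as Splunk's LINE_BREAKER: the event boundary is placed at
# capture group 1 and the text matched by that group is discarded. Assumption:
# every record begins with "<PRI>Mon DD HH:MM:SS ". In props.conf this would be
#   LINE_BREAKER = ([\r\n]*)(?=<\d{1,3}>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s)
#   SHOULD_LINEMERGE = false
LINE_BREAKER = r"([\r\n]*)(?=<\d{1,3}>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s)"

# key=value pairs; a value runs until the next " key=" or end of record, so
# values with spaces (msg=Bad password) survive intact.
KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def split_events(stream: str, breaker: str = LINE_BREAKER) -> list[str]:
    """Split a raw syslog stream into events the way Splunk's LINE_BREAKER would."""
    events, start = [], 0
    for m in re.finditer(breaker, stream):
        if m.start() == 0:          # header at the very start: nothing before it
            start = m.end(1)
            continue
        events.append(stream[start:m.start(1)])
        start = m.end(1)
    tail = stream[start:].rstrip("\r\n")
    if tail:
        events.append(tail)
    return [e for e in events if e]


def parse_event(event: str) -> dict[str, str]:
    """Extract key=value fields from one record (e.g. user, act, msg)."""
    return {k: v.strip() for k, v in KV.findall(event)}


if __name__ == "__main__":
    for ev in split_events(SAMPLE):
        print(parse_event(ev))
```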
Hey @kiran331, Please be sure that when responding to someone's answer or comment, click on "Add comment," or if you're responding to someone's comment, type in the "Add your comment..." box directly below their comment. You typed your last response in the "Enter your answer here..." box at the very bottom of the page which, instead, posts a brand new answer each time. This will help with a clean continuous flow of the conversation. I already converted your "answer" to a comment, so just something to keep in mind from here on out. Thanks and happy Splunking!
We had a few issues as well, but they were related to the syslog format. In order to help, I need to know:
- How are you collecting the data from CyberArk? Via syslog?
- Post a sample of your data.
- Which version of Splunk and the CyberArk add-on are you using?