
Splunk Add-on for CyberArk: data not parsing correctly. Alternatives or guidance?

Builder

Has anyone successfully integrated CyberArk with Splunk? I tried the add-on, but it's not useful: it's not parsing the data correctly with CIM. Is there any alternative approach for integration?


Re: Splunk Add-on for CyberArk: data not parsing correctly. Alternatives or guidance?

Super Champion

We had a few issues as well, but they were related to the syslog format. In order to help, I need to know:
- How are you collecting the data from CyberArk? Via syslog?
- Can you post a sample of your data?
- Which versions of Splunk and the CyberArk add-on are you using?


Re: Splunk Add-on for CyberArk: data not parsing correctly. Alternatives or guidance?

Builder

We are collecting data through syslog. Splunk version is 6.6.1, CIM is 4.8, and Splunk Add-on for CyberArk is 1.0.

Here's the sample event:

(sample event was posted as an image and is not reproduced here)


Re: Splunk Add-on for CyberArk: data not parsing correctly. Alternatives or guidance?

Splunk Employee

Hey @kiran331, Please be sure that when responding to someone's answer or comment, click on "Add comment," or if you're responding to someone's comment, type in the "Add your comment..." box directly below their comment. You typed your last response in the "Enter your answer here..." box at the very bottom of the page which, instead, posts a brand new answer each time. This will help with a clean continuous flow of the conversation. I already converted your "answer" to a comment, so just something to keep in mind from here on out. Thanks and happy Splunking!


Re: Splunk Add-on for CyberArk: data not parsing correctly. Alternatives or guidance?

New Member

What is your version of CyberArk PAS?
Are you trying to send syslog data from the Vault, or via a Splunk Universal Forwarder on the component servers?
If syslog, what is your configuration in dbparm.ini? And is the SplunkCIM.xsl file in the \PrivateArk\server\syslog directory with the other translator files?
If UF on a component server, which log files are you monitoring?

Here is a sample configuration that works:

[SYSLOG]
UseLegacySyslogFormat=Yes
SysLogServerIP=ipaddress of splunk indexer
SysLogServerProtocol=UDP
SysLogServerPort=514
SysLogTranslatorFile=Syslog\SplunkCIM.xsl


Re: Splunk Add-on for CyberArk: data not parsing correctly. Alternatives or guidance?

Path Finder

We are having the same issue. Did you ever get this fixed?

I've heard a suggestion from someone that it could be that the syslog message length is too short, but I cannot find any guidance from CyberArk on how to set that. Someone also suggested that it could be the UseLegacySyslogFormat parameter, but again, I'm not sure what the current settings are and am not seeing much guidance one way or the other (except for this article and its unaccepted answer).

Note - our events were correct at one time, but must have been borked with an upgrade or some other configuration change. However, we have also lost our CyberArk admin since then and the new admins are - new.


Re: Splunk Add-on for CyberArk: data not parsing correctly. Alternatives or guidance?

New Member

We did get it resolved with the assistance of Splunk Level 3 Support. We had to configure line breaking on the input.

See https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/Configureeventlinebreaking


Re: Splunk Add-on for CyberArk: data not parsing correctly. Alternatives or guidance?

Path Finder

Did you just manually break the event after msg= ?

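To make the line-breaking fix from the accepted-in-practice answer above concrete, and to answer the "break after msg=?" question, here is an added example that is not part of the thread and not Splunk's or CyberArk's own code. It emulates what Splunk's LINE_BREAKER setting does to a raw chunk of syslog text: every regex match is an event boundary, the text in capture group 1 is the delimiter and is thrown away, and whatever follows starts the next event. The sample chunk and its field layout are constructed for illustration (they are not real CyberArk or SplunkCIM.xsl output); the only assumption about the real feed is that every event begins with a syslog PRI header such as "<13>". The point it shows: breaking on every newline (Splunk's default) splits an event whose msg= value contains a newline into two fragments, one of which has no fields at all, whereas breaking only where a newline is followed by the next PRI header keeps each event whole.

```python
import re

# Constructed sample chunk (NOT real CyberArk output): three events arrive in
# one chunk, and the second event's msg= value contains an embedded newline.
SAMPLE_CHUNK = (
    "<13>Jan 10 12:00:01 vault01 CyberArk act=Retrieve password msg=Retrieve password\n"
    "<13>Jan 10 12:00:02 vault01 CyberArk act=Logon msg=Logon failed:\nbad password\r\n"
    "<13>Jan 10 12:00:03 vault01 CyberArk act=Store password msg=Store password"
)

# Splunk's default LINE_BREAKER: a boundary at every run of CR/LF.
DEFAULT_LINE_BREAKER = r"([\r\n]+)"

# Candidate for props.conf: a boundary only where the CR/LF run is followed by a
# syslog PRI header "<n>", i.e. the start of the next event. The lookahead sits
# outside the capture group, so "<n>" is kept as the first bytes of the next
# event. Assumption: every event in the feed starts with a PRI header.
PRI_ANCHORED_LINE_BREAKER = r"([\r\n]+)(?=<\d{1,3}>)"


def break_events(raw: str, line_breaker: str) -> list[str]:
    """Emulate Splunk LINE_BREAKER semantics on one raw chunk.

    Each match of the regex is a boundary. The text captured by group 1 is the
    delimiter and is discarded; text matched before group 1 stays with the
    preceding event, text after it begins the next event. Empty events are
    dropped here for readability.
    """
    pattern = re.compile(line_breaker)
    if pattern.groups < 1:
        raise ValueError("LINE_BREAKER needs one capture group (the delimiter)")
    events, pos = [], 0
    for m in pattern.finditer(raw):
        events.append(raw[pos:m.start(1)])
        pos = m.end(1)
    events.append(raw[pos:])
    return [e for e in events if e.strip()]


# Naive key=value extraction, only to show which fragments still carry fields.
# A value runs until the next " key=" token or the end of the event; re.S lets
# it span an embedded newline.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|\Z)", re.S)


def extract_fields(event: str) -> dict[str, str]:
    """Return the key=value pairs found in one event (constructed layout)."""
    return {k: v for k, v in KV_RE.findall(event)}


if __name__ == "__main__":
    for name, breaker in (("default", DEFAULT_LINE_BREAKER),
                          ("PRI-anchored", PRI_ANCHORED_LINE_BREAKER)):
        events = break_events(SAMPLE_CHUNK, breaker)
        print(f"{name}: {len(events)} events")
        for ev in events:
            print("  ", repr(ev[:40]), "->", extract_fields(ev))
```

Run stand-alone, the default breaker yields four events, the third of which is the bare fragment "bad password" with no fields, while the PRI-anchored breaker yields three events that each start with "<13>" and keep the full msg value. The equivalent props.conf change on the indexer or heavy forwarder receiving the feed is to set SHOULD_LINEMERGE = false and LINE_BREAKER = ([\r\n]+)(?=<\d{1,3}>) in the sourcetype's stanza; if your feed does not start each event with a PRI header, anchor the lookahead on whatever token does begin every event instead, rather than trying to end events after msg=.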