We had a few issues as well, but they were related to the syslog format. In order to help, we need to know:
- how you are collecting the data from CyberArk? Via syslog?
- a sample of your data
- which version of Splunk and the CyberArk Add-on you are using?
Hey @kiran331, Please be sure that when responding to someone's answer or comment, click on "Add comment," or if you're responding to someone's comment, type in the "Add your comment..." box directly below their comment. You typed your last response in the "Enter your answer here..." box at the very bottom of the page which, instead, posts a brand new answer each time. This will help with a clean continuous flow of the conversation. I already converted your "answer" to a comment, so just something to keep in mind from here on out. Thanks and happy Splunking!
What is your version of CyberArk PAS?
Are you trying to send syslog data from the Vault or via Splunk Universal Forwarder on the component servers?
If syslog, what is your configuration in the dbparm.ini? And is the SplunkCIM.xsl file in the \PrivateArk\server\syslog directory with the other translator files?
If UF on component, what log files are you monitoring?
Here is a sample configuration that works:
SysLogServerIP=ipaddress of splunk indexer
We are having the same issue. Did you ever get this fixed?
I've heard suggestions from someone that it could be that the syslog message length is too short, but I cannot find any guidance from CyberArk for how to set that. Someone also suggested that it could be the UseLegacySyslogFormat parameter, but again - not sure what the current settings are and am not seeing much guidance one way or the other (except for this article and its unaccepted answer).
Note - our events were correct at one time, but must have been borked with an upgrade or some other configuration change. However, we have also lost our CyberArk admin since then and the new admins are - new.
We did get it resolved with the assistance of Splunk Level 3 Support. We had to configure line breaking on the input.
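To show what "configure line breaking on the input" means in practice, here is an added example that is not part of the thread: a props.conf stanza (assumed; the sourcetype name and regexes are my own, not taken from the thread or from CyberArk documentation) and a small Python function that applies Splunk's LINE_BREAKER semantics to constructed CEF-style syslog events, one of which contains an embedded newline.

```python
import re

# Assumed props.conf stanza for the indexer/heavy forwarder (sourcetype name is a placeholder):
#   [cyberark:syslog]
#   SHOULD_LINEMERGE = false
#   LINE_BREAKER = ([\r\n]+)(?=<\d{1,3}>)
#   TRUNCATE = 10000
#   TIME_PREFIX = ^<\d{1,3}>
#   MAX_TIMESTAMP_LOOKAHEAD = 20
# Events are only split where a newline is followed by a syslog priority header,
# so a newline inside a message body no longer produces a bogus second event.
LINE_BREAKER = re.compile(r"([\r\n]+)(?=<\d{1,3}>)")


def split_events(raw: str, breaker: re.Pattern = LINE_BREAKER) -> list[str]:
    """Mimic Splunk LINE_BREAKER: the text matched by the first capture group is the
    delimiter and is discarded; everything else stays inside the events."""
    events, start = [], 0
    for m in breaker.finditer(raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    tail = raw[start:].rstrip("\r\n")
    if tail:
        events.append(tail)
    return events


def default_break(raw: str) -> list[str]:
    """What the stock LINE_BREAKER = ([\r\n]+) yields: every newline is a boundary."""
    return [e for e in re.split(r"[\r\n]+", raw) if e]


# Constructed sample (not real vault output): two CEF-style syslog events; the second
# carries an embedded newline in its msg field, which the default breaker splits in two.
SAMPLE = (
    "<5>Jan 10 12:00:01 vault01 CEF:0|Cyber-Ark|Vault|12.0|295|Retrieve password|5|"
    "act=Retrieve password suser=alice fname=Root\\Windows\\srv01\n"
    "<5>Jan 10 12:00:02 vault01 CEF:0|Cyber-Ark|Vault|12.0|22|CPM Verify Password|5|"
    "act=CPM Verify Password suser=PasswordManager msg=Failed to verify\nreason: timeout\n"
)

if __name__ == "__main__":
    print(len(default_break(SAMPLE)), "events with default breaking")   # 3 (one is broken)
    print(len(split_events(SAMPLE)), "events with header-anchored breaking")  # 2
```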