We're sending CyberArk Vault data to Splunk via a syslog-ng server. We have a number of sources going to the syslog server. CyberArk logs are delayed by over an hour before they are written to the directory. The other issue is that Splunk_TA_CyberArk doesn't appear to be splitting up the vault log files like it should. CyberArk is running 9.10. Splunk is running 7.0. Any help would be appreciated.
Issue was with the syslog config on CyberArk.
There is another answer, with some focus on rsyslog, here:
https://answers.splunk.com/answers/334193/splunk-add-on-for-cyberark-i-made-changes-in-props.html