Is there any documentation on creating an input for this app? (https://splunkbase.splunk.com/app/6608)
I installed the app.
Upon launching, it's asking for certificate and private key.
There is no place for me to configure the API endpoint.
Thanks,
Hello @vh ,
It took some work, but I finally got this addon up and running.
On the addon's setup screen, you need to paste the contents of the certificate and the private key generated in the CyberArk console.
The certificate and private key contents are in the following format:
-----BEGIN%20CERTIFICATE-----xxxxxxxxxxxxxxxxxx-----END%20CERTIFICATE-----%0A
To generate the necessary information in the CyberArk console, follow the procedure available at the following link:
https://docs.cyberark.com/admin-space/latest/en/content/siem-integration/siem-export-splunk.htm
After the setup, you can create the input at Settings > Data Input > CyberArk Audit for Splunk, filling in the fields with the data generated in the CyberArk console.
You can monitor the addon's operation through the logs available at:
index=_internal source="*splunkd.log" cyberark
If you need to redo the addon's setup, you can do so by clicking the "Setup" link under Apps > Manage Apps.
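Since the reply above shows the certificate and key pasted in a percent-encoded form (spaces as `%20`, a trailing newline as `%0A`), here is an added helper, not part of the add-on or of the original answers, that turns a PEM file into that shape and refuses to encode the wrong kind of block (so the private key cannot be pasted into the certificate field by mistake). The function names and the sample PEM blocks are constructed for this example; the exact encoding the add-on requires beyond what the reply shows is an assumption.

```python
"""Encode PEM material into the percent-encoded form shown on the add-on setup screen.

Added example (assumption: the expected layout is exactly the one quoted in the reply:
encoded header, base64 body with no line breaks, encoded footer, trailing %0A).
"""
import re
from urllib.parse import quote

# One PEM block: header, base64 body, matching footer (label is captured and reused).
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.S,
)

# Constructed sample material (not real keys or certificates).
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBxx\nYYYY\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"


def pem_label(pem_text: str) -> str:
    """Return the label of the single PEM block in pem_text (e.g. 'CERTIFICATE')."""
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("input does not contain a PEM block")
    return m.group("label")


def encode_pem_for_setup(pem_text: str, expected_label: str) -> str:
    """Percent-encode a PEM block for the setup form, checking it is the expected kind.

    Raises ValueError when the block is missing, has the wrong label
    (a private key offered where a certificate is expected, or vice versa),
    or has a body that is not base64.
    """
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("input does not contain a PEM block")
    label = m.group("label")
    if label != expected_label:
        raise ValueError(f"expected a {expected_label} block, got {label}")
    # Drop all whitespace inside the base64 body, as in the quoted layout.
    body = "".join(m.group("body").split())
    if not re.fullmatch(r"[A-Za-z0-9+/=]+", body):
        raise ValueError("PEM body is not base64")
    # quote() leaves '-' and letters alone and turns each space into %20.
    header = quote(f"-----BEGIN {label}-----", safe="-")
    footer = quote(f"-----END {label}-----", safe="-")
    return f"{header}{body}{footer}%0A"


if __name__ == "__main__":
    print(encode_pem_for_setup(SAMPLE_CERT, "CERTIFICATE"))
    print(encode_pem_for_setup(SAMPLE_KEY, "PRIVATE KEY"))
```

Run it against the real files with the label you expect for each field; a mismatch error means the two files were swapped, which is worth catching before the value is stored in the add-on's configuration.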
Hi @luizlimapg
Thank you for the response.
Upon launching the app for the first time, I got prompted to enter the cert and private key, which I did.
After this process, it is supposed to take me to an input page so I can fill in the rest of the information generated on the CyberArk side.
However, the Input page is showing a 404 Error instead.
I have removed and reinstalled this app a few times with no success.
The server I'm having this issue is running Splunk Enterprise version 9.3.2.
I installed this app on an older version of Splunk Enterprise, version 9.2.3, and got the expected inputs screen.
So, I'm wondering if it's a versioning issue.
I don't want to downgrade Splunk Enterprise to test this.
I plan to upgrade the problematic server to 9.4.1 later anyway (for other reasons too.)
Any more thoughts on this?
Thanks again.
Hey @vh,
Quite strange behavior. Here I'm using version 1.0.23 of the add-on and 9.2.4 of Splunk Enterprise.
You could try installing an earlier version of the add-on, it might work.
On Splunkbase, the last version that supports only Splunk Enterprise is 1.0.24; that's a good version to try.
As a last resort, you could have only the heavy forwarder running version 9.2.3 of Splunk with the add-on installed. It would work, but it's not ideal.
Let me know if it works.
I have no idea what they mean by "certificate" and "private key" since the fields are just text fields (and neither the Splunkbase page nor CyberArk's docs help here). But when you type anything in and click save, you'll get to the "add input" dialog, where you can type in stuff like API endpoint or region.
Yes, that's the expected behavior.
Instead, after entering the cert and key info, I'm redirected to a 404 error page (where it's supposed to display the input page.)
Thanks for the response.