How to forward events from Splunk Indexer to CyberArk PTA?

potnuru
Path Finder

Q: I need to forward the data from all the indexes (Windows, Linux, etc.) to CyberArk PTA via syslog or any other method from the Splunk indexer, as we don't have a HF in our environment.

I have followed the documentation given by CyberArk on the PTA Splunk integration, but it is not working for me (logs are not being forwarded to the PTA server).

Link: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/11.2/en/Content/PTA/Configuring-Splunk-Forward-...

Configuration on Indexer:

In SPLUNK_HOME/etc/system/local:

outputs.conf

[syslog:pta_syslog]
server = <PTA Server IP>:<port>
indexAndForward = true
type = tcp
timestampformat = %s
syslogSourceType = sourcetype::linux:messages

props.conf

[source::WinEventLog:Security]
TRANSFORMS-pta = pta_syslog_filter

transforms.conf

[pta_syslog_filter]
REGEX = .*EventCode=(4624|4720|4723|4724|4732).*
DEST_KEY = _SYSLOG_ROUTING
FORMAT = pta_syslog

0 Karma

richgalloway
SplunkTrust
Since we don't have the documentation given by CyberArk, please elaborate on the steps you took to forward data from Splunk to CyberArk. What part is failing? What error messages do you get?
---
If this reply helps you, Karma would be appreciated.
0 Karma

potnuru
Path Finder

Hi @richgalloway, I have updated the question with complete details; could you check and help me find the resolution?

Basically, the PTA server is listening (syslog) on some port, let's say 514.

We need to forward all the logs coming into the Splunk indexer to the PTA syslog server on some port (514).

0 Karma

richgalloway
SplunkTrust
I suspect the REGEX line in transforms.conf is to blame. The leading and trailing ".*" are not needed. Have you verified the remainder matches what you want to forward? It won't match Linux logs.
---
If this reply helps you, Karma would be appreciated.
0 Karma
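To see what a transforms.conf REGEX actually routes, here is an added Python check (not from the thread or from Splunk) that applies an ungrouped alternation and a grouped one to constructed sample events; the event text is made up for illustration.

```python
import re

# Constructed sample _raw events for illustration (not taken from the thread):
# two Windows Security events and one Linux auth line.
SAMPLE_EVENTS = [
    "03/10/2020 10:00:01 AM LogName=Security EventCode=4624 Logon Type: 3",
    "03/10/2020 10:00:02 AM LogName=Security EventCode=4688 New Process ID: 0x4720",
    "Mar 10 10:00:03 host01 sshd[1234]: Accepted publickey for admin from 10.0.0.5",
]

# Ungrouped alternation: the branches are '.*EventCode=4624', '4720', '4723',
# '4724' and '4732.*', so four of them match the bare number anywhere in _raw.
UNGROUPED_REGEX = r".*EventCode=4624|4720|4723|4724|4732.*"
# Grouped alternation: every code in the list must follow 'EventCode='.
# Splunk searches _raw unanchored, so a surrounding '.*' adds nothing.
GROUPED_REGEX = r"EventCode=(4624|4720|4723|4724|4732)"


def route_events(events, regex):
    """Return the events a transforms.conf stanza with this REGEX would send to
    DEST_KEY = _SYSLOG_ROUTING; re.search emulates Splunk's unanchored match."""
    pattern = re.compile(regex)
    return [event for event in events if pattern.search(event)]


def compare_routing(events=SAMPLE_EVENTS):
    """Route the same events through both patterns and report the difference."""
    ungrouped = route_events(events, UNGROUPED_REGEX)
    grouped = route_events(events, GROUPED_REGEX)
    return {
        "ungrouped": ungrouped,
        "grouped": grouped,
        # Events the ungrouped form forwards although their EventCode is not listed.
        "over_routed": [e for e in ungrouped if e not in grouped],
    }


if __name__ == "__main__":
    result = compare_routing()
    for label, events in result.items():
        print(f"{label}: {len(events)} event(s)")
        for event in events:
            print("   ", event)
```

Neither form matches the Linux line, since it carries no EventCode field at all.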

potnuru
Path Finder

Hi @richgalloway, the regex is working fine, and it is applied only to the Windows Events sourcetype, not to other sourcetypes.

0 Karma

suresh301086
New Member

Windows logs are parsing properly, whereas Linux/Unix logs are not parsing to PTA from Splunk.

0 Karma

potnuru
Path Finder

@suresh301086 By default, PTA doesn't support Linux events. We need to develop a custom plugin on PTA to understand Linux events.

0 Karma

suresh301086
New Member

Is it working for you?

0 Karma

potnuru
Path Finder

@suresh301086 For me, PTA functionality is working for Windows events but not for Linux events. Currently we are working on developing a custom plugin for Linux events.

Could you please share the forwarding configuration that you defined on the Splunk indexer/HF?

0 Karma

Atavius
New Member

@potnuru Could you please explain how you got those Windows events to work?

I am having exactly the same problem as you described in your first post - everything is configured per PTA documentation, but Splunk is unable to send messages to PTA.

0 Karma

potnuru
Path Finder

Hi @Atavius 

I have followed the CyberArk documentation and it worked for me for Windows Events. Please check the below configuration for your reference.

#outputs.conf

[syslog]
defaultGroup = noforward

[syslog:pta_syslog]
server = PTA-IP:514
type = tcp
timestampformat = %s
syslogSourceType = sourcetype::linux:messages

#props.conf

[source::WinEventLog:Security]
TRANSFORMS-win = pta_syslog_win

#transforms.conf

[pta_syslog_win]
REGEX = .*<your filter>*
DEST_KEY = _SYSLOG_ROUTING
FORMAT = pta_syslog

0 Karma