Hello,
Data in CyberArk comes through the Syslog Server, and the CyberArk TA needs to be installed on the Search Head (or search head cluster) based on the SPLUNK web site (https://docs.splunk.com/Documentation/AddOns/released/CyberArk/Installation). I installed this TA directly on the Syslog server, but it is not working as expected. How would I configure Syslog, SHC, and CyberArk? Any help would be highly appreciated. Thank you!
Hi @SplunkDash,
As described in documentation, this TA must be installed in all Search Heads (clustered or not) because there are some parsing actions made at search time.
In addition, there are some parsing actions made at index time, for this reason it must be also installed on the first Heavy Forwarders (if present) between the syslog server and Indexers.
If there isn't any HF (syslogs are taken by a Universal Forwarder that sends them to Indexers), it must be installed on Indexers.
Ciao.
Giuseppe
Hello @gcusello
I uploaded one more question on the SPLUNK community page with the title
"How would I assign 1 sourcetype 2 different indexes?"
I would appreciate your feedback/recommendation when you have a chance, Thank you!
Hello @gcusello
On the CyberArk TA, we are getting data through syslog servers with UFs (no HFs there) installed on them, so data is in the syslog servers. Based on your recommendations, I am planning to install this TA on the SH and Indexer clusters. We also have deployment servers with HFs installed on them, and the syslog servers are also used as Deployment Clients. Do I also need to install this TA on the Deployment Servers as well? Thank you so much for your support in these efforts, truly appreciate it.
Hi @SplunkDash,
you don't need to install any app or Add-On on the Deployment Server for itself;
if you have to deploy apps to UFs or HFs you have to use the DS to deploy these apps, so you have to copy the apps to deploy into $SPLUNK_HOME/etc/deployment-apps,
but you don't need to install them on it.
Ciao.
Giuseppe
Thank you so much for your quick response. Just a quick question: installing apps in the SHC and Indexer cluster means unzipping the .tgz file and copying/transferring the unzipped files there, right?
Hi @SplunkDash,
to install an App in SHC, you have to copy it in the $SPLUNK_HOME/etc/shcluster of the Deployer and deploy it following the instructions at https://docs.splunk.com/Documentation/Splunk/9.0.1/DistSearch/PropagateSHCconfigurationchanges
For an indexer Cluster, you have to copy it into $SPLUNK_HOME/etc/master-apps of the master Node and deploy it following the instructions at https://docs.splunk.com/Documentation/Splunk/9.0.1/Indexer/Updatepeerconfigurations
In a few words, you have to untar the Apps in the above folders and then run a command by CLI or by GUI.
Ciao.
Giuseppe
P.S.: Karma Points are appreciated 😉
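To make the staging step above concrete, here is a small shell helper for the two cluster roles. It is an added example, not part of the thread or of the Splunk documentation: it unpacks an add-on tarball into the bundle directory for the role (`$SPLUNK_HOME/etc/shcluster/apps` on the Deployer, `$SPLUNK_HOME/etc/master-apps` on the manager node), refuses archives with path-traversal entries or more than one top-level app directory, checks that the unpacked app has a `default/app.conf`, and prints the CLI that pushes the bundle rather than running it. `SPLUNK_HOME`, the sample tarball and the `<any-shc-member>` host are assumptions; the sample add-on it builds is constructed for the demonstration and stands in for the real Splunk_TA_cyberark from Splunkbase.

```shell
#!/usr/bin/env bash
# Stage a Splunk add-on tarball for a search head cluster (Deployer) or an
# indexer cluster (manager node) and print the apply command.
# Added example; SPLUNK_HOME and the tarball name are assumptions.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Refuse archives with absolute paths or ".." components, or that do not
# unpack into exactly one top-level app directory. Prints the app name.
check_tarball() {
    local tgz="$1" entries tops
    entries=$(tar -tzf "$tgz")
    if printf '%s\n' "$entries" | grep -Eq '(^/|^\.\./|/\.\./|/\.\.$)'; then
        echo "refusing $tgz: unsafe path in archive" >&2
        return 1
    fi
    tops=$(printf '%s\n' "$entries" | cut -d/ -f1 | sort -u | wc -l | tr -d ' ')
    if [ "$tops" -ne 1 ]; then
        echo "refusing $tgz: expected one top-level app directory, found $tops" >&2
        return 1
    fi
    printf '%s\n' "$entries" | cut -d/ -f1 | sort -u
}

# Unpack into the bundle directory for the chosen role and print its path.
#   shc -> $SPLUNK_HOME/etc/shcluster/apps  (run on the Deployer)
#   idx -> $SPLUNK_HOME/etc/master-apps     (run on the manager node)
stage_app() {
    local tgz="$1" role="$2" dest app
    case "$role" in
        shc) dest="$SPLUNK_HOME/etc/shcluster/apps" ;;
        idx) dest="$SPLUNK_HOME/etc/master-apps" ;;
        *) echo "unknown role: $role" >&2; return 1 ;;
    esac
    app=$(check_tarball "$tgz") || return 1
    mkdir -p "$dest"
    tar -xzf "$tgz" -C "$dest"
    # A packaged add-on ships its settings in default/; a local/ directory in
    # a distributed bundle usually means a copy was edited by hand.
    [ -f "$dest/$app/default/app.conf" ] || { echo "$app has no default/app.conf" >&2; return 1; }
    [ ! -d "$dest/$app/local" ] || echo "warning: $app contains local/, review before pushing" >&2
    printf '%s\n' "$dest/$app"
}

# Print (do not run) the CLI that distributes the staged bundle, so the
# operator can review the staged files first.
apply_command() {
    case "$1" in
        shc) echo "$SPLUNK_HOME/bin/splunk apply shcluster-bundle -target https://<any-shc-member>:8089" ;;
        idx) echo "$SPLUNK_HOME/bin/splunk validate cluster-bundle && $SPLUNK_HOME/bin/splunk apply cluster-bundle" ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# Constructed sample: build a throwaway add-on tarball so the helper can be
# exercised offline. The real Splunk_TA_cyberark comes from Splunkbase.
make_sample_tgz() {
    local work="$1" name="$2"
    mkdir -p "$work/$name/default"
    printf '[install]\nis_configured = 0\n' > "$work/$name/default/app.conf"
    tar -czf "$work/$name.tgz" -C "$work" "$name"
    printf '%s\n' "$work/$name.tgz"
}

# Offline demonstration writing only under a temporary SPLUNK_HOME.
demo() {
    local work tgz
    work=$(mktemp -d)
    SPLUNK_HOME="$work/splunk"
    tgz=$(make_sample_tgz "$work" Splunk_TA_cyberark)
    echo "staged: $(stage_app "$tgz" shc)"
    echo "next:   $(apply_command shc)"
}
demo
```

On a real system, run it as the splunk user on the Deployer or manager node with `SPLUNK_HOME` pointing at the installation, then execute the printed `splunk apply ...` command, which is the CLI equivalent of the "run a command by CLI or by GUI" step in the documentation links above.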
Hello @gcusello
I have one more question on CyberArk TA.
We typically have 2 types of CyberArk logs, PTA and EPV, but the CyberArk TA we have has only one source type, cyberark.pta:cef. It means that the CyberArk TA is associated with only PTA logs. My question is, if this is the case, we won't need to have EPV logs? Your thoughts and recommendation will be highly appreciated. Thank you!
Hi @SplunkDash,
as you can read in the link you shared:
The Splunk Add-on for CyberArk allows a Splunk software administrator to pull system logs and traffic statistics from Privileged Threat Analytics (PTA) 12.2 and Enterprise Password Vault (EPV) 12.2 using syslog in Common Event Format (CEF). This add-on extracts CyberArk real-time privileged account activities (such as individual user activity when using shared accounts) into the Splunk platform and Splunk Enterprise Security, providing a single place to analyze unusual account activity.
using this TA you have both EPV and PTA logs in CEF format.
Ciao.
Giuseppe
Hello @gcusello ,
Thank you so much for the detailed clarifications. I have 2 more questions: do these PTA and EPV events come under the cyberark.pta:cef source type? I just see one source type in the CyberArk TA. And what is the latest version of the CyberArk TA? Thank you again, and I appreciate your support in these efforts.
Hi @SplunkDash,
yes: using the cyberark.pta:cef sourcetype you have both PTA and EPV events.
You can find the latest version of this TA (1.2.0) at https://splunkbase.splunk.com/app/2891/
Ciao.
Giuseppe
This is extraordinarily helpful, much appreciated!
Hello @gcusello,
I have a few use cases to send data from SPLUNK to consumers in real time, and the consumers have both Linux and Windows OS. Does SPLUNK have any options to do that? Or how would I do it? I also posted this question, but I'm sending it to you here just to make sure you have it. Any help will be highly appreciated. Thank you so much.
Hi @SplunkDash,
this is a new and different question, so I suggest creating a new question; in this way you'll surely have a quicker and probably better answer from more people in the Community.
Anyway, what do you mean with "send data from SPLUNK to consumers in real time"?
If you mean forwarding all (or a part of) events via syslog or to another Splunk, it's possible; could you better describe your request?
Ciao.
Giuseppe