Splunk Search

How would I configure CyberArk TA, Search Head, and Syslog Server?

SplunkDash
Motivator

Hello,

Data in CyberArk comes through the Syslog Server, and the CyberArk TA needs to be installed on the Search Head (or Search Head Cluster) according to the Splunk web site (https://docs.splunk.com/Documentation/AddOns/released/CyberArk/Installation). I installed this TA directly on the Syslog server, but it is not working as expected. How would I configure Syslog, SHC, and CyberArk? Any help would be highly appreciated. Thank you!


gcusello
SplunkTrust

Hi @SplunkDash,

As described in the documentation, this TA must be installed on all Search Heads (clustered or not) because there are some parsing actions made at search time.

In addition, there are some parsing actions made at index time; for this reason it must also be installed on the first Heavy Forwarders (if present) between the syslog server and the Indexers.

If there isn't any HF (syslogs are taken by a Universal Forwarder that sends them to the Indexers), it must be installed on the Indexers.

Ciao.

Giuseppe

SplunkDash
Motivator

Hello @gcusello 

I uploaded one more question to the Splunk Community page with the title

"How would I assign 1 sourcetype 2 different indexes?"

I would appreciate your feedback/recommendation when you have a chance, Thank you!

SplunkDash
Motivator

Hello @gcusello

On the CyberArk TA, we are getting data through syslog servers with UFs (no HFs there) installed on them, so the data is on the syslog servers. Based on your recommendations, I am planning to install this TA on the SH and Indexer clusters. We also have deployment servers with HFs installed on them, and the syslog servers are also used as Deployment Clients. Do I also need to install this TA on the Deployment Servers as well? Thank you so much for your support in these efforts, truly appreciate it.

gcusello
SplunkTrust

Hi @SplunkDash,

you don't need to install any app or Add-On on the Deployment Server for itself.

If you have to deploy apps to UFs or HFs you have to use the DS to deploy these apps: so you have to copy the apps to deploy into $SPLUNK_HOME/etc/deployment-apps,

but you don't need to install them on it.

Ciao.

Giuseppe

SplunkDash
Motivator

@gcusello 

Thank you so much for your quick response. Just a quick question: installing apps in the SHC and Indexer cluster means unzipping the .tgz file and copying/transferring the unzipped files there, right?

gcusello
SplunkTrust

Hi @SplunkDash,

to install an App in the SHC, you have to copy it into $SPLUNK_HOME/etc/shcluster on the Deployer and deploy it following the instructions at https://docs.splunk.com/Documentation/Splunk/9.0.1/DistSearch/PropagateSHCconfigurationchanges

For the Indexer Cluster, you have to copy it into $SPLUNK_HOME/etc/master-apps on the Master Node and deploy it following the instructions at https://docs.splunk.com/Documentation/Splunk/9.0.1/Indexer/Updatepeerconfigurations

In a few words, you have to untar the Apps in the above folders and then run a command by CLI or by GUI.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated 😉
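As an added example (not code from this thread or from the Splunk add-on itself), a POSIX shell script that stages the TA tarball the way the answers above describe: into the Deployer's shcluster/apps folder for the SHC, the cluster manager's master-apps folder for the indexers, and a small inputs app under deployment-apps for the UFs on the syslog servers (the earlier Deployment Server answer). Assumed: a default $SPLUNK_HOME, a placeholder tarball name, and a placeholder log path and index name; the `splunk apply` push commands are shown as comments rather than executed.

```shell
#!/bin/sh
# Added example, not code from this thread or from the Splunk add-on itself.
# Assumed: default $SPLUNK_HOME, placeholder tarball name, placeholder
# syslog file path and index name for the UF input.
set -eu

# Return the single top-level app directory in a Splunk app tarball; fail if
# the archive has none or several (a re-packed archive often has this problem).
ta_app_name() {
    names=$(tar -tzf "$1" | cut -d/ -f1 | sort -u)
    [ -n "$names" ] || return 1
    [ "$(printf '%s\n' "$names" | wc -l | tr -d ' ')" -eq 1 ] || return 1
    printf '%s\n' "$names"
}

# Untar the app into a staging directory and print the resulting app path.
stage_ta() {
    app=$(ta_app_name "$1")
    mkdir -p "$2"
    tar -xzf "$1" -C "$2"
    [ -d "$2/$app" ] || return 1
    printf '%s\n' "$2/$app"
}

# Write a small deployment app for the UFs on the syslog servers so the
# monitored file gets the TA's sourcetype; $1=app dir, $2=log path, $3=index.
write_uf_input() {
    mkdir -p "$1/default"
    cat > "$1/default/inputs.conf" <<EOF
[monitor://$2]
sourcetype = cyberark.pta:cef
index = $3
disabled = 0
EOF
    printf '%s\n' "$1/default/inputs.conf"
}

# Stage the TA where the answers say it belongs; only runs with --run.
stage_all() {
    SPLUNK_HOME=${SPLUNK_HOME:-/opt/splunk}
    ta=splunk-add-on-for-cyberark.tgz                    # placeholder file name
    stage_ta "$ta" "$SPLUNK_HOME/etc/shcluster/apps"     # deployer -> SHC members
    stage_ta "$ta" "$SPLUNK_HOME/etc/master-apps"        # cluster manager -> indexers
    write_uf_input "$SPLUNK_HOME/etc/deployment-apps/cyberark_inputs" \
        /var/log/cyberark/cyberark.log cyberark          # deployment server -> UFs
    # Then push: splunk apply shcluster-bundle -target https://<member>:8089 -auth <user>:<pw>
    #            splunk apply cluster-bundle ; splunk reload deploy-server
}
if [ "${1:-}" = "--run" ]; then stage_all; fi
```

Splunk 9.x also accepts manager-apps in place of master-apps on the cluster manager; the push commands in the comments are the CLI counterparts of the GUI steps in the linked docs.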

SplunkDash
Motivator

Hello @gcusello 

I have one more question on CyberArk TA.

We typically have 2 types of CyberArk logs, PTA and EPV, but the CyberArk TA we have has only one source type, cyberark.pta:cef. It means that the CyberArk TA is associated with only PTA logs. My question is: if this is the case, we won't need to have EPV logs? Your thoughts and recommendation will be highly appreciated. Thank you!

gcusello
SplunkTrust

Hi @SplunkDash,

as you can read in the link you shared:

The Splunk Add-on for CyberArk allows a Splunk software administrator to pull system logs and traffic statistics from Privileged Threat Analytics (PTA) 12.2 and Enterprise Password Vault (EPV) 12.2 using syslog in Common Event Format (CEF). This add-on extracts CyberArk real-time privileged account activities (such as individual user activity when using shared accounts) into the Splunk platform and Splunk Enterprise Security, providing a single place to analyze unusual account activity.

using this TA you have both EPV and PTA logs in CEF format.

Ciao.

Giuseppe

SplunkDash
Motivator

Hello @gcusello ,

Thank you so much for the detailed clarifications. I have 2 more questions: do these PTA and EPV events come under the cyberark.pta:cef source type? I just see one source type in the CyberArk TA. And what is the latest version of the CyberArk TA? Thank you again and appreciate your support in these efforts.

gcusello
SplunkTrust

Hi @SplunkDash,

yes: using the cyberark.pta:cef sourcetype you have both PTA and EPV events.

You can find the latest version of this TA (1.2.0) at https://splunkbase.splunk.com/app/2891/

Ciao.

Giuseppe

SplunkDash
Motivator

@gcusello 

This is extraordinarily helpful, much appreciated!

SplunkDash
Motivator

Hello @gcusello,

I have a few use cases to send data from Splunk to consumers in real time, and the consumers have both Linux and Windows OS. Does Splunk have any options to do that? Or how would I do it? I also posted this question separately, but I'm sending it to you here just to make sure you have it. Any help will be highly appreciated. Thank you so much.

gcusello
SplunkTrust

Hi @SplunkDash,

this is a new and different question, so I suggest creating a new question; in this way you'll surely have a quicker and probably better answer from more people in the Community.

Anyway, what do you mean with "send data from SPLUNK to consumers in real time"?

If you mean forwarding all (or a part of) events via syslog or to another Splunk, it's possible; could you better describe your request?

Ciao.

Giuseppe