Splunk® Supported Add-ons

Splunk Add-on for CyberArk


Configure inputs for Splunk Add-on for CyberArk

The Splunk Add-on for CyberArk handles inputs through syslog. There are three ways to capture this data.

1. Use Splunk Connect for Syslog (SC4S). This is the recommended option.

2. Use a syslog aggregator with a Splunk forwarder installed on it. Configure a monitor input to monitor the file or files generated by the aggregator.

3. Create a set of TCP or UDP inputs to capture the data sent on the ports you have configured in CyberArk.


Splunk Connect for Syslog

Splunk recommends that you use Splunk Connect for Syslog (SC4S) for data collection. Follow the steps in the documentation linked below to configure SC4S for CyberArk.

https://splunk.github.io/splunk-connect-for-syslog/main/sources/vendor/CyberArk/epv/

Monitor input

If you are using a syslog aggregator, install a forwarder on that machine and set up two monitor inputs to monitor the files that the aggregator generates. Set the source type to cyberark:epv:cef for the output from EPV and cyberark:pta:cef for the output from PTA. The CIM mapping depends on these source types.

See Monitor files and directories in the Getting Data In manual for information about setting up a monitor input.

TCP/UDP input

On the Splunk platform node that handles data collection, configure two inputs that match the protocol and port configuration in CyberArk. PTA only supports UDP. EPV supports either TCP or UDP; use TCP if possible, because UDP does not guarantee delivery and logs may be lost in transit. Match the protocol for EPV to the one you configured in the CyberArk Admin Console.

Set your source type to cyberark:epv:cef for the output from EPV and cyberark:pta:cef for the output from PTA. The CIM mapping is dependent on these source types.

For information on how to configure a Splunk forwarder or single-instance to receive a syslog input using the CLI for the configuration files, see Get data from TCP and UDP ports in the Getting Data In manual. You can also configure syslog inputs using the Splunk Web UI if you have access to Splunk Web on your collection node as described in Monitor network ports in the Getting Data In manual.
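The following inputs.conf fragment is an added example that is not part of this documentation topic. It shows both the monitor-input option and the TCP/UDP option side by side with the source types the CIM mapping requires. The file paths, port numbers and index name are assumptions; the ports must match what was configured in the CyberArk Admin Console, and the index must exist on the indexers. Deploy only one of the two options for a given data stream, otherwise the same events are ingested twice.

```ini
# Added example inputs.conf (not from the Splunk Add-on for CyberArk docs).
# Paths, ports and the index name are assumptions for illustration.

# Option 2: monitor inputs on a syslog aggregator that has a forwarder installed.
# The aggregator is assumed to write EPV and PTA output to separate files so that
# each file can carry the source type the CIM mapping depends on.
[monitor:///var/log/syslog-ng/cyberark/epv.log]
sourcetype = cyberark:epv:cef
index = cyberark
disabled = 0

[monitor:///var/log/syslog-ng/cyberark/pta.log]
sourcetype = cyberark:pta:cef
index = cyberark
disabled = 0

# Option 3: network inputs on the collection node.
# EPV: TCP is preferred because UDP does not guarantee delivery.
# The port (assumed here) must match the EPV syslog configuration in CyberArk.
[tcp://1514]
sourcetype = cyberark:epv:cef
index = cyberark
connection_host = ip
disabled = 0

# PTA only supports UDP. no_appending_timestamp stops Splunk from prepending
# its own timestamp to each UDP datagram, so the CEF line is parsed as sent.
[udp://1515]
sourcetype = cyberark:pta:cef
index = cyberark
connection_host = ip
no_appending_timestamp = true
disabled = 0
```

Place the file in a local directory of an app on the forwarder or collection node (for example, the add-on's local directory) and restart or reload the instance. If a monitor input and a network input both carry the same stream, remove one of them; the validation search in the next section will show duplicate counts per source type otherwise.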

Validate data collection

Once you have configured the inputs, run this search to check that you are ingesting the data that you expect.

sourcetype=cyberark:*

Last modified on 01 June, 2022

This documentation applies to the following versions of Splunk® Supported Add-ons: released

