Splunk® Supported Add-ons

Splunk Add-on for CyberArk


Configure CyberArk to produce syslog for the Splunk Add-on for CyberArk

To enable the Splunk Add-on for CyberArk to collect data from your EPV and PTA instances, you need to configure your CyberArk devices to produce syslog output and push it to a data collection node of your Splunk platform installation.

Configure EPV to produce syslog

For EPV, apply the translator file provided in the forExport folder of the Splunk Add-on for CyberArk, then see "Integrating with SIEM Applications" in the Privileged Account Security Implementation Guide to configure syslog output.

1. Copy the SplunkCIM.xsl file to the folder %ProgramFiles%\PrivateArk\Server\Syslog of the Vault Server.

2. Follow the instructions in "Integrating with SIEM Applications" in the Privileged Account Security Implementation Guide to configure the DBParm.ini.

3. For the SyslogTranslatorFile parameter, enter SplunkCIM.xsl.

4. For the SyslogServerIP and SyslogServerPort parameters, enter the address of your SC4S server (recommended) or syslog aggregator or specify a Splunk platform instance that you want to use to receive syslog directly.

5. Restart your CyberArk Vault server service.

Configure PTA to produce syslog

For PTA, see "Sending PTA syslog records to SIEM" in the Privileged Threat Analytics (PTA) Implementation Guide and follow the instructions to configure syslog output. For the Host and Port parameters, enter the address of your SC4S server (recommended) or syslog aggregator, or specify a Splunk platform instance that you want to use to receive syslog directly.

Last modified on 10 March, 2021

This documentation applies to the following versions of Splunk® Supported Add-ons: released

