Configure CyberArk to produce syslog for the Splunk Add-on for CyberArk
To enable the Splunk Add-on for CyberArk to collect data from your EPV and PTA instances, configure your CyberArk devices to produce syslog output and push it to a data collection node of your Splunk platform installation.
Configure EPV to produce syslog
- Copy the SplunkCIM.xsl file provided in the forExport folder of the Splunk Add-on for CyberArk to the folder %ProgramFiles%\PrivateArk\Server\Syslog of the Vault Server.
- Follow the instructions in "Integrating with SIEM Applications" in the Privileged Account Security Implementation Guide to configure the following syslog parameters:
  - For the SyslogTranslatorFile parameter, enter SplunkCIM.xsl (the file you copied in the previous step).
  - For the SyslogServerIP and SyslogServerPort parameters, enter the address and port of your syslog aggregator, or of a Splunk platform instance that you want to receive syslog directly. Confirm that the Vault Server can reach that host and port through any firewall in between, and that the port matches the one your syslog input listens on.
- Restart your CyberArk Vault server service so that the new syslog settings take effect.
Configure PTA to produce syslog
For PTA, see "Sending PTA syslog records to SIEM" in the Privileged Threat Analytics (PTA) Implementation Guide and follow the instructions to configure syslog output. For the Host and Port parameters, enter the address of your syslog aggregator, or specify a Splunk platform instance that you want to use to receive syslog directly.
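Once either EPV or PTA is sending, the practical check is whether the collector you named in SyslogServerIP/SyslogServerPort (or Host/Port for PTA) actually receives a well-formed event. The following script is an added example, not code from Splunk or CyberArk: it parses a syslog line carrying a CEF record and round-trips one through a local UDP listener. It assumes the translated events use BSD syslog framing and the CEF layout (`CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|extension`) over UDP; the sample event, the field values in it, and the function names `parse_syslog_cef` and `round_trip` are all constructed for this example.

```python
"""Added example (not Splunk's or CyberArk's code): parse a syslog/CEF event of the
kind the Vault emits once the SplunkCIM.xsl translator is in place, and check that a
collector actually receives one on the configured host/port."""
import re
import socket
from dataclasses import dataclass, field

# Constructed sample, NOT a captured Vault event: a BSD syslog header followed by a
# CEF record (assumed layout: CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|ext).
# Raw string, so the wire bytes contain doubled backslashes (CEF-escaped '\').
SAMPLE_EVENT = (
    r"<13>Jan 12 10:23:45 VAULT01 CEF:0|Cyber-Ark|Vault|12.6|295|Retrieve password|5|"
    r"act=Retrieve password suser=alice fname=Root\\Windows\\Administrator "
    r"dvc=10.0.0.5 shost=10.0.0.9 cs1Label=Affected User Name cs1=Administrator"
)

_SYSLOG = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$", re.S)
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")


@dataclass
class CefEvent:
    facility: int
    severity: int
    timestamp: str
    host: str
    vendor: str
    product: str
    version: str
    signature_id: str
    name: str
    cef_severity: str
    extension: dict = field(default_factory=dict)

    def labeled(self) -> dict:
        """Resolve csNLabel/csN style pairs into {label: value}."""
        out = {}
        for key, label in self.extension.items():
            if key.endswith("Label") and key[:-5] in self.extension:
                out[label] = self.extension[key[:-5]]
        return out


def _split_cef_header(body: str):
    """Split the first seven fields on unescaped pipes; a backslash-escaped pipe
    or backslash inside a header field is unescaped. The remainder is the extension."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        c = body[i]
        if c == "\\" and i + 1 < len(body):
            cur.append(body[i + 1])
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    return fields, body[i:]  # extension left raw; it has its own escaping rules


def _unescape_ext(value: str) -> str:
    # Extension escapes: '\=' -> '=', '\\' -> '\', '\n' / '\r' -> newline / CR.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(ext: str) -> dict:
    """Split 'k1=v v v k2=w' into a dict; values may contain spaces, so cut at the next key."""
    out = {}
    keys = list(_EXT_KEY.finditer(ext))
    for m, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        out[m.group(1)] = _unescape_ext(ext[m.end():end])
    return out


def parse_syslog_cef(line: str) -> CefEvent:
    m = _SYSLOG.match(line.strip())
    if not m:
        raise ValueError("not a BSD-style syslog line")
    pri, ts, host, body = int(m.group(1)), m.group(2), m.group(3), m.group(4)
    if not body.startswith("CEF:"):
        raise ValueError("payload is not CEF; check SyslogTranslatorFile on the Vault")
    hdr, ext = _split_cef_header(body)
    return CefEvent(facility=pri // 8, severity=pri % 8, timestamp=ts, host=host,
                    vendor=hdr[1], product=hdr[2], version=hdr[3], signature_id=hdr[4],
                    name=hdr[5], cef_severity=hdr[6], extension=_parse_extension(ext))


def round_trip(message: str, host: str = "127.0.0.1", timeout: float = 2.0) -> CefEvent:
    """Bind a throwaway UDP listener, send one event to it, and parse what arrives.
    Point the sender at your real SyslogServerIP/Port to test reachability instead."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind((host, 0))  # UDP assumed here; use SOCK_STREAM if you configured TCP
        rx.settimeout(timeout)
        tx.sendto(message.encode("utf-8"), rx.getsockname())
        data, _ = rx.recvfrom(65535)
    return parse_syslog_cef(data.decode("utf-8", errors="replace"))


if __name__ == "__main__":
    ev = round_trip(SAMPLE_EVENT)
    print(ev.host, ev.signature_id, ev.name, ev.extension["suser"], ev.labeled())
```

If the parser rejects what your collector receives with "payload is not CEF", the translator file is not being applied on the Vault; if nothing arrives at all within the timeout, the problem is reachability (firewall, wrong port, or UDP vs TCP mismatch) rather than the add-on.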