To configure the CyberArk Vault to forward syslog events, edit the dbparm.ini file on the Vault server and set the parameters in its [SYSLOG] section as described below.
Procedure
1. Log in to your CyberArk Vault server.
2. The PTA (Privileged Threat Analytics) syslog parameters are provided in the dbparm.sample.ini file. Copy them into the [SYSLOG] section of the dbparm.ini configuration file, replacing <Forwarder IP> with the address of your syslog forwarder:
[SYSLOG]
SyslogTranslatorFile=Syslog\PTA.xsl
SyslogServerPort=11718
SyslogServerIP=<Forwarder IP>
SyslogServerProtocol=UDP
SyslogMessageCodeFilter=295,308,7,24,31,428,361,372,373,359,436,412,411,300,302,294,427,471
UseLegacySyslogFormat=No
3. To forward Vault syslog to multiple machines (for example, to your SIEM as well as to PTA), specify multiple values for the following parameters and separate each value with a comma. Note that:
- All destinations must use the same port and protocol, specified once in the SyslogServerPort and SyslogServerProtocol fields.
- The per-destination values are positional: the nth address in SyslogServerIP receives messages formatted with the nth translator file in SyslogTranslatorFile, the nth UseLegacySyslogFormat flag and the nth SyslogMessageCodeFilter group. In SyslogMessageCodeFilter the groups for the different destinations are separated with "|", the codes within a group with ",", and a range of codes is written as 295-296.
- The following example sends different syslog messages to three syslog servers:
[SYSLOG]
SysLogTranslatorFile=Syslog\Arcsight.sample.xsl,Syslog\QRadar.xsl,Syslog\PTA.xsl
SyslogServerPort=11718
SysLogServerIP=1.1.1.1,1.1.2.2,1.1.3.3
SyslogServerProtocol=UDP
UseLegacySyslogFormat=Yes,Yes,No
SyslogMessageCodeFilter=7,8,295|295-296|295,308,7,24,31,428,361,372,373,359,436,412,411,300,302,294,427,471
4. To send syslog data to PTA over a secured connection rather than plain UDP, see Configure Vault Trusted Connection to PTA in the reference links below.
5. Save the file and close it.
6. Restart the Vault.
7. Once the configuration is complete, validate that the events arrive in Chronicle: search with a regular expression such as (".*") or with the Vault's hostname to list the log source types being ingested. The original article included a screenshot of this search for reference.
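A misconfiguration that is easy to make in step 3 is a mismatch between the number of entries in SyslogServerIP and the number of translator files, legacy-format flags or filter groups, which silently pairs the wrong translator or filter with a destination. The following checker is an added example written for this article, not CyberArk code: it parses the multi-destination [SYSLOG] section shown above, expands the code filters (including ranges), enforces the one-port-one-protocol rule and the positional pairing, and warns when a destination is reached over cleartext UDP. It assumes that dbparm.ini keys are case-insensitive (the article itself mixes SyslogTranslatorFile and SysLogTranslatorFile) and that a per-destination field with a single value applies to every destination; the sample INI embedded in it is the article's own three-destination example.

```python
"""Consistency checker for the multi-destination [SYSLOG] section of dbparm.ini.

Hypothetical helper written for this article; it is not CyberArk code. Assumptions:
  * keys are matched case-insensitively;
  * per-destination values are positional (nth IP <-> nth translator, legacy flag,
    filter group), and a field with a single value applies to every destination;
  * filter groups are separated by '|', codes by ',', ranges written as lo-hi,
    exactly as in the article's example.
"""
from __future__ import annotations

import configparser
from dataclasses import dataclass

# Constructed sample: the three-destination example from the article.
SAMPLE_INI = """\
[SYSLOG]
SysLogTranslatorFile=Syslog\\Arcsight.sample.xsl,Syslog\\QRadar.xsl,Syslog\\PTA.xsl
SyslogServerPort=11718
SysLogServerIP=1.1.1.1,1.1.2.2,1.1.3.3
SyslogServerProtocol=UDP
UseLegacySyslogFormat=Yes,Yes,No
SyslogMessageCodeFilter=7,8,295|295-296|295,308,7,24,31,428,361,372,373,359,436,412,411,300,302,294,427,471
"""


@dataclass(frozen=True)
class Destination:
    ip: str
    translator: str
    legacy_format: bool
    codes: frozenset[int]  # empty set means "no filter": every code is forwarded


def expand_codes(group: str) -> frozenset[int]:
    """'7,8,295-296' -> {7, 8, 295, 296}; '' -> empty set (no filter)."""
    codes: set[int] = set()
    for token in (t.strip() for t in group.split(",")):
        if not token:
            continue
        if "-" in token:
            lo, hi = (int(x) for x in token.split("-", 1))
            if lo > hi:
                raise ValueError(f"inverted code range {token!r}")
            codes.update(range(lo, hi + 1))
        else:
            codes.add(int(token))
    return frozenset(codes)


def _split(value: str) -> list[str]:
    return [x.strip() for x in value.split(",")] if value.strip() else []


def _per_destination(values: list[str], n: int, name: str) -> list[str]:
    """Broadcast a single value to n destinations, otherwise require exactly n."""
    if len(values) == 1:
        return values * n
    if len(values) != n:
        raise ValueError(f"{name} has {len(values)} values but SyslogServerIP has {n}")
    return values


def parse_syslog_section(ini_text: str) -> tuple[list[Destination], list[str]]:
    """Return (destinations, warnings); raise ValueError on a structural error."""
    cp = configparser.ConfigParser(interpolation=None)  # optionxform lowercases keys
    cp.read_string(ini_text)
    sec = cp["SYSLOG"]

    ips = _split(sec.get("SyslogServerIP", ""))
    if not ips:
        raise ValueError("SyslogServerIP is empty")
    n = len(ips)
    translators = _per_destination(_split(sec.get("SyslogTranslatorFile", "")), n, "SyslogTranslatorFile")
    legacy = _per_destination(_split(sec.get("UseLegacySyslogFormat", "No")), n, "UseLegacySyslogFormat")
    groups = _per_destination(sec.get("SyslogMessageCodeFilter", "").split("|"), n, "SyslogMessageCodeFilter")

    # Port and protocol are shared by every destination (step 3 of the article).
    port = int(sec.get("SyslogServerPort", "0"))
    if not 1 <= port <= 65535:
        raise ValueError(f"SyslogServerPort {port} out of range")
    protocol = sec.get("SyslogServerProtocol", "").strip().upper()
    if protocol not in {"UDP", "TCP"}:
        raise ValueError(f"unsupported SyslogServerProtocol {protocol!r}")

    warnings: list[str] = []
    if protocol == "UDP":
        warnings.append("UDP syslog is cleartext and unauthenticated; "
                        "use the Vault trusted connection for PTA (step 4)")
    if len(set(ips)) != n:
        warnings.append("duplicate SyslogServerIP entries")

    dests: list[Destination] = []
    for ip, xsl, flag, group in zip(ips, translators, legacy, groups):
        if flag.lower() not in {"yes", "no"}:
            raise ValueError(f"UseLegacySyslogFormat must be Yes/No, got {flag!r}")
        is_legacy = flag.lower() == "yes"
        # The article's PTA example pairs PTA.xsl with UseLegacySyslogFormat=No.
        if xsl.lower().endswith("pta.xsl") and is_legacy:
            warnings.append(f"{ip}: PTA.xsl configured with the legacy syslog format")
        dests.append(Destination(ip, xsl, is_legacy, expand_codes(group)))
    return dests, warnings


def is_consistent(ini_text: str) -> bool:
    """True when the [SYSLOG] section parses without a structural error."""
    try:
        parse_syslog_section(ini_text)
    except (ValueError, KeyError):
        return False
    return True


if __name__ == "__main__":
    destinations, notes = parse_syslog_section(SAMPLE_INI)
    for d in destinations:
        print(f"{d.ip:<10} {d.translator:<28} legacy={d.legacy_format} "
              f"codes={sorted(d.codes) or 'ALL'}")
    for note in notes:
        print("WARNING:", note)
```

Run it against a copy of your dbparm.ini before restarting the Vault (step 6); an exception points at the field whose entry count does not match SyslogServerIP, and the UDP warning is the cue to use the trusted connection from step 4 for the PTA destination.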
Reference Links:
Import your Organization's SSL Certificate
Configure Vault Trusted Connection to PTA