CyberArk PAM

Configure the Vault to Forward syslog Messages to PTA

The system logger of the Vault must be configured to send logging data to the PTA machine for real-time data analysis.

When PTA is configured with Vaults deployed in a distributed environment, configure the primary and satellite Vaults.

[SYSLOG]
SyslogTranslatorFile=Syslog\PTA.xsl
SyslogServerPort=<port number>
SyslogServerIP=<server IP>
SyslogServerProtocol=UDP
SyslogMessageCodeFilter=4,17,22,24,31,38,57,60,88,130,142,145,148,149,170,183,185,295,300,301,302,303,306,307,308,344,346,359,360,361,362,372,373,374,375,376,377,378,379,380,381,411,412,414,416,418,426,434,463
UseLegacySyslogFormat=No

Specify the following information:

Parameter Name

Define or Select

SyslogServerIP

The IP address(es) of the PTA machine where messages will be sent.

SyslogServerPort

The port number through which the syslog will be sent.

Specify 514 to send syslogs to the default PTA port.

SyslogServerProtocol

The protocol used to transfer the syslog records.

Specify: tcp or udp.

PTA does not support the SSL protocol.

SyslogMessageCodeFilter

Defines which message codes will be sent from the Vault Machine to PTA through Syslog protocol.

You can specify message numbers, separated by commas. You can also specify range of numbers using ‘-‘.

Message codes are sent for the following events:

Code	Activity
4	User Authentication
17	Add Safe (Unauthorized)
22	CPM Verify Password
24	CPM Change Password
31	CPM Reconcile Password
38	CPM Verify Password Failure
57	CPM Change Password Failure
60	CPM Reconcile Password Failure
88	Set Password
130	CPM Disable Password
142, 145, 148, 149, 170	Delete Safe Failure
183	Delete Safe
185	Add Safe
295	Retrieve Password
300	PSM Connect
301	PSM Connect Failure
302	PSM Disconnect
303	PSM Disconnect Failure
306, 307, 308	Use Password
344	Privileged Command Initiated
346	Privileged Command Completed
359	PSM SQL Command
360	PSM SQL Command Failure
361	PSM Keystrokes
362	PSM Keystrokes Failure
372	Terminate session
373	Terminate session Failure
374	Start Monitor session
375	Start Monitor session Failure
376	End Monitor session
377	End Monitor session Failure
378	PSM Secure Connect Session Start
379	PSM secure Connect session start Failure
380	PSM Secure Connect Session End
381	PSM secure Connect session End Failure
411	PSM Window Title
412	PSM Windows Title Failure
414	CPM Verify SSH Key
416	CPM Rotate SSH Key
418	CPM Reconcile SSH Key
426	CPM Disable SSH Key
434	CPM has deleted the public SSH key
463	Agent successfully changed the password for account

SyslogTranslatorFile

Specifies the XSL file used to parse Vault records data into Syslog protocol.

UseLegacySyslogFormat

Controls the format of the syslog message, and defines whether it will be sent in a newer syslog format (RFC 5424) or in a legacy format.

Required value: No. This enables the Vault to work with the newer syslog format.

To forward Vault syslogs to multiple machines (for instance to your SIEM solution as well as to PTA), you can specify multiple values for the following parameters and separate each value with a comma.

■

This requires a CyberArk Vault version 7.2.5 or higher.

■

All destinations must use the same port and protocol, which are specified in the SyslogServerPort and SyslogServerProtocol fields.

■

The specified values will apply to all destinations configured in SyslogServerIP, using the translator files specified in SysLogTranslatorFile.

Parameter Name	Comments
SyslogServerIP
SyslogTranslatorFile
UseLegacySyslogFormat
SyslogMessageCodeFilter	Separate multiple values with a comma, and separate sets of multiple values with a pipe-line, as shown in the example below.

The following example shows how to send different syslog messages to multiple syslog servers.

[SYSLOG]
SysLogTranslatorFile=Syslog\Arcsight.sample.xsl,Syslog\QRadar.xsl,Syslog\PTA.xsl
SyslogServerPort=<port number>
SysLogServerIP=1.1.1.1,1.1.2.2,1.1.3.3
SyslogServerProtocol=UDP
UseLegacySyslogFormat=Yes,Yes,No
SyslogMessageCodeFilter=7,8,295|295-296|295,308,7,24,31,428,361,372,373,359,436,412,411,300,302,294,427

For more detailed instructions about integrating SIEM applications, see Security Information and Event Management Applications.

[SYSLOG]
SyslogTranslatorFile=Syslog\PTA.xsl
SyslogServerPort=<port number>
SyslogServerIP=<server IP>
SyslogServerProtocol=UDP
SyslogMessageCodeFilter=295,308,7,24,31,428,361,372,373,359,436,412,411,300,302,294,427,471
UseLegacySyslogFormat=No

■

All destinations must use the same port and protocol, which are specified in the SyslogServerPort and SyslogServerProtocol fields.

■

The specified values will apply to all destinations configured in SyslogServerIP, using the translator files specified in SysLogTranslatorFile.

Parameter Name	Comments
SyslogServerIP
SyslogTranslatorFile
UseLegacySyslogFormat
SyslogMessageCodeFilter	Separate multiple values with a comma, and separate sets of multiple values with a pipe-line, as shown in the example below.

The following example shows how to send different syslog messages to multiple syslog servers.

For more detailed instructions about integrating SIEM applications, see Security Information and Event Management Applications.

Source: https://docs.cyberark.com/pam-self-hosted/11.3/en/content/pta/configuring-vault-forward-syslog-messages.htm

CyberArk PAM Integration Procedures

Please provide the following information to CyTech:

Requirements:Collect logs via syslog over UDP or TCP

*Syslog Host-> Syslog Collector IP address where the Elastic-Agent is installed.
*Syslog Port-> Port Number (Please identify if TCP or UDP)

If you need further assistance, kindly contact our support at support@cytechint.com for prompt assistance and guidance.

Revision #6
Created 16 January 2025 08:49:02 by Richmond Abella
Updated 12 February 2025 12:00:00 by Richmond Abella