CyberArk PAM
Configure the Vault to Forward syslog Messages to PTA
The system logger of the Vault must be configured to send logging data to the PTA machine for real-time data analysis.
When PTA is configured with Vaults deployed in a distributed environment, configure the primary and satellite Vaults.
1. From the installation package, copy PTA.xsl to the Syslog subdirectory of the Vault installation folder. By default, the subdirectory is C:\Program Files (x86)\PrivateArk\Server\Syslog.
2. In the same server installation folder (by default C:\Program Files (x86)\PrivateArk\Server), open dbparm.ini and add the following lines:
[SYSLOG]
SyslogTranslatorFile=Syslog\PTA.xsl
SyslogServerPort=<port number>
SyslogServerIP=<server IP>
SyslogServerProtocol=UDP
SyslogMessageCodeFilter=295,308,7,24,31,428,361,372,373,359,436,412,411,300,302,294,427
UseLegacySyslogFormat=No
Specify the following information:

| Parameter Name | Define or Select |
|---|---|
| SyslogServerIP | The IP address(es) of the PTA machine where messages will be sent. |
| SyslogServerPort | The port number through which the syslog will be sent. Specify 514 to send syslogs to the default PTA port. |
| SyslogServerProtocol | The protocol used to transfer the syslog records. Specify tcp or udp. |
| SyslogMessageCodeFilter | Defines which message codes will be sent from the Vault machine to PTA through the syslog protocol. You can specify message numbers separated by commas. You can also specify a range of numbers using '-'. Message codes are sent for the following events: |
| SyslogTranslatorFile | Specifies the XSL file used to parse Vault record data into the syslog protocol. |
| UseLegacySyslogFormat | Controls the format of the syslog message, and defines whether it will be sent in the newer syslog format (RFC 5424) or in the legacy format. Required value: No. This enables the Vault to work with the newer syslog format. |
3. To forward Vault syslogs to multiple machines (for instance, to your SIEM solution as well as to PTA), you can specify multiple values for the following parameters, separating each value with a comma.
■ This requires CyberArk Vault version 7.2.5 or higher.
■ All destinations must use the same port and protocol, which are specified in the SyslogServerPort and SyslogServerProtocol fields.
■ The specified values apply to all destinations configured in SyslogServerIP, using the translator files specified in SyslogTranslatorFile.

| Parameter Name | Comments |
|---|---|
| SyslogServerIP | Separate multiple values with a comma. |
| SyslogTranslatorFile | Separate multiple values with a comma. |
| UseLegacySyslogFormat | Separate multiple values with a comma. |
| SyslogMessageCodeFilter | Separate multiple values with a comma, and separate sets of multiple values with a pipe character, as shown in the example below. |
The following example shows how to send different syslog messages to multiple syslog servers.
[SYSLOG]
SysLogTranslatorFile=Syslog\Arcsight.sample.xsl,Syslog\QRadar.xsl,Syslog\PTA.xsl
SyslogServerPort=<port number>
SysLogServerIP=1.1.1.1,1.1.2.2,1.1.3.3
SyslogServerProtocol=UDP
UseLegacySyslogFormat=Yes,Yes,No
SyslogMessageCodeFilter=7,8,295|295-296|295,308,7,24,31,428,361,372,373,359,436,412,411,300,302,294,427
4. Save the file and close it.
5. Restart the Vault.
For more detailed instructions about integrating SIEM applications, see Security Information and Event Management Applications.
1. The PTA syslog parameters are available in the dbparm.sample.ini file. Copy the parameters to the dbparm.ini configuration file.
[SYSLOG]
SyslogTranslatorFile=Syslog\PTA.xsl
SyslogServerPort=<port number>
SyslogServerIP=<server IP>
SyslogServerProtocol=UDP
SyslogMessageCodeFilter=295,308,7,24,31,428,361,372,373,359,436,412,411,300,302,294,427,471
UseLegacySyslogFormat=No
2. To forward Vault syslogs to multiple machines (for instance, to your SIEM solution as well as to PTA), you can specify multiple values for the following parameters, separating each value with a comma.
■ All destinations must use the same port and protocol, which are specified in the SyslogServerPort and SyslogServerProtocol fields.
■ The specified values apply to all destinations configured in SyslogServerIP, using the translator files specified in SyslogTranslatorFile.

| Parameter Name | Comments |
|---|---|
| SyslogServerIP | Separate multiple values with a comma. |
| SyslogTranslatorFile | Separate multiple values with a comma. |
| UseLegacySyslogFormat | Separate multiple values with a comma. |
| SyslogMessageCodeFilter | Separate multiple values with a comma, and separate sets of multiple values with a pipe character, as shown in the example below. |
The following example shows how to send different syslog messages to multiple syslog servers.
[SYSLOG]
SysLogTranslatorFile=Syslog\Arcsight.sample.xsl,Syslog\QRadar.xsl,Syslog\PTA.xsl
SyslogServerPort=<port number>
SysLogServerIP=1.1.1.1,1.1.2.2,1.1.3.3
SyslogServerProtocol=UDP
UseLegacySyslogFormat=Yes,Yes,No
SyslogMessageCodeFilter=7,8,295|295-296|295,308,7,24,31,428,361,372,373,359,436,412,411,300,302,294,427,471
3. To send secured syslog data to PTA, see Configure Vault Trusted Connection to PTA.
4. Save the file and close it.
5. Restart the Vault.
For more detailed instructions about integrating SIEM applications, see Security Information and Event Management Applications.
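The multi-destination step in both procedures above relies on several comma-separated lists lining up position by position, and on the PTA entry keeping UseLegacySyslogFormat=No. A mismatch is easy to introduce by hand and only shows up later as PTA silently receiving nothing. The following Python script is an added example, not CyberArk code: it reads the [SYSLOG] section with the standard-library configparser (the key=value lines shown above are plain INI syntax), expands the SyslogMessageCodeFilter number and range notation, and reports the inconsistencies the page's own rules forbid before you restart the Vault. The sample dbparm.ini text inside it is constructed, with documentation-range addresses rather than real hosts.

```python
"""Sanity-check the [SYSLOG] section of a Vault dbparm.ini before restarting
the Vault.  Added example; not part of the CyberArk product or documentation."""
import configparser
from typing import Dict, List, Set

# Constructed sample modelled on the multi-destination example above.
# 192.0.2.x are documentation addresses, not real hosts.
SAMPLE_DBPARM = r"""
[SYSLOG]
SysLogTranslatorFile=Syslog\Arcsight.sample.xsl,Syslog\QRadar.xsl,Syslog\PTA.xsl
SyslogServerPort=514
SysLogServerIP=192.0.2.1,192.0.2.2,192.0.2.3
SyslogServerProtocol=UDP
UseLegacySyslogFormat=Yes,Yes,No
SyslogMessageCodeFilter=7,8,295|295-296|295,308,7,24,31,428,361,372,373,359,436,412,411,300,302,294,427
"""

PTA_TRANSLATOR = r"Syslog\PTA.xsl"  # translator file named in the procedure above


def parse_syslog_section(text: str) -> Dict[str, str]:
    """Return the [SYSLOG] parameters with lower-cased keys, so that the
    SyslogServerIP / SysLogServerIP spellings used in the docs both match."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str.lower
    cp.read_string(text)
    if not cp.has_section("SYSLOG"):
        raise ValueError("no [SYSLOG] section found")
    return {key: value.strip() for key, value in cp.items("SYSLOG")}


def expand_code_filter(spec: str) -> Set[int]:
    """Expand one SyslogMessageCodeFilter set such as '7,8,295-296' into
    {7, 8, 295, 296}.  Raises ValueError on an empty entry or a bad range."""
    codes: Set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty message code entry")
        if "-" in item:
            lo, hi = (int(part) for part in item.split("-", 1))
            if lo > hi:
                raise ValueError(f"descending range {item!r}")
            codes.update(range(lo, hi + 1))
        else:
            codes.add(int(item))
    return codes


def validate_syslog_config(params: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the section is consistent."""
    required = ("syslogtranslatorfile", "syslogserverport", "syslogserverip",
                "syslogserverprotocol", "syslogmessagecodefilter",
                "uselegacysyslogformat")
    missing = [key for key in required if key not in params]
    if missing:
        return [f"missing parameter(s): {', '.join(missing)}"]
    problems: List[str] = []

    ips = [s.strip() for s in params["syslogserverip"].split(",")]
    files = [s.strip() for s in params["syslogtranslatorfile"].split(",")]
    legacy = [s.strip().lower() for s in params["uselegacysyslogformat"].split(",")]
    filters = params["syslogmessagecodefilter"].split("|")

    # Every destination in SyslogServerIP needs its own translator file,
    # legacy-format flag and code filter set, in the same list position.
    for name, values in (("SyslogTranslatorFile", files),
                         ("UseLegacySyslogFormat", legacy),
                         ("SyslogMessageCodeFilter", filters)):
        if len(values) != len(ips):
            problems.append(f"{name} lists {len(values)} value(s) but "
                            f"SyslogServerIP lists {len(ips)} destination(s)")

    # Port and protocol are shared by all destinations and must be real values,
    # not the <port number> placeholder left over from the template.
    port = params["syslogserverport"]
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append(f"SyslogServerPort {port!r} is not a valid port number")
    if params["syslogserverprotocol"].lower() not in ("tcp", "udp"):
        problems.append("SyslogServerProtocol must be TCP or UDP")

    # Each code filter set must parse (numbers and ascending ranges only).
    for index, spec in enumerate(filters, start=1):
        try:
            expand_code_filter(spec)
        except ValueError as exc:
            problems.append(f"destination {index}: bad SyslogMessageCodeFilter ({exc})")

    # The PTA destination must use the RFC 5424 format (UseLegacySyslogFormat=No).
    pta_slots = [i for i, f in enumerate(files) if f.lower() == PTA_TRANSLATOR.lower()]
    if not pta_slots:
        problems.append("no destination uses the PTA translator file")
    for i in pta_slots:
        if i < len(legacy) and legacy[i] != "no":
            problems.append(f"destination {i + 1} uses PTA.xsl but "
                            "UseLegacySyslogFormat is not No")
    return problems


if __name__ == "__main__":
    issues = validate_syslog_config(parse_syslog_section(SAMPLE_DBPARM))
    print("OK" if not issues else "\n".join(issues))
```

To check a real file, replace SAMPLE_DBPARM with the contents of dbparm.ini; the checks only cover the rules stated on this page (shared port and protocol, one value per destination, No for the PTA entry, parseable code filters), so a clean result means the section is internally consistent, not that the PTA machine is reachable.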
Source: https://docs.cyberark.com/pam-self-hosted/11.3/en/content/pta/configuring-vault-forward-syslog-messages.htm