Splunk Add-on for CyberArk


Complete the following steps to install and configure this add-on:

  • Review the Hardware and software requirements for the Splunk Add-on for CyberArk
  • Install the Splunk Add-on for CyberArk.
  • Configure CyberArk to produce syslog for the Splunk Add-on for CyberArk.
  • Configure inputs for Splunk Add-on for CyberArk.

How to install the Splunk Add-on for CyberArk

  • Download the Splunk Add-on for CyberArk from http://splunkbase.splunk.com/app/2891, or browse to it using the app browser within Splunk Web.
  • Determine where and how to install this add-on, using the tables on this page.
  • Perform any prerequisite steps before installing, if required and indicated in the tables below.
  • Complete your installation.

Distributed deployments:

Use the tables below to find where and how to install this add-on in a distributed deployment of Splunk Enterprise, or in any deployment in which you use forwarders to get your data in. Depending on your environment, your preferences, and the requirements of the add-on, you may need to install the add-on in multiple places.

Where to install this add-on

Unless otherwise noted, all supported add-ons can be safely installed to all tiers of a distributed Splunk platform deployment. See Where to install Splunk add-ons in Splunk Add-ons for more information.

This table provides a reference for installing this specific add-on to a distributed deployment of Splunk Enterprise.

Splunk instance type  | Supported | Required | Comments
Search Heads          | Yes       | Yes      | Install this add-on on all search heads where CyberArk knowledge management is required.
Indexers              | Yes       | No       | Not required, as this add-on does not include any index-time operations.
Heavy Forwarders      | Yes       | -        | All forwarder types are supported.
Universal Forwarders  | Yes       | -        | All forwarder types are supported.
Light Forwarders      | Yes       | -        | All forwarder types are supported.

Distributed deployment feature compatibility

This table describes the compatibility of this add-on with Splunk distributed deployment features.

Distributed deployment feature | Supported | Action Required
Search Head Clusters           | Yes       | You can install this add-on on a search head cluster for all search-time functionality, but configure inputs only on a forwarder to avoid duplicate data collection. Before installing this add-on to a cluster, remove the eventgen.conf file and all files in the samples folder.
Indexer Clusters               | Yes       | Before installing this add-on to a cluster, remove the eventgen.conf file and all files in the samples folder.
Deployment Server              | Yes       | Supported for deploying the configured add-on to multiple nodes.

Installation walkthroughs

The Splunk Add-Ons manual includes an Installing add-ons guide that helps you successfully install any Splunk-supported add-on to your Splunk platform.

For a walkthrough of the installation procedure, follow the link that matches your deployment scenario:

  • Single-instance Splunk Enterprise
  • Distributed Splunk Enterprise
  • Splunk Cloud
  • Splunk Light

Configure CyberArk to produce syslog for the Splunk Add-on for CyberArk

To enable the Splunk Add-on for CyberArk to collect data from your EPV and PTA instances, configure your CyberArk devices to produce syslog output and send it to a data collection node of your Splunk platform installation.

Configure EPV to produce syslog

  1. Copy the SplunkCIM.xsl file provided in the forExport folder of the Splunk Add-on for CyberArk to the folder %ProgramFiles%\PrivateArk\Server\Syslog on the Vault server.
  2. Follow the instructions in "Integrating with SIEM Applications" in the Privileged Account Security Implementation Guide to configure the DBParm.ini.
  3. For the SyslogTranslatorFile parameter, enter SplunkCIM.xsl.
  4. For the SyslogServerIP and SyslogServerPort parameters, enter the address of your syslog aggregator, or specify a Splunk platform instance that you want to use to receive syslog directly.
  5. Restart your CyberArk Vault server service.
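The five steps above, collected into one DBParm.ini fragment as an added example (this is not from the original page or from CyberArk's documentation). The parameter names SyslogTranslatorFile, SyslogServerIP and SyslogServerPort are the ones the steps name; the [SYSLOG] section name and the SyslogServerProtocol parameter are assumed from the Vault implementation guide and should be verified against your CyberArk version. The IP address and port are placeholders.

```ini
; Added example: [SYSLOG] section of DBParm.ini on the Vault server after
; steps 1-4 above. Section name and SyslogServerProtocol are assumptions;
; check them in "Integrating with SIEM Applications" for your version.
[SYSLOG]
; Placeholder: address of the syslog aggregator, or of the Splunk platform
; instance that receives syslog directly (step 4)
SyslogServerIP=10.0.0.50
; Placeholder: must match the UDP/TCP input configured on the Splunk side
SyslogServerPort=514
; EPV supports UDP or TCP; the Splunk input must use the same protocol
; (assumed parameter name)
SyslogServerProtocol=UDP
; The translator copied in step 1 to %ProgramFiles%\PrivateArk\Server\Syslog
SyslogTranslatorFile=SplunkCIM.xsl
```

After saving the file, restart the Vault server service (step 5) so the new syslog settings take effect, then confirm on the Splunk side that events arrive on the port and protocol set here.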

Configure PTA to produce syslog

For PTA, see "Sending PTA syslog records to SIEM" in the Privileged Threat Analytics (PTA) Implementation Guide and follow the instructions to configure syslog output. For the Host and Port parameters, enter the address of your syslog aggregator, or specify a Splunk platform instance that you want to use to receive syslog directly.

Configure inputs for Splunk Add-on for CyberArk

The Splunk Add-on for CyberArk handles inputs through syslog. There are two ways to capture this data.

  • Monitor input: Use a syslog aggregator with a Splunk forwarder installed on it. Configure a monitor input to monitor the file or files generated by the aggregator.
  • UDP/TCP input: Create a set of UDP/TCP inputs to capture the data sent on the ports you have configured in CyberArk.

Monitor Input

If you are using a syslog aggregator, install a forwarder on that machine and set up two monitor inputs to monitor the files it generates. Set your source type to cyberark:epv:cef for the output from EPV and cyberark:pta:cef for the output from PTA. The CIM mapping and dashboard panels depend on these source types.

UDP/TCP Input

In the Splunk platform node handling data collection, configure two inputs to match your protocol and port configurations in CyberArk. PTA supports only UDP, and EPV supports either UDP or TCP. Match the protocol for EPV to the one you configured in the CyberArk Admin Console.

Set your source type to cyberark:epv:cef for the output from EPV and cyberark:pta:cef for the output from PTA. The CIM mapping and dashboard panels depend on these source types.
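The two collection methods described under "Monitor Input" and "UDP/TCP Input", written out as an inputs.conf fragment. This is an added example, not the add-on's own configuration: the file paths, the port numbers and the index name are placeholders, and only one of the two options should be deployed, because running both would collect the same events twice.

```ini
# Added example inputs.conf for the data collection node (placeholders throughout).
#
# Option A: monitor inputs on the forwarder installed on the syslog aggregator.
# One file per CyberArk product so each gets the source type the add-on expects.
[monitor:///var/log/cyberark/epv.log]
sourcetype = cyberark:epv:cef
index = cyberark
disabled = 0

[monitor:///var/log/cyberark/pta.log]
sourcetype = cyberark:pta:cef
index = cyberark
disabled = 0

# Option B: network inputs on the Splunk node that CyberArk sends to directly.
# EPV: UDP or TCP, matching the protocol set in the CyberArk Admin Console
# (UDP on port 514 here as a placeholder).
[udp://514]
sourcetype = cyberark:epv:cef
index = cyberark
connection_host = ip
disabled = 0

# If EPV is configured for TCP instead, replace the stanza above with a tcp
# stanza on the same port:
# [tcp://514]
# sourcetype = cyberark:epv:cef

# PTA supports only UDP. Use a separate port so the EPV and PTA feeds can be
# assigned their own source types.
[udp://11514]
sourcetype = cyberark:pta:cef
index = cyberark
connection_host = ip
disabled = 0
```

The index named here must already exist on the indexers, and with a search head cluster the inputs belong on a forwarder, not on the cluster members, as the compatibility table above notes.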

Validate data collection

After configuring the inputs, run this search to check that you are ingesting the data that you expect:

sourcetype=cyberark:*

About Author

TekSlate