Complete the following steps to install and configure this add-on:
Use the tables below to find where and how to install this add-on in a distributed deployment of Splunk Enterprise, or in any deployment where you use forwarders to get your data in. Depending on your environment, your preferences, and the requirements of the add-on, you may need to install the add-on in multiple places.
Unless otherwise noted, all supported add-ons can be safely installed to all tiers of a distributed Splunk platform deployment. See Where to install Splunk add-ons in Splunk Add-ons for more information.
This table provides a reference for installing this specific add-on to a distributed deployment of Splunk Enterprise.
| Splunk instance type | Supported | Required | Comments |
| --- | --- | --- | --- |
| Search Heads | Yes | Yes | Install this add-on on all search heads where CyberArk knowledge management is required. |
| Indexers | Yes | No | Not required, as this add-on does not include any index-time operations. |
| Heavy Forwarders | Yes | - | All forwarder types are supported. |
| Universal Forwarders | Yes | - | All forwarder types are supported. |
| Light Forwarders | Yes | - | All forwarder types are supported. |
This table describes the compatibility of this add-on with Splunk distributed deployment features.
| Distributed deployment feature | Supported | Action Required |
| --- | --- | --- |
| Search Head Clusters | Yes | You can install this add-on on a search head cluster for all search-time functionality, but configure inputs only on a forwarder to avoid duplicate data collection. Before installing this add-on to a cluster, remove the eventgen.conf file and all files in the samples folder. |
| Indexer Clusters | Yes | Before installing this add-on to a cluster, remove the eventgen.conf file and all files in the samples folder. |
| Deployment Server | Yes | Supported for deploying the configured add-on to multiple nodes. |
The Splunk Add-Ons manual includes an Installing add-ons guide that helps you successfully install any Splunk-supported add-on to your Splunk platform.
For a walkthrough of the installation procedure, follow the link that matches your deployment scenario:
To enable the Splunk Add-on for CyberArk to collect data from your EPV and PTA instances, configure your CyberArk devices to produce syslog output and push it to a data collection node of your Splunk platform installation.
For EPV, copy the SplunkCIM.xsl file provided in the forExport folder of the Splunk Add-on for CyberArk to the folder %ProgramFiles%\PrivateArk\Server\Syslog of the Vault Server.
Then edit the DBParm.ini file of the Vault Server so that its syslog settings reference SplunkCIM.xsl as the translator file.
For PTA, see "Sending PTA syslog records to SIEM" in the Privileged Threat Analytics (PTA) Implementation Guide and follow its instructions to configure syslog output. For the Host and Port parameters, enter the address of your syslog aggregator, or of the Splunk platform instance you want to receive syslog directly.
The Splunk Add-on for CyberArk handles inputs through syslog. There are two ways to capture this data.
If you are using a syslog aggregator, install a forwarder on that machine and set up two monitor inputs for the files it generates. Set the source type to cyberark:epv:cef for the output from EPV and cyberark:pta:cef for the output from PTA. The CIM mapping and dashboard panels depend on these source types.
Otherwise, on the Splunk platform node handling data collection, configure two network inputs that match the protocol and port configuration in CyberArk. PTA supports only UDP; EPV supports either UDP or TCP, so match the protocol for EPV to the one you configured in the CyberArk Admin Console. Set the source type to cyberark:epv:cef for the output from EPV and cyberark:pta:cef for the output from PTA. The CIM mapping and dashboard panels depend on these source types.
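The following inputs.conf is an added example for the two collection methods above; it is not from the add-on's own documentation. The file paths, ports and index name are assumptions, and only one of the two methods should be enabled on a given node.

```ini
# Added example, not the add-on's own configuration. Use ONE method per node;
# running both against the same feed ingests every event twice.

# --- Method 1: forwarder on the syslog aggregator, monitoring its files ---
# Assumed: the aggregator writes EPV and PTA output to separate files.
[monitor:///var/log/cyberark/epv.log]
sourcetype = cyberark:epv:cef
index = cyberark
disabled = 0

[monitor:///var/log/cyberark/pta.log]
sourcetype = cyberark:pta:cef
index = cyberark
disabled = 0

# --- Method 2: network inputs on the Splunk data collection node ---
# EPV: the transport (udp or tcp) must match the CyberArk Admin Console
# setting. Assumed here: UDP on port 514; use [tcp://514] if EPV sends TCP.
[udp://514]
sourcetype = cyberark:epv:cef
index = cyberark
connection_host = dns

# PTA supports UDP only. Assumed port 11514 so it does not collide with EPV;
# a shared port would leave one feed tagged with the wrong source type and
# break its CIM mapping and dashboard panels.
[udp://11514]
sourcetype = cyberark:pta:cef
index = cyberark
connection_host = dns
```

The index name is an assumption; whatever index you choose, the sourcetype values must stay exactly cyberark:epv:cef and cyberark:pta:cef.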
After configuring the inputs, run this search in order to check that you are ingesting the data that you expect:
sourcetype=cyberark:*