CyberArk Vault

 

The CyberArk Vault DSM for JSA accepts events by using syslog that is formatted for Log Enhanced Event Format (LEEF).

JSA records both user activities and safe activities from the CyberArk Vault in the audit event logs. CyberArk Vault integrates with JSA to forward audit logs by using syslog to create a detailed log of privileged account activities.

Event Type Format

CyberArk Vault must be configured to generate events in Log Enhanced Event Protocol (LEEF) and to forward these events by using syslog. A LEEF event consists of a pipe-delimited ( | ) syslog header and tab-separated fields in the log payload section.

If the syslog events from CyberArk Vault are not formatted properly, examine your device configuration or software version to ensure that your appliance supports LEEF. Properly formatted LEEF event messages are automatically discovered and added as a log source to JSA.
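A check for the format described above, as an added example (not part of the original documentation and not CyberArk or Juniper code): it splits a received syslog line into the pipe-delimited header and the tab-separated payload fields, and reports why a line would not parse as LEEF. It assumes the LEEF 1.0 header layout; `check_leef`, the sample lines and all field values in them are constructed for illustration.

```python
import re

# LEEF 1.0 header: LEEF:1.0|vendor|product|version|eventID| then the payload.
LEEF_HEADER = re.compile(
    r"LEEF:(?P<leef_version>1\.0)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)"
    r"\|(?P<version>[^|]*)\|(?P<event_id>[^|]*)\|(?P<payload>.*)$", re.S)

# Constructed sample lines (not captured from a real Vault).
GOOD = ("<5>Jan 10 12:00:00 vault01 LEEF:1.0|CyberArk|Vault|0.0|22|"
        "usrName=alice\tsrc=192.0.2.15\tsafe=Finance")
SPACES = GOOD.replace("\t", " ")   # e.g. a relay rewrote tabs as spaces
RAW = "<5>Jan 10 12:00:00 vault01 untranslated audit record text"


def check_leef(line):
    """Return (header, attrs, problems) for one received syslog line."""
    m = LEEF_HEADER.search(line.rstrip("\r\n"))
    if m is None:
        return {}, {}, ["no LEEF:1.0 pipe-delimited header found"]
    header = m.groupdict()
    payload = header.pop("payload")
    attrs, problems = {}, []
    for field in filter(None, payload.split("\t")):
        key, sep, value = field.partition("=")
        if sep and key:
            attrs[key] = value
        else:
            problems.append(f"field without key=value form: {field!r}")
    # Heuristic: many '=' signs but no tab means the separators were lost.
    if "\t" not in payload and payload.count("=") > 1:
        problems.append("several key=value pairs but no tab separators")
    for name in ("vendor", "product", "event_id"):
        if not header[name]:
            problems.append(f"empty header field: {name}")
    return header, attrs, problems


if __name__ == "__main__":
    for sample in (GOOD, SPACES, RAW):
        header, attrs, problems = check_leef(sample)
        print(header.get("event_id"), attrs, problems or "OK")
```

Running it against a line captured on the receiving side shows whether the header or the field separators are the part that is malformed.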

Configuring Syslog for CyberArk Vault

To configure CyberArk Vault to forward syslog events to JSA:

  1. Log in to your CyberArk device.
  2. Edit the DBParm.ini file.
  3. Configure the following parameters:

    Table 1: Syslog Parameters

    | Parameter | Description |
    | --- | --- |
    | SyslogServerIP | Type the IP address of JSA. |
    | SyslogServerPort | Type the UDP port that is used to connect to JSA. The default value is 514. |
    | SyslogMessageCodeFilter | Configure which message codes are sent from the CyberArk Vault to JSA. You can define specific message numbers or a range of numbers. By default, all message codes are sent for user activities and safe activities. To send message codes 1, 2, 3, 30 and the range 5-10, type: 1,2,3,5-10,30. |
    | SyslogTranslatorFile | Type the file path to the LEEF.xsl translator file. The translator file is used to parse CyberArk audit records data in the syslog protocol. |

  4. Copy LEEF.xsl to the location specified by the SyslogTranslatorFile parameter in the DBParm.ini file.

The configuration is complete. The log source is added to JSA as CyberArk Vault events are automatically discovered. Events that are forwarded by CyberArk Vault are displayed on the Log Activity tab of JSA.

Configuring a Log Source for CyberArk Vault

JSA automatically discovers and creates a log source for syslog events from CyberArk Vault.

The following configuration steps are optional.

  1. Log in to JSA.
  2. Click the Admin tab.
  3. On the navigation menu, click Data Sources.
  4. Click the Log Sources icon.
  5. Click Add.
  6. In the Log Source Name field, type a name for your log source.
  7. In the Log Source Description field, type a description for the log source.
  8. From the Log Source Type list, select CyberArk Vault.
  9. From the Protocol Configuration list, select Syslog.
  10. Configure the following values:

    Table 2: Syslog Parameters

    | Parameter | Description |
    | --- | --- |
    | Log Source Identifier | Type the IP address or host name for the log source as an identifier for events from your CyberArk Vault appliance. |

  11. Click Save.
  12. On the Admin tab, click Deploy Changes.