The CyberArk Vault DSM for JSA accepts syslog events that are formatted in Log Event Extended Format (LEEF).
JSA records both user activities and safe activities from the CyberArk Vault in the audit event logs. CyberArk Vault integrates with JSA to forward audit logs by using syslog to create a detailed log of privileged account activities.
Event Type Format
CyberArk Vault must be configured to generate events in Log Event Extended Format (LEEF) and to forward these events by using syslog. The LEEF format consists of a pipe ( | ) delimited syslog header and tab-separated fields in the log payload section.
If the syslog events from CyberArk Vault are not formatted properly, examine your device configuration or software version to ensure that your appliance supports LEEF. Properly formatted LEEF event messages are automatically discovered and added as a log source to JSA.
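One way to check captured events against this layout before troubleshooting the device, as an added example that is not part of the original documentation or of any CyberArk or JSA code. It assumes the LEEF 1.0 header of five pipe-delimited fields (LEEF version, vendor, product, product version, event ID); the function names and sample lines are constructed for illustration.

```python
import re

LEEF_MARK = "LEEF:"
HEADER_FIELDS = ("leef_version", "vendor", "product", "product_version", "event_id")

def parse_leef(line):
    """Split one syslog line into (header dict, payload attribute dict).

    Raises ValueError when the pipe-delimited header or the key=value
    payload does not have the expected shape.
    """
    start = line.find(LEEF_MARK)
    if start < 0:
        raise ValueError("no LEEF header found")
    # Five header fields; everything after the fifth pipe is the payload,
    # so pipes inside payload values are left untouched.
    parts = line[start + len(LEEF_MARK):].split("|", 5)
    if len(parts) != 6:
        raise ValueError("LEEF header needs five pipe-delimited fields")
    header = dict(zip(HEADER_FIELDS, parts[:5]))
    if any(not value for value in header.values()):
        raise ValueError("empty LEEF header field")
    attrs = {}
    for field in parts[5].rstrip("\r\n").split("\t"):
        key, sep, value = field.partition("=")
        if not sep or not key:
            raise ValueError("payload field is not key=value: %r" % field)
        attrs[key] = value
    return header, attrs

def diagnose(line):
    """Return 'ok' or a short description of why the event is not usable."""
    try:
        _, attrs = parse_leef(line)
    except ValueError as exc:
        return "malformed: %s" % exc
    # Heuristic: a relay that rewrote tabs as spaces leaves one giant value
    # with further key= pairs embedded in it.
    if len(attrs) == 1 and re.search(r"\s\w+=", next(iter(attrs.values()))):
        return "suspect: payload looks space-separated, not tab-separated"
    return "ok"

# Constructed sample events (not real CyberArk output).
GOOD = "<13>Jan 10 12:00:00 vault01 LEEF:1.0|CyberArk|Vault|0.0|295|usrName=admin\tsrc=192.0.2.10\tsev=5"
SPACED = GOOD.replace("\t", " ")
SHORT = "<13>Jan 10 12:00:00 vault01 LEEF:1.0|CyberArk|Vault|usrName=admin"

if __name__ == "__main__":
    for sample in (GOOD, SPACED, SHORT, "<13>Jan 10 12:00:00 vault01 plain text"):
        print(diagnose(sample))
```

The space-separated check is a heuristic and can flag a legitimate single-attribute event whose value contains text such as ` x=y`.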
Configuring Syslog for CyberArk Vault
To configure CyberArk Vault to forward syslog events to JSA:
- Log in to your CyberArk device.
- Edit the
- Configure the following parameters:
Table 1: Syslog Parameters
Type the IP address of JSA.
Type the UDP port that is used to connect to JSA. The default value is 514.
Configure which message codes are sent from the CyberArk Vault to JSA. You can define specific message numbers or a range of numbers. By default, all message codes are sent for user activities and safe activities.
To define message codes 1, 2, 3, 30, and the range 5-10, you must type: 1,2,3,5-10,30.
Type the file path to the LEEF.xsl translator file. The translator file is used to parse CyberArk audit records data in the syslog protocol.
LEEF.xsl to the location specified by the SyslogTranslatorFile parameter in the
The configuration is complete. The log source is added to JSA as CyberArk Vault events are automatically discovered. Events that are forwarded by CyberArk Vault are displayed on the Log Activity tab of JSA.
Syslog Log Source Parameters for CyberArk Vault
If JSA does not automatically detect the log source, add a CyberArk Vault log source on the JSA Console by using the syslog protocol.
When using the syslog protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect syslog events from CyberArk Vault:
Table 2: Syslog Log Source Parameters for the CyberArk Vault DSM
Log Source type
Log Source Identifier
Type the IP address or host name for the log source.
The identifier helps you determine which events came from your CyberArk Vault devices.