- Review the hardware and software requirements for the Splunk Add-on for CyberArk.
- Install the Splunk Add-on for CyberArk.
- Configure CyberArk to produce syslog for the Splunk Add-on for CyberArk.
- Configure inputs for the Splunk Add-on for CyberArk.
How to install the Splunk Add-on for CyberArk?
- Get the Splunk Add-on for CyberArk by downloading it from http://splunkbase.splunk.com/app/2891 or browsing to it using the app browser within Splunk Web.
- Determine where and how to install this add-on, using the tables on this page.
- Perform any prerequisite steps before installing, if required and indicated in the tables below.
- Finish your installation.
Distributed deployments:
Use the tables below to find where and how to install this add-on in a distributed deployment of Splunk Enterprise, or in any deployment where you use forwarders to get your data in. Depending on your environment, your preferences, and the requirements of the add-on, you may need to install the add-on in multiple places.
Where to install this add-on
Unless otherwise noted, all supported add-ons can be safely installed to all tiers of a distributed Splunk platform deployment. See Where to install Splunk add-ons in Splunk Add-ons for more information.
This table provides a reference for installing this specific add-on to a distributed deployment of Splunk Enterprise.
| Splunk instance type | Supported | Required | Comments |
| Search Heads | Yes | Yes | Install this add-on to all search heads where CyberArk knowledge management is required. |
| Indexers | Yes | No | Not required, as this add-on does not include any index-time operations. |
| Heavy Forwarders | Yes | - | All forwarder types are supported. |
| Universal Forwarders | Yes | - | All forwarder types are supported. |
| Light Forwarders | Yes | - | All forwarder types are supported. |
Distributed deployment feature compatibility
This table describes the compatibility of this add-on with Splunk distributed deployment features.
| Distributed deployment feature | Supported | Action Required |
| Search Head Clusters | Yes | You can install this add-on on a search head cluster for all search-time functionality, but configure inputs only on a forwarder to avoid duplicate data collection. Before installing this add-on to a cluster, remove the eventgen.conf file and all files in the samples folder. |
| Indexer Clusters | Yes | Before installing this add-on to a cluster, remove the eventgen.conf file and all files in the samples folder. |
| Deployment Server | Yes | Supported for deploying the configured add-on to multiple nodes. |
Installation walkthroughs
The Splunk Add-Ons manual includes an Installing add-ons guide that helps you successfully install any Splunk-supported add-on to your Splunk platform.
For a walkthrough of the installation procedure, follow the link that matches your deployment scenario:
- Single-instance Splunk Enterprise
- Distributed Splunk Enterprise
- Splunk Cloud
- Splunk Light
Configure CyberArk to produce syslog for the Splunk Add-on for CyberArk
To enable the Splunk Add-on for CyberArk to collect data from your EPV and PTA instances, configure your CyberArk devices to produce syslog output and push it to a data collection node of your Splunk platform installation.
Configure EPV to produce syslog
- Copy the SplunkCIM.xsl file provided in the forExport folder of the Splunk Add-on for CyberArk to the %ProgramFiles%\PrivateArk\Server\Syslog folder of the Vault Server.
- Follow the instructions in "Integrating with SIEM Applications" in the Privileged Account Security Implementation Guide to configure DBParm.ini.
- For the SyslogTranslatorFile parameter, enter SplunkCIM.xsl.
- For the SyslogServerIP and SyslogServerPort parameters, enter the address of your syslog aggregator, or specify a Splunk platform instance that you want to use to receive syslog directly.
- Restart your CyberArk Vault server service.
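The outcome of the five steps above as a DBParm.ini fragment, added here as an example rather than text from the page or from CyberArk's own documentation: the [SYSLOG] section name and the SyslogServerProtocol parameter are assumed from the Vault's DBParm.ini conventions, and the IP address and port are constructed placeholders.

```ini
; DBParm.ini on the Vault Server (added example; comment lines are explanatory only).
; Assumed: the [SYSLOG] section name and SyslogServerProtocol come from the
; Vault's DBParm.ini conventions, not from the page.
[SYSLOG]
; Constructed placeholder: your syslog aggregator or the Splunk node receiving syslog.
SyslogServerIP=192.0.2.10
; Constructed placeholder: must match the UDP/TCP input you create on the Splunk side.
SyslogServerPort=514
; EPV supports UDP or TCP; whichever you pick here must match the Splunk input stanza.
SyslogServerProtocol=UDP
; The translator copied into the Syslog subfolder in the first step. If your Vault
; resolves this path relative to the Server folder, use Syslog\SplunkCIM.xsl instead.
SyslogTranslatorFile=SplunkCIM.xsl
```

Restart the Vault server service after editing the file, as the last step above requires, or the new syslog settings are not picked up.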
Configure PTA to produce syslog
For PTA, see "Sending PTA syslog records to SIEM" in the Privileged Threat Analytics (PTA) Implementation Guide and follow the instructions to configure syslog output. For the Host and Port parameters, enter the address of your syslog aggregator, or specify a Splunk platform instance that you want to use to receive syslog directly.
Configure inputs for Splunk Add-on for CyberArk
The Splunk Add-on for CyberArk handles inputs through syslog. There are two ways to capture this data.
- Monitor input: Use a syslog aggregator with a Splunk forwarder installed on it. Configure a monitor input to monitor the file or files generated by the aggregator.
- UDP/TCP input: Create a set of UDP/TCP inputs to capture the data sent on the ports you have configured in CyberArk.
Monitor input
If you are using a syslog aggregator, install a forwarder on that machine and set up two monitor inputs to monitor the files it generates. Set your source type to cyberark:epv:cef for the output from EPV and cyberark:pta:cef for the output from PTA. The CIM mapping and dashboard panels depend on these source types.
UDP/TCP input
In the Splunk platform node handling data collection, configure two inputs to match your protocol and port configurations in CyberArk. PTA supports only UDP, and EPV supports either UDP or TCP. Match the protocol for EPV to the one you configured in the CyberArk Admin Console.
Set your source type to cyberark:epv:cef for the output from EPV and cyberark:pta:cef for the output from PTA. The CIM mapping and dashboard panels depend on these source types.
Validate data collection
After configuring the inputs, run this search in order to check that you are ingesting the data that you expect:
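Both input methods from the Monitor input and UDP/TCP input sections above as one inputs.conf fragment, added here as an example rather than the add-on's own configuration: the file paths, the port numbers and the cyberark index are constructed, and the stanza options are standard Splunk inputs.conf settings.

```ini
# inputs.conf on the data-collection node (added example; paths, ports and index are constructed).
# Use ONE method per feed. Enabling a monitor input and a network input for the
# same feed indexes every event twice.

# Method 1: monitor inputs on a forwarder installed on the syslog aggregator.
# Assumed: the aggregator writes EPV and PTA records to separate files, so each
# file can carry the source type the add-on's CIM mapping depends on.
[monitor:///var/log/syslog/cyberark/epv/*.log]
sourcetype = cyberark:epv:cef
index = cyberark
disabled = 0

[monitor:///var/log/syslog/cyberark/pta/*.log]
sourcetype = cyberark:pta:cef
index = cyberark
disabled = 0

# Method 2: direct network inputs. Ports must match SyslogServerPort in DBParm.ini
# (EPV) and the Port setting in PTA; PTA supports UDP only, EPV UDP or TCP.
[udp://514]
sourcetype = cyberark:epv:cef
index = cyberark
connection_host = ip
# The Vault already timestamps each record, so do not prepend a second one.
no_appending_timestamp = true

[udp://515]
sourcetype = cyberark:pta:cef
index = cyberark
connection_host = ip
no_appending_timestamp = true

# If SyslogServerProtocol in DBParm.ini is TCP, replace the EPV udp:// stanza with:
# [tcp://514]
# sourcetype = cyberark:epv:cef
# index = cyberark
# connection_host = ip
```

A constructed check such as `sourcetype=cyberark:epv:cef OR sourcetype=cyberark:pta:cef | stats count by sourcetype, host` then shows whether both feeds are arriving under the source types the dashboards expect, and a count that doubles after a change is the usual sign that both methods were left enabled for one feed.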