Configure inputs for Splunk Add-on for CyberArk
The Splunk Add-on for CyberArk handles inputs through syslog. There are three ways to capture this data.
- Use Splunk Connect for Syslog (SC4S). This is the recommended option.
- Use a syslog aggregator with a Splunk forwarder installed on it, and configure a monitor input for the file or files the aggregator writes.
- Create a set of TCP or UDP inputs to capture the data sent on the ports you have configured in CyberArk.
Splunk Connect for Syslog
Use Splunk Connect for Syslog (SC4S) for data collection. Follow the steps in the SC4S documentation for CyberArk EPV to configure it: https://splunk.github.io/splunk-connect-for-syslog/main/sources/vendor/CyberArk/epv/.
Monitor input
If you are using a syslog aggregator, install a forwarder on that machine and set up two monitor inputs, one for each file that is generated. Set the source type to cyberark:epv:cef for the output from EPV and cyberark:pta:cef for the output from PTA. The CIM mapping is dependent on these source types.
See Monitor files and directories in the Getting Data In manual for information about setting up a monitor input.
TCP/UDP input
On the Splunk platform node that handles data collection, configure two inputs to match the protocol and port configuration in CyberArk. PTA only supports UDP. EPV supports either TCP or UDP; if possible, use TCP, because UDP does not guarantee delivery and logs may be lost in transit. Match the protocol for EPV to the one you configured in the CyberArk Admin Console.
Set your source type to cyberark:epv:cef for the output from EPV and cyberark:pta:cef for the output from PTA. The CIM mapping is dependent on these source types.
For information on how to configure a Splunk forwarder or single-instance to receive a syslog input using the CLI for the configuration files, see Get data from TCP and UDP ports in the Getting Data In manual. You can also configure syslog inputs using the Splunk Web UI if you have access to Splunk Web on your collection node as described in Network ports and Splunk Enterprise in the Getting Data In manual.
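As an added example that is not part of the Splunk documentation or the add-on itself, the following inputs.conf fragment shows both collection options described above side by side: monitor inputs for the files written by a syslog aggregator, and a TCP input for EPV alongside a UDP input for PTA on the collection node. The file paths, port numbers and index name are assumptions; replace them with the values from your aggregator and your CyberArk configuration.

```ini
# Added example inputs.conf fragment (not from the add-on). The paths, ports
# and index name are assumptions and must match your aggregator and the
# protocol/port settings in the CyberArk Admin Console.

# --- Option A: syslog aggregator with a forwarder (monitor inputs) ---
# These stanzas go in inputs.conf on the forwarder installed on the aggregator.
# One monitor input per generated file, each with the source type the CIM
# mapping depends on.
[monitor:///var/log/syslog-aggregator/cyberark_epv.log]
sourcetype = cyberark:epv:cef
index = cyberark
disabled = 0

[monitor:///var/log/syslog-aggregator/cyberark_pta.log]
sourcetype = cyberark:pta:cef
index = cyberark
disabled = 0

# --- Option B: direct TCP/UDP inputs on the collection node ---
# EPV over TCP (preferred: UDP does not guarantee delivery, so events can be
# lost in transit). Port 1514 is an assumed value.
[tcp://1514]
sourcetype = cyberark:epv:cef
index = cyberark
connection_host = ip
disabled = 0

# PTA supports UDP only. Port 1515 is an assumed value.
[udp://1515]
sourcetype = cyberark:pta:cef
index = cyberark
connection_host = ip
disabled = 0
```

Use only one option per data source; the two sets of stanzas are shown together so the source type assignment can be compared. The index named here must already exist on the indexers, and the TCP and UDP ports must be reachable from the CyberArk components sending the syslog traffic. After reloading the inputs, run the search in the Validate data collection section to confirm that events arrive under both source types.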
Validate data collection
Once you have configured the inputs, run this search to check that you are ingesting the data that you expect.
Search
sourcetype=cyberark:*