Configure CyberArk to produce syslog for the Splunk Add-on for CyberArk
To enable the Splunk Add-on for CyberArk to collect data from your EPV and PTA instances, you need to configure your CyberArk devices to produce syslog output and push it to a data collection node of your Splunk platform installation.
Configure EPV to produce syslog
For EPV, apply the translator file provided in the forExport folder of the Splunk Add-on for CyberArk, then see “Integrating with SIEM Applications” in the Privileged Account Security Implementation Guide to configure syslog output.
- Copy the SplunkCIM.xsl file to the folder %ProgramFiles%\PrivateArk\Server\Syslog of the Vault Server.
- Follow the instructions in “Integrating with SIEM Applications” in the Privileged Account Security Implementation Guide to configure the DBParm.ini file.
- For the SyslogTranslatorFile parameter, enter SplunkCIM.xsl.
- For the SyslogServerIP and SyslogServerPort parameters, enter the address of your SC4S server (recommended) or syslog aggregator, or specify a Splunk platform instance that you want to use to receive syslog directly.
- Restart your CyberArk Vault server service.
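The EPV steps above carried out as one script, as an added example written for this page; it is not a script shipped by Splunk or CyberArk. The source path of SplunkCIM.xsl, the location of DBParm.ini, the Windows service name of the Vault server, and the 10.0.0.50 address and port 514 are assumptions or constructed sample values, so check each against your own Vault before running it.

```powershell
<#
  Added example for the EPV procedure above (not Splunk's or CyberArk's own script).
  Assumptions, to be verified for your Vault version:
    $XslSource    - where you unpacked the add-on's forExport\SplunkCIM.xsl
    $DbParmPath   - location of DBParm.ini on this Vault server
    $ServiceName  - Windows service name of the Vault server (check with Get-Service)
    $SyslogServer - constructed sample address standing in for your SC4S host
#>
param(
    [string]$XslSource    = 'C:\Temp\forExport\SplunkCIM.xsl',                     # assumption
    [string]$SyslogDir    = "$env:ProgramFiles\PrivateArk\Server\Syslog",           # folder named on the page
    [string]$DbParmPath   = "$env:ProgramFiles\PrivateArk\Server\Conf\DBParm.ini",  # assumption
    [string]$SyslogServer = '10.0.0.50',                                             # constructed sample
    [int]$SyslogPort      = 514,                                                     # constructed sample
    [string]$ServiceName  = 'PrivateArk Server'                                      # assumption
)

$ErrorActionPreference = 'Stop'

# Replace an existing "Key=Value" line in DBParm.ini, or append one if the key is absent.
# If your DBParm.ini groups parameters under section headers, put the keys where the
# Implementation Guide places them rather than relying on the append.
function Set-DbParmValue {
    param([string]$Path, [string]$Key, [string]$Value)
    $pattern  = '^\s*' + [regex]::Escape($Key) + '\s*='
    $replaced = $false
    $lines    = @(Get-Content -Path $Path)
    $out = foreach ($line in $lines) {
        if (-not $replaced -and $line -match $pattern) { $replaced = $true; "$Key=$Value" }
        else { $line }
    }
    $out = @($out)
    if (-not $replaced) { $out += "$Key=$Value" }
    Set-Content -Path $Path -Value $out -Encoding ASCII
}

# Step 1: place the translator file where the Vault looks for it.
if (-not (Test-Path -Path $SyslogDir)) { New-Item -ItemType Directory -Path $SyslogDir | Out-Null }
Copy-Item -Path $XslSource -Destination (Join-Path $SyslogDir 'SplunkCIM.xsl') -Force

# Steps 2-4: back up DBParm.ini, then set the three syslog parameters named on the page.
Copy-Item -Path $DbParmPath -Destination "$DbParmPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Set-DbParmValue -Path $DbParmPath -Key 'SyslogTranslatorFile' -Value 'SplunkCIM.xsl'
Set-DbParmValue -Path $DbParmPath -Key 'SyslogServerIP'       -Value $SyslogServer
Set-DbParmValue -Path $DbParmPath -Key 'SyslogServerPort'     -Value $SyslogPort

# Step 5: restart the Vault server so it re-reads DBParm.ini, and wait until it is back.
Restart-Service -Name $ServiceName -Force
(Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromMinutes(2))

# Check: print the resulting Syslog* lines so the change can be reviewed and recorded.
Select-String -Path $DbParmPath -Pattern '^\s*Syslog' | ForEach-Object { $_.Line }
```

Run it from an elevated PowerShell session on the Vault server itself, inside a change window, since restarting the Vault service interrupts privileged-session and password operations for the duration. The dated backup of DBParm.ini lets you roll back with a single copy if the Vault fails to start, and the final Select-String output is what you attach to the change record and compare against the SC4S or aggregator side when confirming that events arrive.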
Configure PTA to produce syslog
For PTA, see “Sending PTA syslog records to SIEM” in the Privileged Threat Analytics (PTA) Implementation Guide and follow the instructions to configure syslog output. For the Host and Port parameters, enter the address of the SC4S server (recommended) or syslog aggregator that you want to use to receive the syslog output.