How to forward CyberArk Vault logs to SplunkCloud

In trying to set up things for my own home lab, I figured I would blog this for others to help get their lab environment set up as well.

WHY should you set up log forwarding to SplunkCloud?

Splunk offers a SplunkCloud trial instance that you can use to get familiar with Splunk. It also lets you forward events so you can troubleshoot or visualize your application or log data in the form of Splunk dashboards. In this case, we’re setting all of this up for CyberArk Vault syslog data.

Please try these items in your lab before deploying to production. I’m configuring this with just UDP and non-TLS for syslog for my lab. You should secure this better if using in an actual corporate environment. I’m not responsible for your own actions. If in doubt, contact CyberArk or Splunk Support!

Prerequisites —

  • CyberArk Vault
  • PVWA — Windows Server (note the IP address). I just did this for my lab…you should use a standalone server just for log forwarding.
  • SplunkCloud Trial (https://www.splunk.com/en_us/download/splunk-cloud/cloud-trial.html)
  • CyberArk Splunk add-on app (includes the Splunk.xsl file)
  • Splunk universal forwarder for Windows server.

CyberArk Vault pieces:

  1. Log into your CyberArk Vault server as the local admin account
  2. Navigate to your <drive>:\Program Files (x86)\PrivateArk\Server\conf\ path and make a copy of your dbparm.ini file as a backup.
  3. Update your dbparm.ini file to include this info (update server IP as needed):
    [SYSLOG]
    SyslogTranslatorFile=Syslog\Splunk.xsl
    SyslogServerPort=514
    SyslogServerIP=192.168.65.132
    SyslogServerProtocol=UDP
    SyslogMessageCodeFilter=0-999
    UseLegacySyslogFormat=Yes
    SendMonitoringMessage=Yes
  4. Navigate to your <drive>:\Program Files (x86)\PrivateArk\Server\Syslog\ path. Place the Splunk.xsl file there. If you don’t have it, you can use the arcsight.xsl sample file as a starting point.
  5. Open the “PrivateArk Server” application to stop and start the vault server service.

Splunk Universal Forwarder pieces:

  1. Log into your Windows Server
  2. Open “Windows Defender Firewall with Advanced Security”
  3. Create a new inbound firewall rule
  4. Select Port, click next
  5. Select UDP and select specific ports: 514, click next
  6. Select “Allow the connection”, click next
  7. Click next
  8. Name the rule “Allow Syslog port 514 UDP”, click finish
  9. Install the Splunk universal forwarder (UF), choose the SplunkCloud option at the beginning. Enter a username and password to set for the Splunk UF. Finish the install with defaults.
  10. Open CMD — run as admin.
  11. Install the splunkclouduf.spl app by entering the following command: <drive>:\Program Files\SplunkUniversalForwarder\bin\splunk.exe install app <drive>:\Users\<userprofilename>\Downloads\splunkclouduf.spl
  12. Type the username and password you set for the Splunk UF.
  13. Navigate to <drive>:\Program Files\SplunkUniversalForwarder\etc\apps\<splunkcloudnamehere>\local\
  14. Create a text file in this folder called inputs.conf
  15. Update the file to include these lines, then save:
    [udp:514]
    index=cyberark
  16. Open Services.msc and restart the “SplunkForwarder Service” for things to take effect.
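Before restarting the Vault and the forwarder, it helps to confirm that the two ends of the pipe agree: the [SYSLOG] stanza in dbparm.ini has to point at the same protocol and port that inputs.conf listens on, and the inputs.conf key must be spelled index in lowercase because Splunk .conf attribute names are case-sensitive. The script below is an added example (not CyberArk or Splunk tooling) that parses constructed copies of both files and reports mismatches; the sample dbparm.ini deliberately contains two common slips, an en-dash in SyslogMessageCodeFilter and a capitalised Index key, so you can see them caught.

```python
import configparser
import ipaddress
import re

# Constructed sample files (not real deployments); both contain a deliberate slip.
DBPARM_INI = """[SYSLOG]
SyslogTranslatorFile=Syslog\\Splunk.xsl
SyslogServerPort=514
SyslogServerIP=192.168.65.132
SyslogServerProtocol=UDP
SyslogMessageCodeFilter=0\u2013999
UseLegacySyslogFormat=Yes
SendMonitoringMessage=Yes
"""
INPUTS_CONF = """[udp:514]
Index=cyberark
"""

def _parse(text):
    # Keep key case so 'Index' can be told apart from 'index'.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def check_syslog_pipe(dbparm_text, inputs_text, expected_index="cyberark"):
    """Return a list of findings; an empty list means both ends agree."""
    findings = []
    vault = _parse(dbparm_text)
    if not vault.has_section("SYSLOG"):
        return ["dbparm.ini: no [SYSLOG] stanza"]
    s = {k.lower(): v.strip() for k, v in vault.items("SYSLOG")}
    try:
        ipaddress.ip_address(s.get("syslogserverip", ""))
    except ValueError:
        findings.append("SyslogServerIP is not a valid IP address")
    port = s.get("syslogserverport", "")
    if not (port.isdigit() and 0 < int(port) < 65536):
        findings.append("SyslogServerPort must be 1-65535")
    proto = s.get("syslogserverprotocol", "").upper()
    if proto not in ("UDP", "TCP"):
        findings.append("SyslogServerProtocol must be UDP or TCP")
    # The range needs a plain ASCII hyphen; a pasted en-dash silently breaks it.
    if not re.fullmatch(r"\d+-\d+", s.get("syslogmessagecodefilter", "")):
        findings.append("SyslogMessageCodeFilter must look like 0-999 with an ASCII hyphen")
    uf = _parse(inputs_text)
    stanza = f"{proto.lower()}:{port}"
    if not uf.has_section(stanza):
        findings.append(f"inputs.conf: no [{stanza}] stanza matching the Vault settings")
    elif uf.get(stanza, "index", fallback=None) != expected_index:
        findings.append(f"inputs.conf: [{stanza}] needs index={expected_index} (lowercase key)")
    return findings
```

Run it against your real files by reading them into the two strings; a clean run returns an empty list.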

SplunkCloud pieces:

  1. Log into your SplunkCloud instance.
  2. Click Apps, find more apps.
  3. Search for CyberArk Splunk add-on.
  4. Install the app in SplunkCloud.
  5. Click on settings>indexes
  6. Click new index
  7. Create a new index called cyberark. Set the max retention days to 365. Save.
  8. Wait ~5 minutes
  9. Click apps>search & reporting. Click search.
  10. Type out your starter search: index=cyberark …choose the last 7 days for your time picker.

PVWA pieces:

  1. Log into PVWA
  2. Perform various actions (CPM, PSM, add account, etc.) to trigger the events you want to see forwarded to SplunkCloud into the cyberark index.
  3. Wait ~1–5 minutes for events to populate within SplunkCloud.
  4. Search SplunkCloud again for cyberark events.

Visuals for your reference

SplunkCloud -> Access Instance
SplunkCloud -> Download Universal Forwarder for use
Splunk Universal Forwarder Credentials file
Create an inputs.conf file under your related SplunkCloud app\local\
Setup CyberArk index in SplunkCloud — click Settings>Indexes
SplunkCloud -> click New Index
SplunkCloud -> create cyberark Index, click save.
Vault -> place Splunk.xsl file within PrivateArk>Server>Syslog folder
Vault dbparm.ini syslog example

Looking for a partner in your Privileged Access Management rollout?

Check out my site here — https://www.keyvaultsolutions.com/pages/contact-us

Additional thoughts —

  1. If needed, check out the official CyberArk documentation.
  2. If needed, check out the official Splunk documentation.
  3. If needed, contact CyberArk or Splunk support.
  4. Don’t deploy insecure settings to your corporate environment.
  5. To keep your searches and dashboards separate from other Splunk items and allow you to control who has access to the items…consider creating a new CyberArk Splunk app for use. Use the sample app template.

Related Links —

  1. https://www.splunk.com/en_us/download/splunk-cloud/cloud-trial.html
  2. https://docs.splunk.com/Documentation/Forwarder/9.0.4/Forwarder/ConfigSCUFCredentials
  3. https://docs.splunk.com/Documentation/Forwarder/9.0.4/Forwarder/HowtoforwarddatatoSplunkCloud?ref=hk#HowtoforwarddatatoSplunkCloud#How_to_forward_data_to_Splunk_Cloud
  4. https://docs.splunk.com/Documentation/SplunkCloud/9.0.2303/Admin/Configureinputs