Hi All,
We are trying to ingest the cyberark data into Splunk. CyberArk is sending logs into a syslog server from where we have tried to ingest into Splunk. But the logs are coming into the syslog server where we find the below issue of getting square braces like below .
|Backup[Metadata|5|act="Backup]
Prepare[Backup] Backup Metadata"
Monitor[FW] end|5|act="Monitor FW Rules end"
Retrieve[File|5|act="Retrieve]
Due to this the field "cef_name" is coming as below
Backup[Metadata
Retrieve[File
Monitor[FW
So please let me know if the above format is correct and accepted? If not then we will check in the CyberArk if there is an issue in the log format.
Regards,
Abheek
Hi Abheek,
In CyberArk you can load an xsl document which configures the CEF format to an appropriate type.
If you are planning on using the CyberArk TA, the TA comes with a file named SplunkCIM.xsl which will allow the TA to normalise your events into the CIM compliant format.
It seems possible you may have a different xsl file loaded which is amending the log format CyberArk is sending.
With it configured correctly, your CyberArk logs should look like this in Splunk. [REDACTED]
Jan 12 12:56:42 IP.IP.IP.IP 1 2018-01-12T12:56:42Z HOSTNAME CEF:0|Cyber-Ark|Vault|VERSION|106|Update File Category|5|act="Update File Category" suser=USERNAME fname=Root\268\CyberArk.Reports.xml dvc= shost=HOSTIP dhost= duser= externalId= app= reason= cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2="SAFENAME" cs3Label="Device Type" cs3= cs4Label="Database" cs4= cs5Label="Other info" cs5="ReportFailureReason" cn1Label="Request Id" cn1= cn2Label="Ticket Id" cn2= msg=
http://docs.splunk.com/Documentation/AddOns/released/CyberArk/Setup#Configure_EPV_to_produce_syslog