Q: I need to forward the data from all the indexes (Windows, Linux, etc.) to CyberArk PTA via syslog, or any other method, from the Splunk indexer, as we don't have an HF in our environment.
I have followed the documentation given by CyberArk on the PTA Splunk integration, but it is not working for me (logs are not being forwarded to the PTA server).
Configuration on the indexer, in $SPLUNK_HOME/etc/system/local:
--> outputs.conf
[syslog:pta_syslog]
server = <PTA Server IP>:<port>
# indexAndForward is a [tcpout] setting, not a [syslog:...] one; the indexer
# keeps indexing syslog-routed events regardless, so it is commented out here.
# indexAndForward = true
type = tcp
timestampformat = %s
# Data whose sourcetype matches this is assumed to already be syslog and is sent
# as-is; everything else (e.g. WinEventLog) gets a syslog header, timestamp and
# host prepended. Note: no space after "::".
syslogSourceType = sourcetype::linux:messages
--> props.conf
# Routing props/transforms must live on the first full parsing tier. With UFs
# sending straight to the indexer and no HF, that is the indexer.
[source::WinEventLog:Security]
TRANSFORMS-pta = pta_syslog_filter
--> transforms.conf
[pta_syslog_filter]
# The alternation must be grouped. As originally written
# (".*EventCode=4624|4720|4723|4724|4732.*") the "|" binds looser than the text
# around it, so any event merely containing "4720" etc. anywhere in _raw was
# routed. The trailing \b stops e.g. "46240" from matching.
REGEX = EventCode=(4624|4720|4723|4724|4732)\b
DEST_KEY = _SYSLOG_ROUTING
FORMAT = pta_syslog
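An added example, not part of the original post or of CyberArk's documentation, that checks a transforms.conf REGEX like the one above against a few constructed WinEventLog lines before it is deployed. Python's re module stands in for Splunk's PCRE matching over _raw, the sample events are made up here, and the field names other than EventCode are illustrative. It shows why the pattern as posted over-routes: without grouping, the alternation is ".*EventCode=4624" OR "4720" OR ... OR "4732.*", so an EventCode 4625 event that happens to carry 4732 in its Logon ID is routed to PTA as well.

```python
import re

# Constructed sample Windows Security events (not captured data), in the
# key=value rendering the Splunk Windows add-on indexes.
SAMPLE_EVENTS = [
    "03/01/2023 10:00:01 AM LogName=Security EventCode=4624 "
    "Message=An account was successfully logged on.",
    # EventCode 4625 is NOT in the filter list, but the Logon ID contains "4732".
    "03/01/2023 10:00:02 AM LogName=Security EventCode=4625 Logon_ID=0x4732 "
    "Message=An account failed to log on.",
    "03/01/2023 10:00:03 AM LogName=Security EventCode=4720 "
    "Message=A user account was created.",
    "03/01/2023 10:00:04 AM LogName=Security EventCode=4688 "
    "Message=A new process has been created.",
    "03/01/2023 10:00:05 AM LogName=Security EventCode=4732 "
    "Message=A member was added to a security-enabled local group.",
]

# REGEX as posted in the question. "|" has lower precedence than the text on
# either side, so this is five alternatives: ".*EventCode=4624", "4720",
# "4723", "4724" and "4732.*". The bare numbers match anywhere in _raw.
POSTED_REGEX = r".*EventCode=4624|4720|4723|4724|4732.*"

# Grouped alternation plus a word boundary, so "46240" cannot match either.
FIXED_REGEX = r"EventCode=(4624|4720|4723|4724|4732)\b"

EVENT_CODE_RE = re.compile(r"EventCode=(\d+)")


def routed_event_codes(events, regex):
    """Return the EventCodes of the events that a transforms.conf stanza with
    this REGEX and DEST_KEY=_SYSLOG_ROUTING would hand to the syslog group.
    Splunk applies REGEX as an unanchored search over _raw, like re.search."""
    matcher = re.compile(regex)
    return [EVENT_CODE_RE.search(e).group(1) for e in events if matcher.search(e)]


if __name__ == "__main__":
    print("posted regex routes:", routed_event_codes(SAMPLE_EVENTS, POSTED_REGEX))
    print("fixed regex routes: ", routed_event_codes(SAMPLE_EVENTS, FIXED_REGEX))
```

Run it against a handful of real _raw samples from the index before restarting splunkd; once the pattern routes only the intended codes, confirm the stanza is actually picked up on the indexer with `splunk btool transforms list --debug`.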
Hi @richgalloway, I have updated the question with complete details. Could you check and help me find the resolution?
Basically, the PTA server is listening for syslog on some port, let's say 514.
We need to forward all the logs coming into the Splunk indexer to the PTA syslog server on that port (514).
Hi @richgalloway, the regex is working fine, and it is applied only to the Windows Events sourcetype, not to the other sourcetypes.
Windows logs are parsing properly, whereas Linux/Unix logs are not parsing to PTA from Splunk.
@suresh301086 By default, PTA doesn't support Linux events. We need to develop a custom plugin on PTA to understand Linux events.
Is it working for you?
@suresh301086 For me, PTA functionality is working for Windows events but not for Linux events. We are currently working on developing a custom plugin for Linux events.
Could you please share the forwarding configuration that you defined on the Splunk indexer/HF?
@potnuru Could you please explain how you got those Windows events to work?
I am having exactly the same problem as you described in your first post: everything is configured per the PTA documentation, but Splunk is unable to send messages to PTA.
Hi @Atavius,
I followed the CyberArk documentation and it worked for me for Windows events. Please see the configuration below for reference.
#outputs.conf
[syslog]
defaultGroup = noforward
[syslog:pta_syslog]
server = PTA-IP:514
type = tcp
timestampformat = %s
syslogSourceType = sourcetype::linux:messages
#props.conf
[source::WinEventLog:Security]
TRANSFORMS-win = pta_syslog_win
#transforms.conf
[pta_syslog_win]
# <your filter> is a placeholder for the pattern that selects the events to
# route; keep any alternation inside a group, e.g. EventCode=(4624|4720)
REGEX = <your filter>
DEST_KEY = _SYSLOG_ROUTING
FORMAT = pta_syslog