Monitor the Credential Provider

This topic describes how to configure monitoring for the Credential Provider.

Monitor the CyberArk application password provider service

The Credential Provider runs the CyberArk Application Password Provider (appprovider) service, which can be monitored by standard enterprise monitoring tools that track its status.

This lets you know when the Credential Provider is active and responsive to password requests, and when a problem prevents the Credential Provider from functioning properly and causes it to stop.

Messages are identifiable by their source name, which is CyberArkAIM. These messages include:

  • Status messages such as Server is starting and Server is shutting down
  • Error messages that occur because the Credential Provider cannot supply the password to the application due to authorization or configuration issues

To configure monitoring and alerts, see the platform-specific sections below.

Configure monitoring and alerts in Windows

Informational messages can be viewed in the Windows Event Viewer. This section describes how to use the Windows Task Manager and the Windows Performance Monitor to trigger alerts and display them in the Windows Event Viewer.

This section describes Windows 10 tools. The instructions and images may differ if you are on a different Windows environment.

To set up monitoring and alerts in Windows:

  1. Define the log source.

    On the Credential Provider machine, define the log source:

    New-EventLog -LogName Application -Source "CyberArkAIM"
  2. Create a script that writes alerts to the Windows Event Viewer.

    Copy the following script into a text file and save it with a .ps1 extension, for example cp-event-alerts.ps1. This script writes alerts to the Windows Event Viewer when the AppProvider service exceeds the specified limits.

    # Arguments passed by the scheduled task, in this order:
    # counter, date and time, counter name, threshold, current value.
    $counter = $Args[0]
    $datentime = $Args[1]
    $counterName = $Args[2]
    $threshold = $Args[3]
    $value = $Args[4]

    # Build the event description, one item per line.
    $Body = "Date and Time of Alert: $datentime`nPerfmon Counter: $counterName`nThreshold Value: $threshold`nCurrent Value: $value"

    # Write an Error event to the Application log. The source must match the one
    # registered with New-EventLog in step 1; Write-EventLog rejects unregistered sources.
    Write-EventLog -LogName Application -Source "CyberArkAIM" -EntryType Error -EventId 258 -Message $Body
  3. Create a task that runs the script.

    In this step you use the Task Scheduler to create a task that runs the script that you created above.

    In the Task Scheduler, create a task called AlertHighPerformance. In the Actions tab, create a Start a program action, and provide the following settings:

    Program/script

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

    Add arguments

    The path to the script that you created above.

    -File <path_to_script_alert>.ps1 $(Arg0)

    For example:

    -File C:\cp-event-alerts.ps1 $(Arg0)

  4. Configure alerts.

    In this step you create alerts and configure the counters and the limits above which alerts are activated. The Performance Monitor uses the task you created above to send an alert to the Windows Event Viewer when a limit is exceeded.

    To configure alerts:

    1. In Performance Monitor, create a Data Collector set, for example, AppProviderData.
    2. Add a Data Collector of type Performance counter alert for each of the following AppProvider performance counters:

      • CPU usage: % Processor Time

      • Memory usage: Private Bytes

      For CPU usage:

      1. Add a Data Collector named High CPU usage.

      2. Select the AppProvider's % Processor Time counter: select the Process object, select AppProvider as the instance in the lower box, and then select % Processor Time from the Process counters.

      3. Set the limit at which an alert should be triggered.

      Repeat for memory usage (Private Bytes).

    3. Start the Data Collector set.

Every 15 seconds the Performance Monitor reads the counters' values. If a value exceeds its defined limit, an alert is triggered, and an event is sent to the Windows Event Viewer.

Configure monitoring and alerts in UNIX Syslog

On Unix systems, Credential Provider messages can be viewed in the UNIX System Log (syslog).

Configure the syslog

The syslog can be configured to write Credential Provider messages to the messages file, alongside any other daemon facility messages.

The Credential Provider writes to the syslog with the following facility and priorities:

  • Facility: daemon
  • Priority: Info, Err, Warning

You can configure each message priority to write to a custom location.

To configure the syslog for the Credential Provider:

  1. In the syslog configuration file, syslog.conf, add a line with the following syntax. The selector list and the file path are separated by whitespace (traditionally a tab):

    <facility>.<priority>[;<facility>.<priority>;…]    <file path>

    The following example writes all daemon facility messages (information, errors and warnings) to the /var/log/messages file:

    daemon.err;daemon.warning;daemon.info    /var/log/messages
  2. Restart the syslog service.

Configure monitoring and alert commands

This section describes the commands used for monitoring the Credential Provider and sending alerts to the syslog.

When the CyberArk Application Password Provider service is running, the configured service fields are monitored. If a measurement reaches its limit, an alert is written to the syslog.

You can configure monitoring and alerts for the following fields:

  • pcpu (CPU%): CPU utilization of the process, in "##.#" format. Currently, this is the CPU time used divided by the time the process has been running (cputime/realtime ratio), expressed as a percentage. These per-process values will not add up to 100% except by coincidence.
    Alias: pcpu
  • %mem/pmem (%MEM): Ratio of the process's resident set size to the physical memory on the machine, expressed as a percentage.
    Alias: pmem

Run the command relevant for your platform:

  • You can add the commands to a script.
  • Schedule the commands (or script) to run repeatedly, for example every 15 seconds, using crontab or any other scheduling tool.
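As an added example (not the documentation's own command), the following POSIX sh script reads the two fields above from ps, compares them with limits, and writes alerts with the daemon facility so that the syslog.conf line in the previous section routes them to /var/log/messages. The process name appprovider comes from the service description above; the limits, the cp-monitor tag, and the use of pgrep and logger are assumptions.

```shell
#!/bin/sh
# Added example (not the documentation's own command): measure the appprovider
# process's pcpu and pmem fields from the table above and write an alert to syslog
# with the daemon facility when a limit is exceeded. Limits are assumed values.
CP_PROCESS="${CP_PROCESS:-appprovider}"
CPU_LIMIT="${CPU_LIMIT:-80.0}"   # pcpu limit in percent (assumption)
MEM_LIMIT="${MEM_LIMIT:-50.0}"   # pmem limit in percent (assumption)

# Prints an alert line and returns 0 when value > limit; returns 1 otherwise.
# awk does the comparison because sh arithmetic is integer-only and ps prints "##.#".
check_limit() {
  field="$1"; value="$2"; limit="$3"
  if awk -v v="$value" -v l="$limit" 'BEGIN { exit !(v + 0 > l + 0) }'; then
    printf '%s: %s=%s exceeds limit %s\n' "$CP_PROCESS" "$field" "$value" "$limit"
    return 0
  fi
  return 1
}

# Evaluates both fields; prints one line per exceeded limit and returns 1 if any was.
evaluate_usage() {
  pcpu="$1"; pmem="$2"; rc=0
  check_limit pcpu "$pcpu" "$CPU_LIMIT" && rc=1
  check_limit pmem "$pmem" "$MEM_LIMIT" && rc=1
  return $rc
}

# One monitoring pass: reads the live values (ps -o pcpu=,pmem= suppresses the
# header) and sends alerts with daemon.warning, which the syslog.conf line above
# routes to /var/log/messages. Returns 0 in range, 1 alerted, 2 process not found.
monitor_once() {
  pid=$(pgrep -x "$CP_PROCESS" | head -n 1)
  if [ -z "$pid" ]; then
    logger -p daemon.err -t cp-monitor "$CP_PROCESS is not running"
    return 2
  fi
  usage=$(ps -p "$pid" -o pcpu=,pmem=)
  set -- $usage
  if alerts=$(evaluate_usage "$1" "$2"); then
    return 0
  fi
  printf '%s\n' "$alerts" | while IFS= read -r line; do
    logger -p daemon.warning -t cp-monitor "$line"
  done
  return 1
}
```

Append monitor_once as the script's last line and schedule the script with crontab as described above.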

Configure authentication warnings

During application authentication, the Credential Provider writes a warning to APPConsole.log when the application's authentication methods do not follow CyberArk's authentication recommendations. This warning is written when authentication is successful, and is also available in the Windows Event Viewer and syslog.

By default, this warning appears once a day per application authentication. You can configure it using the AuthenticationLogsInterval and AuthenticationLogs parameters. See Credential Provider (CP) configuration files for configuration details.

When the Credential Provider successfully authenticates an application using authentication methods defined in the PVWA, but those methods do not follow CyberArk's best practices for defining authentication methods, the following warnings are logged in APPConsole.log:

  • Log level: Warning
    Action: No authentication set for the application.
    Message: There are no authentication methods defined for this application [app_name]. We recommend combining at least two authentication methods for an application, including either OS User or Allowed Machines authentication, or both.
  • Log level: Warning
    Action: Only Hash/Path authentication, without OS User/Allowed Machine.
    Message: We recommend combining at least two authentication methods for an application, including either OS User or Allowed Machines authentication, or both.

Log files

To monitor Credential Provider activity and status, the Credential Provider creates the following log files:

  • APPConsole.log: Contains informational messages about the Credential Provider, such as Server is starting and Server is shutting down. This log is meant for system administrators who monitor the status of the Credential Provider, as well as for programmers who install their applications on the Credential Provider machine and write the SDK commands that retrieve passwords.

    Errors that refer to Provider function and application authentication are included in this log.

    All the messages that are written in the console log file are also written in the UNIX system log. For more information, see Configure monitoring and alerts in UNIX Syslog.

  • APPTrace.log: Contains errors and trace messages. The types of messages that are included depend on the debug levels specified in the main configuration file.

When these log files reach a predefined maximum size, they are moved to the old subfolder of the Logs folder, and new log files are started automatically. For more information about configuring the maximum log file size, see Configure audit and monitor log files.

To configure debug levels in the logs, see Configure debug levels.