Security Information and Event Management (SIEM) Applications

This topic describes how to integrate the Privileged Access Manager - Self-Hosted solution with Security Information and Event Management (SIEM) applications.

Overview

CyberArk can integrate with SIEM to send audit logs through the syslog protocol, and create a complete audit picture of privileged account activities in the enterprise SIEM solution. These audit logs include user and Safe activities in the Vault, which are transferred by the Vault to various SIEM applications.

CyberArk supports the following out-of-the-box SIEM solutions :

  • HP ArcSight
  • RSA enVision
  • IBM QRadar
  • McAfee ESM

You can also use the sample XSL translator file or create a custom file, as described in Create a Custom XSL Translator File.

CyberArk’s flexible configuration enables you to:

  • Define one or more target syslog servers

  • Specify dynamic format translators

  • Filter the events that are sent to all the configured syslog servers over encrypted or non-encrypted protocols.

The configuration is built as a list of values. Each set of parameter values must be specified in correlation with the other parameter values in the configuration. This allows the system to determine the settings for each target server.

 

For a list of recommended action codes to monitor, see Vault Audit Action Codes.

Supported protocols

The Vault can use any of the following protocols to send messages:

Type

Protocol

Encrypted protocols

TLS

Non-encrypted protocols

TCP

UDP

Syslog messages can be sent to multiple syslog servers in two different ways:

  • A single message can be sent to multiple servers by configuring a single XSLT file.

  • Multiple messages can be sent to different syslog servers, and formatted differently for each server, by configuring multiple XSLT files, formats, and code-message lists. The code-message lists must match, meaning they must contain the same number of items in the same order.

Configure SIEM integration

Review and perform the prerequisites below, and then use the following procedure to configure a SIEM application.

Prerequisites

 

Only TCP and TLS are supported.

Enable and Configure DNS on the Vault Server.

 

  • The procedure must be done on all the Vault Servers.

  • Use DNS only if you have a business or operational justification. Make sure that you follow the Vault security standards. For more information, see Avoid using DNS on the Digital Vault Server.

  1. Configure the DNS Server on the Vault server:

    1. Navigate to Control Panel > Network and Internet > Network and Sharing Center > Change adapter settings.
    2. Right-click Network card > Properties.
    3. Select Internet Protocol Version 4 (TCP/IPv4), and then select Properties.

    4. Select Use the following DNS server addresses, and enter the organization DNS server.

       
      • Add at least two DNS servers for high availability.
      • Add the DNS Server with the best latency to the configured Vault, for best performance.
      • The DNS Servers of all the Vaults must be identical with the resolved assets, otherwise some services may be affected if resolution fails.

      • DNS names can contain only alphabetical characters (A-Z), numeric characters (0-9), the minus sign (-), and the period (.). Period characters are allowed only when they are used to delimit the components of domain style names. For more information, see the Microsoft support topic.

    5. Save the configuration.

  2. Enable DNS resolution:

    1. Navigate to /Server/Conf/ and open DBParm.ini.

    2. Add the following parameter: EnableDNSDynamicResolution=yes

    3. Save the file.

  3. Allow DNS in the firewall:

    1. Navigate to /Server/Conf/ and open DBParm.ini.

    2. Add the following parameter: AllowNonStandardFWAddresses=[DNSServerIP1,DNSServerIP2],Yes,53:outbound/udp

    3. Save the file.

On the syslog server, do the following actions:

  1. Verify that the syslog server is configured for TLS1.2 protocol.
     

    Configuration depends on each specific SIEM vendor. For more information, refer to the vendor's documentation.

  2. Verify that the syslog server is has a certificate from the organization. The Common Name (CN) or Subject Alternative Name (SAN) field must include the IP address, hostname, or FQDN of the syslog server.

     

    Do not use a self-signed certificate.

  3. Verify that the root CA certificate was exported in base64 format and copied to the Vault server. You will specify the path in the DBParm.ini configuration file in a later step.

 
  • For servers that sign using intermediate or subordinate certificate authorities, use the root certificate and not the intermediate or subordinate certificates.
  • You can configure multiple syslog servers but you can only specify one root certificate. The servers must share this root certificate.

Configure encrypted and non-encrypted protocols

  1. Log in to the Vault server with the administrator user.
  2. If you are going to use an encrypted protocol, do the following:

    1. Copy the root certificate of the syslog server to the Vault machine.

    2. Place the root certificate in your required location. This is the location that will be put in the SyslogTrustedCAPath parameter for encrypting the data.

  3. Navigate to the /Server/Syslog folder, and copy the relevant XSL sample translator file to the path and file name that will be used by the Vault application. This is the location that will be put in the SyslogTranslatorFile parameter.

  1. Navigate to /Server/Conf and back up the DBParm.ini file.
  2. Open the DBParm.ini file and configure the parameters that are relevant for syslog.
     

    • The number of values for each parameter must match the number of servers that you specify in the SyslogServerIP parameter.

    • For more information, see DBPARM.ini file parameters.

    Single syslog server

    The following example shows a set of syslog properties that will send different syslog messages to one syslog server using encrypted syslog protocol. The root CA certificate is located in the Vault installation directory.

     
    SyslogServerIP=192.168.1.1 
    SyslogServerPort=514
    SyslogServerProtocol=TLS
    SyslogTranslatorFile=Syslog\Arcsight.sample.xsl
    SyslogMessageCodeFilter=7,8,295
    SyslogTrustedCAPath=    "syslogCA.pem"
    UseLegacySyslogFormat=no

    Multiple syslog servers

    The following example shows a set of syslog properties that will send different syslog messages to multiple syslog servers. The system requires a complete set of values for each process. Therefore, to create more than one process, specify that number of values for each of the dependent parameters, even if some of the values are identical. In addition, the position of each value determines each process. The first value of each parameter comprises the first target server, the second value comprises the second target server, and so on.

     
    SyslogServerIP=1.1.1.0,1.1.1.1  
    SyslogServerPort=514,504
    SyslogServerProtocol=TLS,TLS
    SyslogTranslatorFile=Syslog\Arcsight.sample.xsl,Syslog\Arcsight.sample.xsl
    UseLegacySyslogFormat=no,no
    SyslogMessageCodeFilter=7,8,295|7,8,295
    SyslogTrustedCAPath=    "C:\Program Files (x86)\PrivateArk\Server\syslogCA.pem"

    Multiple syslog servers using different protocols

    The following example shows a set of syslog properties that will send different syslog messages to multiple syslog servers using different protocols, including encrypted syslog protocol, and different ports.

    Messages will be sent to the servers specified in SyslogServerPort and SyslogServerProtocol according to the corresponding order. Using the following example, messages will be sent to the first server in TLS protocol through port 514, to the second server in TCP protocol through port 504, and to the third server in UDP protocol through port 524.

     
    SyslogServerIP=192.168.1.1,192.168.2.2,192.168.3.3
    SyslogServerPort=514,504,524
    SyslogServerProtocol=TLS,TCP,UDP
    SyslogTranslatorFile=Syslog\Arcsight.sample.xsl,Syslog\ QRadar.xsl,Syslog\Arcsight.sample.xsl
    UseLegacySyslogFormat=yes,no,yes
    SyslogMessageCodeFilter=7,8,295|295-296|7
    SyslogTrustedCAPath="C:\Program Files (x86)\PrivateArk\Server\syslogCA.pem"

    Multiple syslog servers sending to different servers using encrypted protocols

    The following example shows a set of syslog properties that will send encrypted syslog messages to multiple syslog servers, to different ports.

    Messages will be sent to the servers specified in SyslogServerPort and SyslogServerProtocol according to the corresponding order. Using the following example, messages are sent to the first server in TLS protocol via port 514, and to the second server in TLS protocol via port 6514. The destination servers must be signed using the same root certificate.

     
    SyslogServerIP=192.168.1.1,192.168.3.3
    SyslogServerPort=514,6514
    SyslogServerProtocol=TLS,TLS
    SyslogTranslatorFile=Syslog\Arcsight.sample.xsl,Syslog\Arcsight.sample.xsl
    UseLegacySyslogFormat=yes,yes
    SyslogMessageCodeFilter=7,8,295|7
    SyslogTrustedCAPath="    C:\Program Files (x86)\PrivateArk\Server\syslogCA.pem"

     

    The .PEM file for the SyslogTrustedCAPath parameter contains the certificate chain for both syslog servers.

  3. Save the DBPARM.ini file.
  4. Restart the Vault server to apply the configuration changes.

  5. Ensure that the Vault starts successfully and that there are no errors in the log.

     

    If you have errors in the log, see Syslog Messages for troubleshooting information.
  6. Perform this procedure on all the Vaults (cluster nodes, DR Vaults, and Satellite Vaults) using the same configuration files.

DBPARM.ini file parameters

The table describes only those file values that are relevant for syslog.

Parameter

Description

Mandatory

SyslogServerIP

The IP address(es), hostname(s), or or Fully Qualified Domain Name(s) (FQDNs) of the syslog servers where messages will be sent. Use commas to separate multiple values.

 

When using encrypted syslog, make sure that it meets the requirements specified in the Encrypted protocol only prerequisites above.

If you specify the FQDN or hostname, the Vault server must be able to resolve it. Configure one of the following.

  • Verify that the syslog server meets the DNS Resolution prerequisites described above.
  • Specify the DNS in the SyslogServerIP parameter.
  1. Open the the %WINDOWS%\System32\Drivers\Etc\hosts file.
  2. Define the IP address and hostname of the syslog server to resolve the DNS name.
 ü

SyslogServerPort

The port(s) used to connect to the syslog server. Separate multiple values with commas.
Default value: 514

Make sure that the order of the specified ports corresponds to the order of the specified IP addresses or hostnames and protocols.

 ü

SyslogServerProtocol

Specifies the syslog protocol(s) that will be used to send audit logs. Separate multiple values with commas.

Valid values: TCP/UDP/TLS

Default value: UDP

Make sure that the order of the specified protocols corresponds to the order of the specified IP addresses or hostnames and ports.

 ü

SyslogTrustedCAPath

The path of the authority trust store that contains the Certificate Authority chain that was signed in the syslog server certificate. If you do not specify this path, the Vault installation path will be used by default.

Example:

-----BEGIN CERTIFICATE-----

public-certificate in base64 format

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

public-certificate in base64 format

-----END CERTIFICATE-----

 

This parameter is mandatory when configuring encrypted syslog, and must be in base64 format.
 

SyslogMessageCodeFilter

Defines which message codes will be sent from the Vault to the SIEM application through syslog protocol. You can specify message numbers and/or ranges of numbers, separated by commas. For example, to specify messages 1,2,3,30 and 5-10, specify the following value: 1,2,3,5-10,30. Specify multiple values with pipelines. By default, all message codes are sent for user and Safe activities. For a list of messages and codes, see Vault Audit Action Codes.

 ü

SyslogTranslatorFile

Specifies the XSL file used to parse CyberArk audit records data into syslog protocol. Specify multiple values with commas.

 ü

DebugLevel

Determines the level of debug messages. To include syslog xml messages in the trace file, specify SYSLOG(2).

  

UseLegacySyslogFormat

Controls the format of the syslog message, and defines whether it will be sent in a newer syslog format (RFC 5424) or in a legacy format. The default value is No, which configures the system to work with the newer syslog format (RFC 5424). Specify multiple values with commas.

 ü

SyslogMsgsQueue
NotificationThreshold

The maximum number of syslog messages in the syslog queue, which will generate a threshold notification to ITALog.
Default value: 10,000

  

SyslogProcessingTasks

The total number of parallel tasks that can be assigned when processing audits that are parsed from XML to the final syslog format.

Valid values: 1-600

Default value: <Number of configured servers>

 ü

 

SyslogMessageProcessingLimit

The total number of audit messages allowed to queue for processing from XML to XSL format.

Messages that arrive when the queue is full are truncated, and aren't processed for syslog.

Valid values:  Positive integers only

Default Value: 0 (unlimited)

 ü

 

SyslogServerMessageLimit

The total number of syslog messages allowed to queue to be sent to a single syslog server destination.

Messages that arrive when the queue is full are truncated, and aren't sent to the syslog server destination.

Valid values:  Positive integers only

Default Value: 0 (unlimited)

 ü

 

SyslogLimitNotificationFrequency

How frequently “message queue full” warnings are displayed in the Server Console. This parameter affects both the SyslogProcessingMessagesLimit and SyslogServerMessagesLimit parameters.

The value is in seconds.

Valid values: Positive integers only. 0 = prints every messages. This value is not recommended.

Default value: 900 (15 minutes)

 ü