Send PTA syslog Records to SIEM
PTA can integrate with any SIEM solution that accepts syslog in RFC3164 or RFC5424 format, and sends the incidents it detects to that SIEM as syslog messages.
This section describes how to configure the outbound integration of PTA with your SIEM solution.
In both the CEF and the LEEF output, you can identify PTA records by their device vendor name, CyberArk, and their device product name, PTA.
1. On the PTA machine, open the default systemparm.properties file using the DEFAULTPARM command.
2. Copy the line containing the syslog_outbound property, and exit the file.
3. Open the local systemparm.properties file using the LOCALPARM command.
4. Press i to edit the file.
5. Paste the line you copied, uncomment the syslog_outbound property and edit the parameters. Use the following table as a guide.
| Parameter | Description |
|---|---|
| siem | The name of the SIEM system in your organization. |
| format | The message format used to send the syslog records to the target SIEM solution. Enter CEF or LEEF. |
| host | The host name or IP address of the target SIEM solution. |
| port | The port on which the target SIEM solution listens for the syslog records. |
| protocol | The transport protocol used to send the syslog records to the target SIEM solution. Enter TCP, UDP, or TLS. PTA supports either unsecured (TCP, UDP) or secured (TLS 1.2) syslog; TCP and UDP carry the incident data in cleartext, so prefer TLS where the SIEM supports it. When you set protocol to TLS, ensure that PTA trusts the configured syslog receiver. For details, see Configure PTA trusted connection to SIEM. |
| syslogType | The syslog header format. Enter RFC3164 or RFC5424. This parameter is optional; the default value is RFC3164. |
| tcpOctetCounting | Enables octet-counting framing for syslog transmission over TCP. When enabled, each syslog message is prefixed with its length in bytes, so the receiver does not depend on a newline terminator to find the end of a record. Enter true or false. This parameter is optional; the default value is false. |
Example for HP ArcSight, McAfee, RSA, Splunk, or LogRhythm:
syslog_outbound=[{"siem": "McAfee", "format": "CEF", "host": "SIEM_MACHINE_ADDRESS", "port": 1236, "protocol": "TCP"}]
Example for QRadar:
syslog_outbound=[{"siem": "QRadar", "format": "LEEF", "host": "SIEM_MACHINE_ADDRESS", "port": 1236, "protocol": "UDP"}]
Example for multiple syslog recipients, separated by commas inside the same JSON array:
syslog_outbound=[{"siem": "RSA", "format": "CEF", "host": "SIEM_MACHINE_ADDRESS", "port": 1236, "protocol": "UDP"}, {"siem": "QRadar", "format": "LEEF", "host": "SIEM_MACHINE_ADDRESS", "port": 1236, "protocol": "TCP"}, …]
In the UI, when the same event occurs multiple times, the occurrences are aggregated into one event. PTA can either send each occurrence of the aggregated event as a separate outbound notification, or send only the first occurrence. To configure this behavior, use the enable_outbound_upon_aggregation_anomalies parameter. Decide this before you tune SIEM correlation rules: with only the first occurrence sent, the SIEM does not see the repeat count.
6. Save the configuration file and close it.
7. Restart PTA.
8. To view the syslog records sent by PTA, see:
■ CEF-Based Format Definition
■ LEEF-Based Format Definition
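The following Python script is an added example for the procedure above; it is not CyberArk code and nothing in it runs on the PTA machine. It builds and validates the syslog_outbound line from the parameter table, and then shows, from the SIEM's point of view, what the tcpOctetCounting setting changes and how to pick PTA records out of a mixed syslog feed by vendor and product. The sample records, host names, event names and the x.y version string are constructed for illustration and are not real PTA output.

```python
"""Added example for the syslog_outbound procedure above: builds and checks
the configuration line, and shows what the tcpOctetCounting choice means
on the receiving side. Not CyberArk code; sample records are constructed."""
from __future__ import annotations

import json
import re

# Allowed values, taken from the parameter table on this page.
ALLOWED = {
    "format": {"CEF", "LEEF"},
    "protocol": {"TCP", "UDP", "TLS"},
    "syslogType": {"RFC3164", "RFC5424"},
}
REQUIRED = ("siem", "format", "host", "port", "protocol")


def validate_recipient(recipient: dict) -> dict:
    """Check one recipient object and return its effective settings
    (optional keys filled in with the documented defaults)."""
    missing = [k for k in REQUIRED if k not in recipient]
    if missing:
        raise ValueError(f"missing keys: {missing}")
    for key, allowed in ALLOWED.items():
        if key in recipient and recipient[key] not in allowed:
            raise ValueError(f"{key}={recipient[key]!r}, expected one of {sorted(allowed)}")
    port = recipient["port"]
    if not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError(f"port {port!r} is not a valid port number")
    if not isinstance(recipient.get("tcpOctetCounting", False), bool):
        raise ValueError("tcpOctetCounting must be true or false")
    effective = dict(recipient)
    effective.setdefault("syslogType", "RFC3164")
    effective.setdefault("tcpOctetCounting", False)
    return effective


def build_syslog_outbound(recipients: list[dict]) -> str:
    """Render the line to paste into the local systemparm.properties.
    Every recipient is validated first; one bad entry rejects the line."""
    for recipient in recipients:
        validate_recipient(recipient)
    return "syslog_outbound=" + json.dumps(recipients, separators=(", ", ": "))


def frame_tcp(message: str, octet_counting: bool) -> bytes:
    """Frame one message for a TCP stream the way tcpOctetCounting selects:
    true  -> RFC 6587 octet counting, "<byte length> <message>"
    false -> the message followed by a newline terminator."""
    body = message.encode("utf-8")
    if octet_counting:
        return str(len(body)).encode("ascii") + b" " + body
    return body + b"\n"


def split_frames(stream: bytes, octet_counting: bool) -> list[str]:
    """Receiver side: split a TCP byte stream back into messages. Newline
    framing breaks a record that itself contains a newline; octet counting
    does not, which is why the setting exists."""
    if not octet_counting:
        return [part.decode("utf-8") for part in stream.split(b"\n") if part]
    messages, pos = [], 0
    while pos < len(stream):
        space = stream.index(b" ", pos)
        length = int(stream[pos:space])
        start = space + 1
        messages.append(stream[start:start + length].decode("utf-8"))
        pos = start + length
    return messages


# CEF and LEEF headers both carry Vendor and Product as the first two
# pipe-separated fields after the version tag.
_HEADER = re.compile(r"(?:CEF:0|LEEF:\d\.\d)\|([^|]*)\|([^|]*)\|")


def is_pta_record(line: str) -> bool:
    """Identify a PTA record by vendor CyberArk and product PTA, as the page
    describes, whichever syslog header (RFC3164 or RFC5424) precedes it."""
    match = _HEADER.search(line)
    return bool(match) and match.group(1) == "CyberArk" and match.group(2) == "PTA"


# Constructed sample records (hosts, event names and version x.y are made up).
SAMPLE_RFC3164 = ("<13>Jan  2 10:15:00 pta-host CEF:0|CyberArk|PTA|x.y|1|"
                  "Sample detection|8|msg=first line\nsecond line")
SAMPLE_RFC5424 = ("<13>1 2024-01-02T10:15:00Z pta-host PTA - - - "
                  "LEEF:1.0|CyberArk|PTA|x.y|1|devTime=2024-01-02T10:15:00Z")
SAMPLE_OTHER = "<13>Jan  2 10:15:01 fw01 CEF:0|Vendor|Product|1.0|100|Other|3|"


if __name__ == "__main__":
    print(build_syslog_outbound([{"siem": "QRadar", "format": "LEEF",
                                  "host": "SIEM_MACHINE_ADDRESS", "port": 1236,
                                  "protocol": "TLS"}]))
    both = [SAMPLE_RFC3164, SAMPLE_RFC5424]
    for octet in (False, True):
        stream = b"".join(frame_tcp(m, octet) for m in both)
        print(f"tcpOctetCounting={octet}: {len(split_frames(stream, octet))} records received")
```

Run it once before pasting the generated line into the local systemparm.properties; a typo in format or protocol raises a ValueError here instead of silently stopping outbound delivery after the restart in step 7. The two framing runs show the practical difference behind tcpOctetCounting: with newline framing the constructed record whose msg field spans two lines arrives at the SIEM as two broken records, with octet counting it arrives intact, so enable it whenever the SIEM's TCP syslog input understands RFC 6587 framing.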