Create a Custom XSL Translator File

To control the format of syslog messages generated by the Vault, an XSL translator file can be created and applied. The translator receives the XML stream that is generated by the Vault and creates a syslog output record.

The following examples show the difference between the output XML stream directly from the Vault, and the XSL translator file that changes this information into a syslog output record. A description of each field follows the examples.

Output XML file

The following example shows an output XML generated by the Vault.

1.	<?xml version="1.0" encoding="UTF-8" standalone="no" ?>
2. <syslog>
3. <audit_record>
4. <Rfc5424>yes</Rfc5424>
5. <Timestamp>Sep 09 11:44:21</Timestamp>
6. <IsoTimestamp>2013-09-25T11:44:21Z</IsoTimestamp>
7. <Hostname>MYCOMP</Hostname>
8. <Vendor>CyberArk</Vendor>
9. <Product>Vault</Product>
10. <Version>8.1</Version>
11. <MessageID>4</MessageID>
12. <Desc>Authentication failed</Desc>
13. <Severity>Error</Severity>
14. <OSUser>John</OSUser>
15. <Issuer>Mark</Issuer>
16. <Action>Logon</Action>
17. <SourceUser></SourceUser>
18. <TargetUser></TargetUser>
19. <Safe></Safe>
20. <File></File>
21. <Station></Station>
22. <Location></Location>
23. <Category></Category>
24. <RequestId></RequestId>
25. <Reason></Reason>
26. <PvwaDetails>
27. <RequestReason>
28. <General>
29. <UserReason>I Need to Update this file</UserReason>
30. </General>
31. <ConnectionDetails>
32. <ConnectionAddress></ConnectionAddress>
33. <RemoteMachine></RemoteMachine>
34. <PSMRemoteMachine></PSMRemoteMachine>
35. <ConnectClient>SSH</ConnectClient>
36. </ConnectionDetails>
37. <AdditionalInformation>
38. <Emergency>Emergency string</Emergency>
39. <TicketId>1122</TicketId>
40. </AdditionalInformation>
41. <RequestDetails>
42. <From>6/23/2013 8:00:00 AM</From>
43. <To>6/25/2013 5:00:00 PM</To>
44. <TimeZone>(GMT+2.00)</TimeZone>
45. <Type>Single</Type>
46. </RequestDetails>
47. </RequestReason>
48. </PvwaDetails>
49. <ExtraDetails></ExtraDetails>
50. <Message></Message>
51. <GatewayStation></GatewayStation> //I3293
52. <CAProperties>
53. <CAProperty Name="UserName" Value="PSMConnect"/>
54. <CAProperty Name="Address" Value=""/>
55. <CAProperty Name="LogonDomain" Value="COMPONENTS"/>
56. </CAProperties>
57. </audit_record>
58. </syslog>

XSL translator file

The following example shows an XSL translator that transforms the XML stream sent by the Vault into an HP ArcSight CEF style entry.

1.	<?xml version="1.0" encoding="ISO-8859-1"?>
2. <xsl:stylesheet version="1.0" xmlns:xsl="">
3. <xsl:import href='./Syslog/RFC5424Changes.xsl'/>
4. <xsl:output method='text' version='1.0' encoding='UTF-8' indent='yes'/>
5. <xsl:template match="/">
6. <xsl:apply-imports />
7. <xsl:for-each select="syslog/audit_record">
8.    CEF:0|
9.    <xsl:value-of select="Vendor"/>|
10.    <xsl:value-of select="Product"/>|
11.    <xsl:value-of select="Version"/>|
12.    <xsl:value-of select="MessageID"/>|
13.    <xsl:value-of select="Desc"/>|
14.    <xsl:choose>
15.       <xsl:when test="Severity='Critical'">10</xsl:when>
16.       <xsl:when test="Severity='Error'">7</xsl:when>
17.       <xsl:when test="Severity='Info'">5</xsl:when>
18.       <xsl:otherwise>0</xsl:otherwise>
19.    </xsl:choose>
20.    <!–xsl:value-of select="Severity"/|
21.    suser=<xsl:value-of select="Issuer"/>
22.    act=<xsl:value-of select="Action"/>
23.    duser=<xsl:value-of select="SourceUser"/>
24.    fname=<xsl:value-of select="File"/>
25.    src=<xsl:value-of select="Station"/>
26.    msg=<xsl:value-of select="TargetUser"/>,
27.    <xsl:value-of select="Safe"/>,
28.    <xsl:value-of select="Location"/>,
29.    <xsl:value-of select="Category"/>,
30.    <xsl:value-of select="RequestId"/>,
31.    <xsl:value-of select="Note"/>,
32.    <xsl:value-of select="Reason"/>,
33.    <xsl:value-of select="ExtraDetails"/>,
34.    <xsl:value-of select="Message"/>
35.    <!–xsl:value-of select="OSUser"/
36. </xsl:for-each>
37. </xsl:template>
38. </xsl:stylesheet>

Sample custom XSL translator file fields

The following table describes the fields displayed in the above examples.

Field Description
Rfc5424 Whether the syslog format complies with RFC5424.
Timestamp The timestamp, in MMM DD HH:MM:SS format. For example: Jun 25 10:47:19.
IsoTimestamp The timestamp, in ISO Timestamp format (RFC 3339). For example: 2013-6-25T10:47:19Z.
Hostname The hostname, in upper case. For example: MY-COMPUTER.
Vendor A static value that represents the vendor.
Product A static value that represents the product.
Version A static value that represents the version of the Vault.
MessageID The code ID of the audit records.
Desc A static value that displays a description of the audit codes.
Severity The severity of the audit records. This is either ‘error’ or ‘info’.
Issuer The Vault user who wrote the audit. This is usually the user who performed the operation.
Action A description of the audit record.
SourceUser The name of the Vault user who performed the operation.
TargetUser The name of the Vault user on which the operation was performed.
Safe The name of the target Safe.
File The name of the target file.
Station The IP from where the operation was performed. For PVWA sessions, this will be the real client machine IP.
Location The target Location (for Location operations).
Category The category name (for category-related operations).
RequestId The unique ID of the dual control request (for dual control related audit records).
Reason The reason entered by the user.
PvwaDetails Specific details of the PVWA audit records.
ExtraDetails Specific extra details of the audit records.
Message A description of the audit records (same information as in the Desc field).
GatewayStation The IP of the web application machine (PVWA).
CAProperties Account metadata.