Create a Custom XSL Translator File

To control the format of syslog messages generated by the Vault, an XSL translator file can be created and applied. The translator receives the XML stream that is generated by the Vault and creates a syslog output record.

The following examples show the difference between the output XML stream directly from the Vault, and the XSL translator file that changes this information into a syslog output record. A description of each field follows the examples.

Output XML file

The following example shows the output XML stream generated by the Vault for a single audit record.

<?xml version="1.0" encoding="UTF-8" standalone="no" ?>
<syslog>
  <audit_record>
    <Rfc5424>yes</Rfc5424>
    <Timestamp>Sep 09 11:44:21</Timestamp>
    <IsoTimestamp>2013-09-25T11:44:21Z</IsoTimestamp>
    <Hostname>MYCOMP</Hostname>
    <Vendor>CyberArk</Vendor>
    <Product>Vault</Product>
    <Version>8.1</Version>
    <MessageID>4</MessageID>
    <Desc>Authentication failed</Desc>
    <Severity>Error</Severity>
    <OSUser>John</OSUser>
    <Issuer>Mark</Issuer>
    <Action>Logon</Action>
    <SourceUser></SourceUser>
    <TargetUser></TargetUser>
    <Safe></Safe>
    <File></File>
    <Station></Station>
    <Location></Location>
    <Category></Category>
    <RequestId></RequestId>
    <Reason></Reason>
    <PvwaDetails>
      <RequestReason>
        <General>
          <UserReason>I Need to Update this file</UserReason>
        </General>
        <ConnectionDetails>
          <ConnectionAddress>1.1.1.196</ConnectionAddress>
          <RemoteMachine>1.1.1.120</RemoteMachine>
          <PSMRemoteMachine>1.1.1.120</PSMRemoteMachine>
          <ConnectClient>SSH</ConnectClient>
        </ConnectionDetails>
        <AdditionalInformation>
          <Emergency>Emergency string</Emergency>
          <TicketId>1122</TicketId>
        </AdditionalInformation>
        <RequestDetails>
          <From>6/23/2013 8:00:00 AM</From>
          <To>6/25/2013 5:00:00 PM</To>
          <TimeZone>(GMT+2.00)</TimeZone>
          <Type>Single</Type>
        </RequestDetails>
      </RequestReason>
    </PvwaDetails>
    <ExtraDetails></ExtraDetails>
    <Message></Message>
    <GatewayStation></GatewayStation>
    <CAProperties>
      <CAProperty Name="UserName" Value="PSMConnect"/>
      <CAProperty Name="Address" Value="10.0.1.12"/>
      <CAProperty Name="LogonDomain" Value="COMPONENTS"/>
    </CAProperties>
  </audit_record>
</syslog>

XSL translator file

The following example shows an XSL translator that transforms the XML stream sent by the Vault into an HP ArcSight CEF style entry.

<?xml version="1.0" encoding="ISO-8859-1"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:import href='./Syslog/RFC5424Changes.xsl'/>
  <xsl:output method='text' version='1.0' encoding='UTF-8' indent='yes'/>
  <xsl:template match="/">
    <xsl:apply-imports />
    <xsl:for-each select="syslog/audit_record">
      <!-- Literal text is wrapped in xsl:text so that the indentation of this
           file is not copied into the text output; one CEF record per line. -->
      <!-- CEF header: CEF:Version|Vendor|Product|Version|MessageID|Desc|Severity -->
      <xsl:text>CEF:0|</xsl:text>
      <xsl:value-of select="Vendor"/><xsl:text>|</xsl:text>
      <xsl:value-of select="Product"/><xsl:text>|</xsl:text>
      <xsl:value-of select="Version"/><xsl:text>|</xsl:text>
      <xsl:value-of select="MessageID"/><xsl:text>|</xsl:text>
      <xsl:value-of select="Desc"/><xsl:text>|</xsl:text>
      <!-- Map the Vault severity name to the numeric CEF severity -->
      <xsl:choose>
        <xsl:when test="Severity='Critical'">10</xsl:when>
        <xsl:when test="Severity='Error'">7</xsl:when>
        <xsl:when test="Severity='Info'">5</xsl:when>
        <xsl:otherwise>0</xsl:otherwise>
      </xsl:choose>
      <!--<xsl:value-of select="Severity"/>-->
      <xsl:text>|</xsl:text>
      <!-- CEF extension: space-separated key=value pairs -->
      <xsl:text>suser=</xsl:text><xsl:value-of select="Issuer"/>
      <xsl:text> act=</xsl:text><xsl:value-of select="Action"/>
      <xsl:text> duser=</xsl:text><xsl:value-of select="SourceUser"/>
      <xsl:text> fname=</xsl:text><xsl:value-of select="File"/>
      <xsl:text> src=</xsl:text><xsl:value-of select="Station"/>
      <!-- Several record fields are packed, comma-separated, into msg -->
      <xsl:text> msg=</xsl:text><xsl:value-of select="TargetUser"/><xsl:text>,</xsl:text>
      <xsl:value-of select="Safe"/><xsl:text>,</xsl:text>
      <xsl:value-of select="Location"/><xsl:text>,</xsl:text>
      <xsl:value-of select="Category"/><xsl:text>,</xsl:text>
      <xsl:value-of select="RequestId"/><xsl:text>,</xsl:text>
      <xsl:value-of select="Note"/><xsl:text>,</xsl:text>
      <xsl:value-of select="Reason"/><xsl:text>,</xsl:text>
      <xsl:value-of select="ExtraDetails"/><xsl:text>,</xsl:text>
      <xsl:value-of select="Message"/>
      <!--<xsl:value-of select="OSUser"/>-->
      <xsl:text>&#10;</xsl:text>
    </xsl:for-each>
  </xsl:template>
</xsl:stylesheet>

Sample custom XSL translator file fields

The following table describes the fields displayed in the above examples.

Field            Description
Rfc5424          Whether the syslog format complies with RFC 5424.
Timestamp        The timestamp, in MMM DD HH:MM:SS format. For example: Jun 25 10:47:19.
IsoTimestamp     The timestamp, in ISO timestamp format (RFC 3339). For example: 2013-6-25T10:47:19Z.
Hostname         The hostname, in upper case. For example: MY-COMPUTER.
Vendor           A static value that represents the vendor.
Product          A static value that represents the product.
Version          A static value that represents the version of the Vault.
MessageID        The code ID of the audit record.
Desc             A static value that displays a description of the audit code.
Severity         The severity of the audit record. This is either 'error' or 'info'.
Issuer           The Vault user who wrote the audit. This is usually the user who performed the operation.
Action           A description of the audit record.
SourceUser       The name of the Vault user who performed the operation.
TargetUser       The name of the Vault user on which the operation was performed.
Safe             The name of the target Safe.
File             The name of the target file.
Station          The IP address from which the operation was performed. For PVWA sessions, this is the IP address of the real client machine.
Location         The target Location (for Location operations).
Category         The category name (for category-related operations).
RequestId        The unique ID of the dual control request (for dual control related audit records).
Reason           The reason entered by the user.
PvwaDetails      Specific details of the PVWA audit records.
ExtraDetails     Specific extra details of the audit records.
Message          A description of the audit record (the same information as in the Desc field).
GatewayStation   The IP address of the web application machine (PVWA).
CAProperties     Account metadata.