Security Information and Event Management (SIEM) Applications

This topic describes how to integrate the Privileged Access Security solution with Security Information and Event Management (SIEM) applications.

Overview

CyberArk can integrate with SIEM to send audit logs through the syslog protocol and create a complete audit picture of privileged account activities in the enterprise SIEM solution. These audit logs include user and Safe activities in the Vault, which are transferred by the Vault to various SIEM applications.

CyberArk supports the following SIEM solutions out of the box:

  • HP ArcSight
  • RSA enVision
  • IBM QRadar
  • McAfee ESM

You can also use the sample XSL translator file or create a custom file, as described in Create a Custom XSL Translator File.

CyberArk’s flexible configuration enables you to define one or more target syslog servers, specify dynamic format translators, and filter the events that will be sent to all the configured syslog servers over encryted or non-encryted protocols.

The configuration is built as a list of values, where each set of parameter values must be specified in correlation with the other parameter values in the configuration, so that the system can determine the settings for each target server.

 

For a list of recommended action codes to monitor, see Vault Audit Action Codes.

Supported protocols

The Vault can use any of the following protocols to send messages:

Type

Protocol

Encrypted protocols

TLS

Non-encrypted protocols

TCP

UDP

Syslog messages can be sent to multiple syslog servers in two different ways:

A single message can be sent to multiple servers by configuring a single XSLT file.
Multiple messages can be sent to different syslog servers, and formatted differently for each server, by configuring multiple XSLT files, formats, and code-message lists.The code-message lists must match, meaning they must contain the same number of items in the same order.

Configure SIEM integration

Ensure that prequisites listed below are met. Then use the following procedure to configure a SIEM application.

Prerequisites

Configure encrypted and non-encrypted protocols

  1. Log in to the Vault server with the administrator user.
  2. If you are going to use an encrypted protocol, do the following:
    1. Copy the root certificate of the syslog server to the Vault machine.

    2. Place the root certificate in your required location. This is the location that will be put in the SyslogTrustedCAPath parameter for encrypting the data.

  3. Navigate to the /Server/Syslog folder, and copy the relevant XSL sample translator file to the path and file name that will be used by the Vault application. This is the location that will be put in the SyslogTranslatorFile parameter.

  1. Navigate to /Server/Conf and back up the In DBParm.ini file.
  2. Open the DBParm.ini file and configure the parameters that are relevant for syslog.
     
    • The number of values for each parameter must match the number of servers that you specify in the SyslogServerIP parameter.

    • For more information, see DBPARM.ini file parameters.

  3. Save the DBPARM.ini file .
  4. Restart the Vault server to apply the configuration changes.
  5. Ensure that the Vault starts successfully and that there are no errors in the log.

     

    If you have errors in the log, see Syslog Messages for troubleshooting information.

  6. Perform this procedure on all the Vaults (cluster nodes, DR Vaults, and Satellite Vaults) using the same configuration files.

DBPARM.ini file parameters

The table describes only those file values that are relevant for syslog.

Parameter

Description

Mandatory

SyslogServerIP

The IP address(es), hostname(s), or or Fully Qualified Domain Name(s) (FQDNs) of the syslog servers where messages will be sent. Use commas to separate multiple values.

 

When using encrypted syslog, make sure that it meets the requirements specified in the Encrypted protocol only prerequisites above.

If you specify the FQDN or hostname, the Vault Server must be able to resolve it. Configure one of the following.

ü

SyslogServerPort

The port(s) used to connect to the Syslog server. Separate multiple values with commas.
Default value: 514

Make sure that the order of the specified ports corresponds to the order of the specified IP addresses or hostnames and protocols.

ü

SyslogServerProtocol

Specifies the Syslog protocol(s) that will be used to send audit logs. Separate multiple values with commas.

Valid values: TCP/UDP/TLS
Default value: UDP

Make sure that the order of the specified protocols corresponds to the order of the specified IP addresses or hostnames and ports.

ü

SyslogTrustedCAPath

The path of the root CA certificate that was signed in the syslog server certificate. If you do not specify this path, the Vault installation path will be used by default.

 

This parameter is mandatory when configuring encrypted syslog.

 

SyslogMessageCodeFilter

Defines which message codes will be sent from the Vault to the SIEM application through Syslog protocol. You can specify message numbers and/or ranges of numbers, separated by commas. For example, to specify messages 1,2,3,30 and 5-10, specify the following value: 1,2,3,5-10,30. Specify multiple values with pipelines. By default, all message codes are sent for user and Safe activities. For a list of messages and codes, see Vault Audit Action Codes.

ü

SyslogTranslatorFile

Specifies the XSL file used to parse CyberArk audit records data into Syslog protocol. Specify multiple values with commas.

ü

DebugLevel

Determines the level of debug messages. To include Syslog xml messages in the trace file, specify SYSLOG(2).

 

UseLegacySyslogFormat

Controls the format of the syslog message, and defines whether it will be sent in a newer syslog format (RFC 5424) or in a legacy format. The default value is No, which configures the system to work with the newer syslog format (RFC 5424). Specify multiple values with commas.

ü

SyslogMsgsQueue
NotificationThreshold

The maximum number of syslog messages in the syslog queue, which will generate a threshold notification to ITALog.
Default value: 10,000

 

SyslogProcessingTasks

The total number of parallel tasks that can be assigned when processing audits that are parsed from XML to the final syslog format.

Valid values: 1-600

Default value: <Number of configured servers>

ü

 

SyslogMessageProcessingLimit

The total number of audit messages allowed to queue for processing from XML to XSL format.

Messages that arrive when the queue is full are truncated, and aren't processed for syslog.

Valid values:  Positive integers only

Default Value: 0 (unlimited)

ü

 

SyslogServerMessageLimit

The total number of syslog messages allowed to queue to be sent to a single syslog server destination.

Messages that arrive when the queue is full are truncated, and aren't sent to the syslog server destination.

Valid values:  Positive integers only

Default Value: 0 (unlimited)

ü

 

SyslogLimitNotificationFrequency

How frequently “message queue full” warnings are displayed in the Server Console. This parameter affects both the SyslogProcessingMessagesLimit and SyslogServerMessagesLimit parameters.

The value is in seconds.

Valid values: Positive integers only. 0 = prints every messages. This value is not recommended.

Default value: 900 (15 minutes)

ü