| Source | Destination | Port |
|---|---|---|
| CyberArk Enterprise Password Vault (CyberArk EPV) | CyberHub | 601 (TCP) |
| CyberArk Enterprise Password Vault (CyberArk Privilege Cloud) | CyberHub | 6514 (TLS) |
To facilitate secure communication and align with our best practices, we strongly encourage the use of Transport Layer Security (TLS) between your security devices and our Adaptive MxDR platform for event forwarding.
While we understand that TLS support may not be available on all devices, if your devices do support TLS communication, we recommend using port 6514 for seamless integration.
In some cases, the upgraded version of the device might incorporate TLS support without prior notice. If you come across such a scenario or for further assistance in configuring TLS, we kindly ask you to reach out to your dedicated Adaptive MxDR Service Delivery Lead.
Device Configuration
To Configure CyberArk EPV to Collect Logs
Syslog messages can be sent to multiple syslog servers in two different ways:
a. A single message can be sent to multiple servers by configuring a single XSLT file. Logs from the log file are parsed using a single XSL file (Arcsight.sample.xsl) and sent to multiple syslog destinations.
b. Logs from the log file can be sent to different syslog destinations and formatted differently for each destination by configuring multiple XSL files, formats, and message code lists.
It is not mandatory to keep the message code lists in the same order as mentioned; you may set the order so that the required activity logs are fetched according to their codes.
Log in to the CyberArk EPV server directly or through RDP as an Administrator.
In <InstallDir>\PrivateArk\Server\DBParm.sample.ini, copy the SYSLOG section with all of its fields. The default installation path of the live configuration file is C:\Program Files (x86)\PrivateArk\Server\DBParm.ini.
In <InstallDir>\PrivateArk\Server\DBParm.ini, paste the SYSLOG section at the bottom. The configuration parameters for SYSLOG are listed below:
SyslogServerIP - The IP address(es) of the syslog servers where messages will be sent. We will explicitly specify the IP of CyberHub.
SyslogServerProtocol - Specifies the syslog protocol that will be used to send audit logs. The default value is UDP; TCP works as well.
SyslogServerPort - The port used to connect to the syslog server. The default value is 514. The customer may change it according to the environment.
Set the values as follows:
a. SyslogServerIP – CyberHub IP address. Specify multiple values with commas if needed.
b. SyslogServerProtocol – TCP
c. SyslogServerPort – 601
d. SyslogMessageCodeFilter – Set it to 0-999 to ensure all possible types of logs are sent over syslog. This parameter defines which message codes will be sent from the Vault to the SIEM application through the syslog protocol. You can specify message numbers and/or ranges of numbers, separated by commas. Specify multiple values with pipes (|). By default, all message codes are sent for user and Safe activities. For a list of messages and codes, refer to the Privileged Account Security Reference Guide.
e. SyslogTranslatorFile – Specifies the XSL file used to parse CyberArk audit record data into the syslog protocol. Specify multiple values with commas. Set it to <InstallDir>\PrivateArk\Server\Syslog\Arcsight.sample.xsl. This translator file is installed at the defined location by default; check with the vendor if it is not present. <InstallDir>\PrivateArk\Server\Syslog\Arcsight.sample.xsl is the default installation file; it should not be modified and must be used in the SyslogTranslatorFile setting above.
f. SyslogSendBOMPrefix – Whether or not the BOM (Byte Order Mark) prefix will be sent at the beginning of syslog messages. Acceptable values: Yes/No. Recommended value: No.
g. UseLegacySyslogFormat – Set to No. This defines whether messages are sent in the newer syslog format (RFC 5424) or in the legacy format; we expect logs in the newer syslog format.
DebugLevel: Determines the level of debug messages. Specify the values below to include all possible logs as standard, for example: DebugLevel=PE(1,2,3,4,5,6,7,8,9,10,13),PERF(1,2,3,4),SYSLOG(1,2),UI(8),LDAP(14,15)
Please ensure that you keep Windows Firewall turned on so that the CyberArk server can communicate through the firewall, and create rules to allow logs to be sent over syslog on the designated port, which is TCP/601 by default, to the CyberHub IP address.
Create a rule in the same file to allow communication to the syslog port on CyberHub. The port should be 601. The following configuration must be done at: C:\Program Files (x86)\PrivateArk\Server\DBParm.ini.
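As an added post-configuration check (not part of the CyberArk or Adaptive MxDR documentation), the following PowerShell script reads the SYSLOG section of DBParm.ini, compares it with the values specified above, and confirms that an enabled outbound firewall rule and a live TCP connection to CyberHub exist on the configured port. It assumes the default install path, that the section header in DBParm.ini is literally [SYSLOG], and uses a placeholder for the CyberHub IP address.

```powershell
# Added verification helper; not part of the CyberArk or Adaptive MxDR documentation.
# Assumptions: DBParm.ini is at the default path below, the section header reads
# [SYSLOG], and $CyberHubIP is the address supplied by Adaptive MxDR (placeholder here).
# Run from an elevated PowerShell prompt on the Vault server after editing DBParm.ini.
param(
    [string]$DBParmPath = 'C:\Program Files (x86)\PrivateArk\Server\DBParm.ini',
    [string]$CyberHubIP = '<CyberHub IP address>'   # placeholder: replace before running
)

# Values this guide asks for in the SYSLOG section of DBParm.ini
$expected = @{
    SyslogServerIP          = $CyberHubIP
    SyslogServerProtocol    = 'TCP'
    SyslogServerPort        = '601'
    SyslogMessageCodeFilter = '0-999'
    SyslogTranslatorFile    = 'Syslog\Arcsight.sample.xsl'   # matched on the path suffix
    SyslogSendBOMPrefix     = 'No'
    UseLegacySyslogFormat   = 'No'
}

# Parse only the [SYSLOG] section into key/value pairs, ignoring ';' comment lines
$syslog = @{}
$inSection = $false
foreach ($line in Get-Content -Path $DBParmPath) {
    $t = $line.Trim()
    if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'SYSLOG'); continue }
    if (-not $inSection -or $t -eq '' -or $t.StartsWith(';')) { continue }
    $k, $v = $t -split '=', 2
    if ($null -ne $v) { $syslog[$k.Trim()] = $v.Trim() }
}

$problems = @()
foreach ($key in $expected.Keys) {
    $actual = $syslog[$key]
    $ok = if ($key -eq 'SyslogTranslatorFile') { $actual -like "*$($expected[$key])" }
          else { $actual -eq $expected[$key] }
    if (-not $ok) { $problems += "$key = '$actual' (expected '$($expected[$key])')" }
}

# Firewall and reachability: an enabled outbound TCP rule for the port, and a live connection
$port = if ($syslog['SyslogServerPort']) { [int]$syslog['SyslogServerPort'] } else { 601 }
$rule = Get-NetFirewallRule -Direction Outbound -Enabled True -ErrorAction SilentlyContinue |
        Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'TCP' -and $_.RemotePort -contains "$port" }
if (-not $rule) { $problems += "no enabled outbound TCP firewall rule for port $port" }
$tnc = Test-NetConnection -ComputerName $CyberHubIP -Port $port -WarningAction SilentlyContinue
if (-not $tnc.TcpTestSucceeded) { $problems += "TCP connection to ${CyberHubIP}:$port failed" }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host "SYSLOG section, firewall rule and connectivity to ${CyberHubIP}:$port look correct" }
```

Run it again after stopping and starting the Vault server; a failed TCP test with a correct SYSLOG section usually points at the firewall rule or at a network path issue between the Vault and CyberHub.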
| Info |
|---|
| CyberArk Client Side Configuration (Step-8) Only |
Additionally, we can control the type of logs we want to read by manually configuring the event types in the PrivateArk Client.
a. PrivateArk Client > Tools > Options > Advanced > Log Configuration. For this modification, you must be logged in with an Administrator account. The recommendation is to select all 15 options, from General Events to Detailed Communication Events.
Log in to the CyberArk EPV server directly or through RDP, open the PrivateArk Server console as an Administrator, and stop and start the Vault server for the changes to take effect.
To configure CyberArk Privilege Cloud to collect logs
Privilege Cloud can integrate with SIEM applications to send audit logs through the syslog protocol. Before you can connect to SIEM, you must first deploy the Secure Tunnel for SIEM component.
To configure Secure Tunnel v3.0 or higher
Pre-requisites and considerations before installing Secure Tunnel:
a. The name of the Connector client machine ID must be unique across domains. Only the machine host name is used to generate the tunnel ID, and therefore it must be unique, even if the machines are deployed in multiple domains.
b. Secure Tunnel uses port 50000 by default. Check that this port is free for use.
For more details, please refer to the device documentation: Deploy Secure Tunnel
Ensure that the Connector client machine ID is unique, even when the machines are deployed in multiple domains.
Download the Secure Tunnel zip file by logging in to the CyberArk Support Vault, and then unzip the package.
Double-click the Secure Tunnel installation executable to run the Secure Tunnel installation wizard.
In Select Installation Folder, enter the location of the installation folder, and then click Install.
In Ready to Install, click Finish.
| Info |
|---|
| When the installation is complete, the configuration tool is launched. If you have already installed Secure Tunnel previously, you can open the configuration tool at any time, either from the desktop shortcut or from the installation folder. |
In Authenticate to Privilege Cloud, enter the credentials provided to you by CyberArk support.
In Configure on-premise components, add the components that you want to connect through the Secure Tunnel, and then click Configure Components.
Enter the following information:
Component Type: SIEM
Host Address: The hostname or IP address of the component server. Enter the CyberHub IP address.
Destination Port: The port used for connecting the Secure Tunnel server to the component server. Click Advanced to display this column. Typically, the port used for the SIEM component is 1468; if you are using a different port, edit this field for the relevant component. Enter 6514.
Remote Port: The port used by CyberArk to interface with your Secure Tunnel. Click Advanced to display this column. The Remote Port is provided to you by CyberArk support. Each interface has a default port; for multiple instances the ports are numbered sequentially. Typically the ports used for the SIEM component are 1468 (first SIEM instance), 1469, and so on. The default port is 1468; if another SIEM or service is already using this port, choose the next port in incremental order.
Access through Secure Tunnels: You can configure which Secure Tunnels your servers will access through, even if these Secure Tunnels are running on a different machine.
SIEM Integration: Privilege Cloud can use either TLS 1.2 or plain TCP to send messages. Use the steps below to connect Privilege Cloud to your SIEM servers:
Provide the following information to CyberArk support: