
About the Device

CyberArk Enterprise Password Vault, part of the CyberArk Privileged Account Security Solution, enables organizations to secure, manage and track the use of privileged credentials whether on premise or in the cloud, across operating systems, databases, applications, hypervisors, network devices and more. The product is built on the CyberArk Shared Technology Platform, delivering scalability, high availability and centralized management and reporting.

Device Information

| Entity         | Particulars                                                              |
|----------------|--------------------------------------------------------------------------|
| Vendor Name    | CyberArk                                                                 |
| Product Name   | Enterprise Password Vault (now part of Privileged Access Manager)        |
| Type of Device | Hosted                                                                   |

Collection Method

| Log Type                 | Ingestion label          | Preferred Logging Protocol - Format | Log Collection Method |
|--------------------------|--------------------------|-------------------------------------|-----------------------|
| CyberArk Privilege Cloud | CYBERARK_PRIVILEGE_CLOUD | Syslog - CEF                        | CyberHub              |

Port Requirements

| Source                            | Destination | Port       |
|-----------------------------------|-------------|------------|
| CyberArk Enterprise Password Vault | CyberHub    | 6514 (TLS) |

Device Configuration

To Configure CyberArk EPV to Collect Logs

Syslog messages can be sent to multiple syslog servers in two different ways:

A single message can be sent to multiple servers by configuring a single XSLT file.

Multiple messages can be sent to different Syslog servers and formatted differently for each server by configuring multiple XSLT files, formats and code-message lists. The code-message lists must be matched, meaning they must contain the same number of items in the same order.

  1. In PrivateArk\Server\DBParm.sample.ini, copy the SYSLOG section with all of its fields.

  2. In PrivateArk\Server\DBParm.sample.ini, paste the SYSLOG section at the bottom.

  3. The configuration parameters for SYSLOG are listed below:

    1. SyslogServerIP - The IP address(es) of the Syslog servers to which messages are sent. Specify the CyberHub IP address explicitly; separate multiple values with commas if needed.

    2. SyslogServerProtocol - The protocol used to send audit logs over Syslog. The default value is UDP; TCP works as well.

    3. SyslogServerPort - The port used to connect to the Syslog server. The default value is 514; the customer may change it to suit the environment.

    4. SyslogMessageCodeFilter - Defines which message codes the Vault sends to the SIEM application through the Syslog protocol. Set it to 0-999 so that all possible log types are sent over Syslog. You can specify message numbers and/or ranges of numbers, separated by commas; separate multiple values with pipe characters. By default, all message codes for user and Safe activities are sent. For a list of messages and codes, refer to the Privileged Account Security Reference Guide.

    5. SyslogTranslatorFile - The XSL file used to translate CyberArk audit record data into the Syslog message format. Separate multiple values with commas. Set it to C:\Program Files (x86)\PrivateArk\Server\Syslog\Arcsight.sample.xsl. This translator file is installed at that location by default; check with the vendor if it is not present.

    6. SyslogSendBOMPrefix - Whether the BOM (Byte Order Mark) prefix is sent at the beginning of Syslog messages. Acceptable values: Yes/No. Set it to No.

    7. UseLegacySyslogFormat - Defines whether messages are sent in the newer syslog format (RFC 5424) or in the legacy format. Set it to No; we expect logs in the newer syslog format.

  4. DebugLevel - Determines the level of debug messages. Specify the following value to include all possible logs as standard:
     DebugLevel=PE(1,2,3,4,5,6,7,8,9,10,13),PERF(1,2,3,4),SYSLOG(1,2),UI(8),LDAP(14,15)

  1. Keep Windows Firewall turned on on the CyberArk server, and create rules that allow logs to be sent over Syslog to the CyberHub IP address on the designated port (UDP/514 by default).

  2. Create a rule in the same ruleset to allow communication to the Syslog port on CyberHub. The default is UDP 514.
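As an added example (not part of the original page and not a CyberArk script), the following PowerShell checks the SYSLOG section of DBParm.ini against the values prescribed in the steps above and creates the outbound Windows Firewall rule described in the firewall steps. The install path, the placeholder CyberHub IP address and the rule name are assumptions; adjust the protocol and port if your CyberHub endpoint uses 6514/TLS as listed under Port Requirements.

```powershell
# Added example, not CyberArk's own tooling. Run in an elevated PowerShell on the Vault server.
$DbParm     = 'C:\Program Files (x86)\PrivateArk\Server\DBParm.ini'   # assumed install path
$CyberHubIp = '203.0.113.10'                                           # placeholder, replace with the CyberHub IP

# Values the onboarding steps prescribe for the SYSLOG section (DebugLevel lives elsewhere in the file).
$Expected = [ordered]@{
    SyslogServerIP          = $CyberHubIp
    SyslogServerProtocol    = 'UDP'
    SyslogServerPort        = '514'
    SyslogMessageCodeFilter = '0-999'
    SyslogTranslatorFile    = 'C:\Program Files (x86)\PrivateArk\Server\Syslog\Arcsight.sample.xsl'
    SyslogSendBOMPrefix     = 'No'
    UseLegacySyslogFormat   = 'No'
}

# Parse only the [SYSLOG] section: key=value lines up to the next [Section] header.
# Lines starting with ';' or '#' are treated as comments and skipped.
$actual   = @{}
$inSyslog = $false
foreach ($line in Get-Content -Path $DbParm) {
    if ($line -match '^\s*\[(.+)\]\s*$') { $inSyslog = ($Matches[1] -eq 'SYSLOG'); continue }
    if ($inSyslog -and $line -match '^\s*([^=;#]+?)\s*=\s*(.*?)\s*$') {
        $actual[$Matches[1]] = $Matches[2]
    }
}

# Report every parameter that is missing or differs from the prescribed value.
$mismatch = 0
foreach ($key in $Expected.Keys) {
    if ($actual[$key] -ne $Expected[$key]) {
        Write-Warning "$key is '$($actual[$key])', expected '$($Expected[$key])'"
        $mismatch++
    }
}
if ($mismatch -eq 0) { Write-Host 'SYSLOG section matches the onboarding values.' }

# Firewall: allow the Vault to send syslog to the CyberHub address only, on the configured protocol/port.
$ruleName = 'CyberArk Vault to CyberHub syslog'   # assumed rule name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Allow `
        -Protocol $Expected.SyslogServerProtocol -RemotePort $Expected.SyslogServerPort `
        -RemoteAddress $CyberHubIp | Out-Null
    Write-Host "Created firewall rule '$ruleName'."
}
```

The check only reads DBParm.ini; edit the file by hand and restart the Vault as described on this page for the values to take effect.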


To configure CyberArk Client Side

Additionally, we can control the type of logs we want to read by manually configuring the event types in PrivateArk Client.

a. PrivateArk Client > Tools > Options > Advanced > Log Configuration. You must be logged in with an Administrator account to make this change. The recommendation is to select all 15 options, from General Events to Detailed Communication Events.

  1. Stop and start the Vault for the changes to take effect.

To configure CyberArk Privilege Cloud to collect logs

Privilege Cloud can integrate with SIEM applications to send audit logs through the syslog protocol. Before you can connect to SIEM, you must first deploy the Secure Tunnel for SIEM component.

To configure Secure Tunnel v3.0 or higher

Prerequisite

a. The Connector client machine ID must be unique across domains. Only the machine host name is used to generate the tunnel ID, so it must be unique even if the machines are deployed in multiple domains.

b. Secure Tunnel uses port 50000 by default. Check that this port is free for use.
For more details, refer to the device documentation: Deploy Secure Tunnel

  1. Ensure that the Connector client machine ID is unique, even when the machines are deployed in multiple domains.

  2. Download the Secure Tunnel zip file by logging into the CyberArk Support Vault, and then unzip the package.

  3. Double-click the Secure Tunnel installation executable file to run the Secure Tunnel installation wizard.

  4. On the Select Installation Folder page, enter the location of the installation folder, and then click Install.

  5. On the Ready to Install page, click Finish.

When the installation is complete, the configuration tool is launched.

If you have already installed Secure Tunnel, you can open the configuration tool at any time from the desktop shortcut or from the installation folder.

  1. On the Authenticate to Privilege Cloud page, enter the credentials provided to you by CyberArk support.

  2. On the Configure on-premise components page, add the components that you want to connect through the secure tunnel, and then click Configure Components.
    Enter the following information:

  • Component Type: SIEM

  • Host Address: The hostname or IP address of the component server.

  • Destination Port: The port used to connect the Secure Tunnel server to the component server. Click Advanced to display this column. Typically, the port used for the SIEM component is 1468. If you are using a different port, edit this field for the relevant component.

  • Remote Port: The port used by CyberArk to interface with your Secure Tunnel. Click Advanced to display this column. The Remote Port is provided to you by CyberArk support. Each interface has a default port; for multiple instances the ports are numbered sequentially. Typically the ports used for the SIEM component are 1468 (first SIEM instance), 1469, and so on.

  • Access through Secure Tunnels: You can configure which Secure Tunnels your servers will be accessed through, even if those Secure Tunnels are running on a different machine.

SIEM Integration:

Privilege Cloud can send messages over either TLS 1.2 or plain TCP. Use the steps below to connect Privilege Cloud to your SIEM servers:

Provide the following information to CyberArk support:

  • SIEM server IP: <CyberHub_IP>

  • SIEM server Port: 6514

  • SIEM Server Protocol: TLS

  • SIEM Type: ArcSight

  • TLS certificates: Contact the Accenture device onboarding team

For more details, refer to the following link: Connect to SIEM

Integration Parameters

Parameters required from the customer for integration.

| Property   | Default Value                                 | Description                                                          |
|------------|-----------------------------------------------|----------------------------------------------------------------------|
| IP Address | CyberArk Enterprise Password Vault IP address | Hostname or IP address of the device which forwards logs to the CyberHub |