Device Integration: CyberArk Using Syslog

Modified on Wed, 22 Apr at 2:15 PM


Overview

To forward logs from CyberArk Vault and Privileged Threat Analytics (PTA) to ADR, configure CyberArk components to emit syslog messages and onboard the device in ADR. This ensures privileged access events, vault activity, and threat anomalies are ingested, normalized, and correlated for proactive threat detection.


Prerequisites

  • Administrative access to the CyberArk Vault server and the Privileged Threat Analytics (PTA) console.
  • Administrative access to the ADR SIEM UI and the CCE server.
  • Firewall rules allowing outbound syslog (UDP or TCP) on port 514 from the CyberArk servers to the ADR CCE IP.
  • Sample XSL translator file (e.g., CEFTranslator.xsl) available on the Vault host.


Configuring CyberArk Vault for Syslog

  1. Edit DBParm.ini on the Vault server (path typically C:\Program Files (x86)\CyberArk\Vault\Server\DBParm.ini):
    SyslogServerIP=10.10.10.50
    SyslogServerPort=514
    SyslogServerProtocol=UDP
    SyslogTranslatorFile=CEFTranslator.xsl
    SyslogMessageCodeFilter=1001,1002
  2. Save the file and restart the CyberArk Vault service to apply changes.


Configuring CyberArk PTA (Privileged Threat Analytics)

Configuration is done via the PVWA interface.

  1. Log in to the PVWA (Privileged Vault Web Access) console.
  2. Navigate to PTA Administration > SIEM Outbound Connectivity.
  3. Click Add New Connection and enter:
    • Name: ADR
    • IP Address: <CCE_Server_IP>
    • Port: 514
    • Protocol: UDP
    • Syslog/Header Format: CEF
  4. Click Save and Test to verify a sample syslog message is received.


Onboarding CyberArk in ADR

  1. Log in to the ADR SIEM UI with administrator credentials.
  2. Navigate to Administration > Add-on Store > Add Device.
  3. Select Syslog Device and enter:

     Field              Value
     Device Name        CyberArk Vault / PTA
     Device IP          <CyberArk_Vault_IP>
     Log Source Type    Syslog
     Log Protocol       UDP
     Port               514
     Log Format         CEF

  4. Click Save to register the CyberArk device.


Verification (MSSP Only)

On ADR UI

  1. Log in to ADR SIEM UI.
  2. Navigate to System > Logs and Flows Collection Status.
  3. Confirm that CyberArk appears under Source Device IP.


On ADR CCE CLI

tcpdump -i any -n -A 'port 514 and host <CyberArk_IP>'

Verify that syslog packets from the CyberArk host are arriving and that the ASCII payload shows CEF-formatted messages.
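As a further check beyond tcpdump, the following Python script (an added example, not part of this article or of CyberArk's tooling) receives the syslog datagrams on the CCE host, parses the CEF header and extension, and flags records whose Signature ID is not one of the codes set in SyslogMessageCodeFilter. It assumes that CEFTranslator.xsl writes the Vault message code into the CEF Signature ID field; the sample line is constructed, not captured from a real Vault.

```python
import re
import socket

SAMPLE_LINE = (  # constructed sample of one CEF datagram, not captured from a real Vault
    r"<5>1 2024-01-01T10:00:00Z vault01 CEF:0|CyberArk|Vault|12.6|1001|Retrieve password|5|"
    r"suser=admin src=10.10.10.20 msg=Safe\=Finance act=Retrieve password")
# Assumption: CEFTranslator.xsl writes the Vault message code into the Signature ID field,
# so every record should carry a code listed in SyslogMessageCodeFilter (1001,1002 above).
EXPECTED_CODES = {"1001", "1002"}
HEADER = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
KEY = re.compile(r"(\w+)=")          # start of a key=value pair in the extension

def split_cef_header(msg):
    """Return the 7 pipe-delimited header fields plus the remaining extension text."""
    fields, cur, i = [], [], 0
    while i < len(msg) and len(fields) < 7:
        if msg[i] == "\\" and i + 1 < len(msg):   # '\|' and '\\' are escapes inside the header
            cur.append(msg[i + 1]); i += 2
        elif msg[i] == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(msg[i]); i += 1
    return fields, msg[i:]

def parse_extension(ext):
    """key=value pairs: a value runs to the next 'key=' token; '\\=' and '\\\\' are unescaped."""
    keys, out = list(KEY.finditer(ext)), {}
    for m, nxt in zip(keys, keys[1:] + [None]):
        raw = ext[m.end():nxt.start() if nxt else len(ext)].strip()
        out[m.group(1)] = raw.replace("\\=", "=").replace("\\\\", "\\")
    return out

def parse_cef(line):
    """Parse a syslog line carrying CEF; raise ValueError if it is not well-formed CEF."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload")
    fields, ext = split_cef_header(line[start + 4:])
    if len(fields) != 7:
        raise ValueError(f"CEF header has {len(fields)} fields, expected 7")
    rec = dict(zip(HEADER, fields))
    rec["ext"] = parse_extension(ext)
    rec["issues"] = [] if rec["signature_id"] in EXPECTED_CODES else [
        f"signature_id {rec['signature_id']} not in SyslogMessageCodeFilter"]
    return rec

def receive(port=514, count=5):
    """Collect `count` UDP datagrams (binding port 514 needs root) as (source_ip, text) pairs."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    return [(addr[0], data.decode("utf-8", "replace")) for data, addr in (sock.recvfrom(65535) for _ in range(count))]
```

Run it as root on the CCE host (or on a test port that matches SyslogServerPort) with `for src, text in receive(): print(src, parse_cef(text)["issues"])`; an empty issues list for each record means the Vault is emitting well-formed CEF with the configured message codes.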


Reference documents

link - https://docs.cyberark.com/pam-self-hosted/latest/en/content/pasimp/dv-integrating-with-siem-applications.htm
