CyberArk Privileged Access Security (PAS)


This guide describes the steps required to configure CyberArk PAS to send logs to a Samurai Local Collector deployed on your network. Your CyberArk PAS Vault deployment requires access to the Local Collector via syslog on port 514/UDP.

To complete this Integration you will need to:

1) From CyberArk Vault

Configure Vault to forward syslog messages

Follow the steps below, you may also wish to refer to CyberArk documentation.

  1. Download ntt.xsl.

  2. Log in to the (primary) CyberArk PAS Vault server as the administrator user.

  3. Navigate to the <CyberArk install folder>\Server\Syslog directory.

  • By default, the subdirectory is: C:\Program Files (x86)\PrivateArk\Server\Syslog

  4. Copy the ntt.xsl file into the directory.

  5. Navigate to the <CyberArk install folder>\Server\ directory.

  • By default, the subdirectory is: C:\Program Files (x86)\PrivateArk\Server\

  6. Copy the existing DBParm.ini file to DBParm.ini.bak within the same directory (in case you need to roll back).

  7. Edit the DBParm.ini file and make the following configuration changes:

Note: If you are configuring more than one syslog destination, each parameter must have the same number of comma-separated values as there are hosts in SyslogServerIP. Each CSV position in SyslogServerIP corresponds to the same CSV position in the other fields.

For example:

SyslogServerIP=1.1.1.1,2.2.2.2

SyslogServerPort=514,6514

In the above example, server 1.1.1.1 would match with port 514, while server 2.2.2.2 would match with port 6514.

  • For SyslogServerIP, enter the IP address of the Samurai Local Collector deployed on your network.
  • For SyslogServerPort, enter 514.
  • For SyslogServerProtocol, enter TCP.
  • For SyslogTranslatorFile, enter Syslog\ntt.xsl
    This is the file mentioned in steps 1 and 4.
  • For SyslogMessageCodeFilter, enter 0-999.
  • For UseLegacySyslogFormat, enter No.

The changes to DBParm.ini should look like the following example:

[SYSLOG]
SyslogServerIP=1.1.1.1
SyslogServerPort=514
SyslogServerProtocol=TCP
SyslogTranslatorFile=Syslog\ntt.xsl
SyslogMessageCodeFilter=0-999
UseLegacySyslogFormat=No

Note: Apart from the SyslogServerIP parameter, ensure that the parameter statements match those shown above. If you are copying and pasting from this document, ensure that each parameter statement is on a separate line and that no unwanted spaces are introduced.
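The following Python check is an added example, not CyberArk or Samurai tooling: run against a copy of DBParm.ini, it reports a parameter whose comma-separated value count does not line up with the hosts in SyslogServerIP, a value that differs from those listed above, and stray whitespace around a statement. The sample [SYSLOG] section and the rule set are constructed from this guide.

```python
# Constructed sample: the single-destination [SYSLOG] section this guide asks for.
GOOD_DBPARM = """[SYSLOG]
SyslogServerIP=1.1.1.1
SyslogServerPort=514
SyslogServerProtocol=TCP
SyslogTranslatorFile=Syslog\\ntt.xsl
SyslogMessageCodeFilter=0-999
UseLegacySyslogFormat=No
"""

# Values the guide requires; with several destinations every parameter is positional, so
# each is compared at every CSV position (SyslogServerIP is site-specific, so not listed).
EXPECTED = {"SyslogServerPort": "514", "SyslogServerProtocol": "TCP",
            "SyslogTranslatorFile": "Syslog\\ntt.xsl", "SyslogMessageCodeFilter": "0-999",
            "UseLegacySyslogFormat": "No"}

def parse_syslog_section(text):
    """Return ({key: value}, [problems]) for [SYSLOG]; raw lines are inspected so
    stray whitespace (which the Vault will not tolerate) is reported, not hidden."""
    params, problems, in_section = {}, [], False
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("["):
            in_section = line.strip().upper() == "[SYSLOG]"
            continue
        if not in_section or not line.strip() or line.lstrip().startswith(";"):
            continue
        if "=" not in line:
            problems.append(f"line {lineno}: not a key=value statement: {line!r}")
            continue
        key, value = line.split("=", 1)
        if key != key.strip() or value != value.strip():
            problems.append(f"line {lineno}: unwanted whitespace around {key.strip()}")
        params[key.strip()] = value.strip()
    return params, problems

def check_syslog_config(text):
    """Return a list of problems; an empty list means the section matches the guide."""
    params, problems = parse_syslog_section(text)
    problems += [f"{k} is missing" for k in ["SyslogServerIP", *EXPECTED] if k not in params]
    if "SyslogServerIP" not in params:
        return problems
    hosts = params["SyslogServerIP"].split(",")
    for key, value in params.items():
        values = value.split(",")
        if len(values) != len(hosts):  # CSV positions must line up with SyslogServerIP
            problems.append(f"{key} has {len(values)} value(s) for {len(hosts)} host(s)")
        for pos, v in enumerate(values):
            if key in EXPECTED and v != EXPECTED[key]:
                problems.append(f"{key} position {pos}: {v!r} should be {EXPECTED[key]!r}")
    return problems
```

Pass the file contents (for example `open(path).read()`) to `check_syslog_config` before restarting the Vault; anything it prints is a statement to fix first.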

  8. Save the file.

  9. Restart the Vault server.

Note: Ensure that there are no errors in the log file. A list of possible messages that could appear in the log file is included in the CyberArk documentation - Syslog Messages.

  10. If applicable, perform the procedure on all Primary and Satellite Vaults.

For integrations that utilize a Local Collector where we ingest syslog only, you do not need to follow specific steps in the Samurai MDR portal as we auto detect the vendor and product. The only reason you need to use the Samurai MDR portal is if you need to determine the Local Collector IP address. Of course you will still need to ensure the integration is functioning! See Integrations for more information on checking status.

Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.