Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai Help Center and we shall get it updated.
Samurai [Local] Collector
|Samurai [Cloud] Collector|
|CyberArk Privileged Access Security (PAS)||
This guide describes the steps required to configure CyberArk PAS to send logs to a Samurai XDR Local Collector deployed on your network. Your CyberArk PAS Vault deployment requires access to the Local Collector via syslog on port 514/UDP.
To complete this Integration you will need to:
1) From CyberArk Vault
Configure Vault to forward syslog messages
Follow the steps below, you may also wish to refer to CyberArk documentation.
1. Download the ntt.xsl file attached to this article
2. Log in to the (primary) CyberArk PAS Vault server as the administrator user
3. Navigate to the <CyberArk install folder>\Server\Syslog directory.
- By default, the subdirectory is: C:\Program Files (x86)\PrivateArk\Server\Syslog
4. Copy the ntt.xsl file into the directory.
5. Navigate to the <CyberArk install folder>\Server\ directory.
- By default, the subdirector is: C:\Program Files (x86)\PrivateArk\Server\
6. Copy the existing DBParm.ini file to DBParm.ini.bak file within the same directory (in case you need to rollback)
7. Edit the DBParm.ini file and make the following configuration changes:
If you are configuring more than one syslog destination, each parameter must match the number of hosts in SyslogServerIP. Each CSV position in SyslogServerIP will correspond with the same CSV position in other fields.
In the above example, server 184.108.40.206 would match with port 514, while server 220.127.116.11 would match with port 6514.
- For SyslogServerIP, enter the IP address of the Samurai XDR Local Collector deployed on your network.
- For SyslogServerPort, enter 514
- For SyslogServerProtocol, enter TCP
For SyslogTranslatorFile, enter Syslog\ntt.xsl
This is the file mentioned in step 1 & 4
- For SyslogMessageCodeFilter, enter 0-999.
- For UseLegacySyslogFormat, enter No.
The changes to DBParm.ini should look like the following example:
Apart from the SyslogServerIP parameter, ensure that the parameter statements match those shown above. If you are copying and pasting from this document, ensure that each parameter statement is on a separate line and that no unwanted spaces are introduced.
8. Save the file
9. Restart the Vault server
Ensure that there are no errors in the log file. A list of possible messages that could appear in the log file are included in CyberArk documentation - Syslog Messages
10. If applicable. perform the procedure on all Primary and Satellite Vaults.
For integrations that utilize a Local Collector where we ingest syslog only, you do not need to follow specific steps in the Samurai XDR Application as we auto detect the vendor and product. The only reason you need to use the Samurai XDR Application is if you need to determine the Local Collector IP address. Of course you will still need to ensure the integration is functioning! See Integrations for more information on checking status.
Article is closed for comments.