CyberArk Password Vault Configuration
What is Discovered and Monitored
| Protocol | Information discovered | Logs parsed | Used for |
|---|---|---|---|
| Syslog (CEF formatted and others) | | CyberArk Safe Activity | Security monitoring and compliance |
Event Types
In CMDB > Event Types, search for “CyberArk-Vault” in the Device Type column to see close to 400 event types associated with this device.
Rules
In Analytics > Rules, search for “CyberArk”:
CyberArk Vault Blocked Failure
CyberArk Vault CPM Password Disables
CyberArk Vault Excessive Failed PSM Connections
CyberArk Vault Excessive Impersonations
CyberArk Vault Excessive PSM Keystroke Logging Failure
CyberArk Vault Excessive PSM Session Monitoring Failure
CyberArk Vault Excessive Password Release Failure
CyberArk Vault File Operation Failure
CyberArk Vault Object Content Validation Failure
CyberArk Vault Unauthorized User Stations
CyberArk Vault User History Clear
Reports
In Analytics > Reports, search for “CyberArk”:
CyberArk Blocked Operations
CyberArk CPM Password Disables
CyberArk CPM Password Retrieval
CyberArk File Operation Failures
CyberArk Impersonations
CyberArk Object Content Validation Failures
CyberArk PSM Monitoring Failures
CyberArk Password Resets
CyberArk Privileged Command Operations
CyberArk Provider Password Retrieval
CyberArk Trusted Network Area Updates
CyberArk Unauthorized Stations
CyberArk User History Clears
CyberArk User/Group Modification Activity
CyberArk Vault CPM Password Reconciliations
CyberArk Vault CPM Password Verifications
CyberArk Vault Configuration Changes
CyberArk Vault Failed PSM connections
CyberArk Vault Modification Activity
CyberArk Vault PSM Keystore Logging Failures
CyberArk Vault Password Changes from CPM
CyberArk Vault Password Release Failures
CyberArk Vault Successful PSM Connections
Top CyberArk Event Types
Top CyberArk Safes, Folders By Activity
Top CyberArk Users By Activity
CyberArk Configuration for sending syslog in a specific format
- Open the \PrivateArk\Server\DBParm.ini file and edit the SYSLOG section:
  - SyslogServerIP – Specify the AccelOps supervisor, workers and collectors, separated by commas.
  - SyslogServerProtocol – Set to the default value of UDP.
  - SyslogServerPort – Set to the default value of 514.
  - SyslogMessageCodeFilter – Set to the default range 0-999.
  - SyslogTranslatorFile – Set to Syslog\AccelOps.xsl.
  - UseLegacySyslogFormat – Set to the default value of No.
- Copy the relevant XSL translator file to the Syslog subfolder specified by the SyslogTranslatorFile parameter in DBParm.ini.
- Stop and start the Vault (Central Server Administration) for the changes to take effect.
Make sure the syslog format is as follows:

```
<5>1 2016-02-02T17:24:42Z SJCDVVWCARK01 CYBERARK: Product="Vault";Version="9.20.0000";MessageID="295";Message="Retrieve password";Issuer="Administrator";Station="10.10.110.11";File="Root\snmpCommunity";Safe="TestPasswords";Reason="Test";Severity="Info"
<30>Mar 22 20:13:42 VA461_1022 CyberArk AIM[2453]: APPAP097I Connection to the Vault has been restored
<27>Mar 22 20:10:50 VA461_1022 CyberArk AIM[2453]: APPAP289E Connection to the Vault has failed. Further attempts to connect to the Vault will be avoided for [1] minutes.
<27>Mar 24 23:41:58 VA461_1022 CyberArk AIM[2453]: APPAU002E Provider [Prov_VA461_1022] has failed to fetch password with query [Safe=TestPutta;Object=Telnet91] for application [AccelOps]. Fetch reason: [APPAP004E Password object matching query
```
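To check that the Vault is actually emitting the format above before relying on the rules and reports listed earlier, the following added parser (example code, not part of this page or of CyberArk or AccelOps) handles both message shapes shown: the Vault's `CYBERARK: Key="value";...` records and the AIM provider's `CyberArk AIM[pid]: CODE text` records. The sample lines are taken from the page; the field names in the returned dicts and the "last letter of the code is the level" convention are assumptions drawn only from those samples.

```python
import re

# Vault records: RFC 5424 style header (<PRI>1 timestamp host), the CYBERARK:
# tag, then Key="value" pairs separated by semicolons.
VAULT_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) CYBERARK: (?P<body>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# AIM / provider records: BSD style header, "CyberArk AIM[pid]:" tag,
# a message code such as APPAP289E, then free text.
AIM_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) CyberArk AIM\[(?P<pid>\d+)\]: (?P<code>APP[A-Z]{2}\d{3}[A-Z]) (?P<text>.*)$')

# Constructed from the samples on this page (straight quotes, one record per line).
SAMPLE_LINES = [
    r'<5>1 2016-02-02T17:24:42Z SJCDVVWCARK01 CYBERARK: Product="Vault";Version="9.20.0000";'
    r'MessageID="295";Message="Retrieve password";Issuer="Administrator";Station="10.10.110.11";'
    r'File="Root\snmpCommunity";Safe="TestPasswords";Reason="Test";Severity="Info"',
    '<30>Mar 22 20:13:42 VA461_1022 CyberArk AIM[2453]: APPAP097I Connection to the Vault has been restored',
    '<27>Mar 22 20:10:50 VA461_1022 CyberArk AIM[2453]: APPAP289E Connection to the Vault has failed. '
    'Further attempts to connect to the Vault will be avoided for [1] minutes.',
]

def syslog_severity(pri):
    """Severity is the low three bits of the PRI value (RFC 5424, section 6.2.1)."""
    return pri & 7

def parse_cyberark_syslog(line):
    """Return a dict of fields for a Vault or AIM line, or None if it matches neither."""
    m = VAULT_RE.match(line)
    if m:
        rec = {'source': 'vault', 'pri': int(m['pri']), 'timestamp': m['ts'], 'host': m['host']}
        rec.update(KV_RE.findall(m['body']))   # Key="value" pairs become dict entries
        return rec
    m = AIM_RE.match(line)
    if m:
        return {'source': 'aim', 'pri': int(m['pri']), 'timestamp': m['ts'], 'host': m['host'],
                'pid': int(m['pid']), 'code': m['code'], 'text': m['text'],
                'level': m['code'][-1]}  # assumption: I = informational, E = error, as in the samples
    return None

def password_retrievals(lines):
    """(issuer, station, safe, file) for every Vault 'Retrieve password' record."""
    recs = (parse_cyberark_syslog(l) for l in lines)
    return [(r['Issuer'], r['Station'], r['Safe'], r['File'])
            for r in recs if r and r['source'] == 'vault' and r.get('Message') == 'Retrieve password']

def failures(lines):
    """Records signalling a failure: AIM codes ending in E, or syslog severity err (3) or worse."""
    recs = (parse_cyberark_syslog(l) for l in lines)
    return [r for r in recs if r and (r.get('level') == 'E' or syslog_severity(r['pri']) <= 3)]
```

Feed the parser a few minutes of live output from the configured syslog destination; records that come back as None indicate the translator file or the legacy-format setting is not producing the expected shape.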