Configuring syslog for CyberArk Vault

To configure CyberArk Vault to forward syslog events to IBM® QRadar®, you must edit a file to specify parameters.

Procedure

  1. Log in to the CyberArk Vault server.
  2. Edit the DBParm.ini file.
  3. Configure the following parameters:
    Table 1. Syslog parameters

    Parameter                Description

    SyslogServerIP           The IP address of the QRadar host that receives the events.

    SyslogServerPort         The UDP port that the Vault sends events to on QRadar. The default value is 514. Syslog over UDP is sent in clear text and is not authenticated, so send these events over a trusted network path.

    SyslogMessageCodeFilter  The message codes that the CyberArk Vault sends to QRadar. You can list individual message numbers, ranges of numbers, or both, separated by commas. By default, all message codes for user activities and safe activities are sent.
                             Example: To send message codes 1, 2, 3, 30 and 5 through 10, type: 1,2,3,5-10,30

    SyslogTranslatorFile     The file path of the LEEF.xsl translator file. The Vault uses this file to convert its audit records into LEEF-formatted syslog messages that QRadar can parse.

  4. Copy LEEF.xsl to the location that is specified by the SyslogTranslatorFile parameter in the DBParm.ini file. If the file is not at that path, the Vault cannot format its audit records as LEEF events.
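As an added example, which is not part of the original page and is not CyberArk or IBM tooling, the following Python script reads a DBParm.ini fragment, checks that the four syslog parameters above are present and well formed, and expands a SyslogMessageCodeFilter value such as 1,2,3,5-10,30 into the set of message codes it admits. The [SYSLOG] section name, the sample IP address, port and translator path are constructed for illustration; confirm the section name against your own DBParm.ini before relying on it.

```python
import ipaddress
import re

# Constructed DBParm.ini fragment for illustration. The [SYSLOG] section name,
# the address 192.0.2.10 and the translator path are assumptions, not values
# taken from the CyberArk or QRadar documentation.
SAMPLE_DBPARM = """\
[SYSLOG]
SyslogServerIP=192.0.2.10
SyslogServerPort=514
SyslogMessageCodeFilter=1,2,3,5-10,30
SyslogTranslatorFile=Syslog\\LEEF.xsl
"""

# The four parameters the procedure above tells you to set.
REQUIRED = (
    "SyslogServerIP",
    "SyslogServerPort",
    "SyslogMessageCodeFilter",
    "SyslogTranslatorFile",
)


def parse_dbparm(text):
    """Return {key: value} for Key=Value lines; section headers, blank lines
    and ';'/'#' comment lines are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("[", ";", "#")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def expand_code_filter(spec):
    """Expand a filter such as '1,2,3,5-10,30' into the set of message codes
    it admits. Raises ValueError on an empty or malformed token or on a
    range whose end is lower than its start."""
    codes = set()
    for token in spec.split(","):
        token = token.strip()
        if not token:
            raise ValueError("empty token in filter")
        match = re.fullmatch(r"(\d+)(?:-(\d+))?", token)
        if not match:
            raise ValueError(f"bad token: {token!r}")
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) else low
        if high < low:
            raise ValueError(f"inverted range: {token!r}")
        codes.update(range(low, high + 1))
    return codes


def validate_syslog_params(params):
    """Return a list of problems; an empty list means the syslog settings
    are present and well formed."""
    problems = [f"missing {key}" for key in REQUIRED if key not in params]
    if problems:
        return problems
    try:
        ipaddress.ip_address(params["SyslogServerIP"])
    except ValueError:
        problems.append(
            f"SyslogServerIP is not an IP address: {params['SyslogServerIP']!r}")
    port = params["SyslogServerPort"]
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append(f"SyslogServerPort out of range: {port!r}")
    try:
        expand_code_filter(params["SyslogMessageCodeFilter"])
    except ValueError as err:
        problems.append(f"SyslogMessageCodeFilter: {err}")
    if not params["SyslogTranslatorFile"].lower().endswith(".xsl"):
        problems.append("SyslogTranslatorFile does not point at an .xsl file")
    return problems


def code_is_forwarded(code, spec):
    """True if a message with this code passes the SyslogMessageCodeFilter."""
    return code in expand_code_filter(spec)


if __name__ == "__main__":
    params = parse_dbparm(SAMPLE_DBPARM)
    print("problems:", validate_syslog_params(params))
    print("codes forwarded:",
          sorted(expand_code_filter(params["SyslogMessageCodeFilter"])))
```

Run it against a copy of your own DBParm.ini (read the file instead of SAMPLE_DBPARM) before restarting the Vault service, so that a typo in the filter or port is caught before any events are silently dropped.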

Results

The configuration is complete. QRadar automatically discovers the CyberArk Vault log source when the first forwarded events arrive, and the events are displayed on the Log Activity tab of QRadar.