The CyberArk Vault DSM for IBM® QRadar® accepts events by using syslog that is formatted for Log Event Extended Format (LEEF).
QRadar records both user activities and safe activities from the CyberArk Vault in the audit event logs. CyberArk Vault integrates with QRadar to forward audit logs by using syslog to create a detailed log of privileged account activities.
Event type format
CyberArk Vault must be configured to generate events in Log Event Extended Format (LEEF) and to forward these events by using syslog. The LEEF format consists of a pipe ( | ) delimited syslog header, and tab separated fields in the log payload section.
If the syslog events from CyberArk Vault are not formatted properly, examine your device configuration or software version to ensure that your appliance supports LEEF. Properly formatted LEEF event messages are automatically discovered and added as a log source to QRadar.