Cyberark moduleedit

Deprecated in 7.13.0.

This module is deprecated. Use the CyberArk Privileged Account Security module.

This is a module for receiving Cyber-Ark logs over Syslog or a file.

Read the quick start to learn how to configure and run modules.

Configure the moduleedit

You can further refine the behavior of the cyberark module by specifying variable settings in the modules.d/cyberark.yml file, or overriding settings at the command line.

Variable settingsedit

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the cyberark module uses the defaults.

For advanced use cases, you can also override input settings. See Override input settings.

When you specify a setting at the command line, remember to prefix the setting with the module name, for example, cyberark.corepas.var.paths instead of corepas.var.paths.

corepas fileset settingsedit

Deprecated in 7.13.0.

This was converted from RSA NetWitness log parser XML "cyberark" device revision 124.

The input from which messages are read. One of file, tcp or udp.
The address to listen to UDP or TCP based syslog traffic. Defaults to localhost. Set to to bind to all available interfaces.
The port to listen for syslog traffic. Defaults to 9527

Ports below 1024 require Filebeat to run as root.

By default, datetimes in the logs will be interpreted as relative to the timezone configured in the host where Filebeat is running. If ingesting logs from a host on a different timezone, use this field to set the timezone offset so that datetimes are correctly parsed. Valid values are in the form ±HH:mm, for example, -07:00 for UTC-7.
Flag to control the addition of non-ECS fields to the event. Defaults to true, which causes both ECS and custom fields under rsa to be added.
Flag to control the addition of the raw parser fields to the event. This fields will be found under rsa.raw. The default is false.


For a description of each field in the module, see the exported fields section.