Cyberark PAS moduleedit

This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.

This is a module for receiving CyberArk Privileged Account Security (PAS) logs over Syslog or a file.

The ingest-geoip Elasticsearch plugin is required to run this module.

Read the quick start to learn how to configure and run modules.

Configure the moduleedit

You can further refine the behavior of the cyberarkpas module by specifying variable settings in the modules.d/cyberarkpas.yml file, or overriding settings at the command line.

audit fileset settingsedit

The audit fileset receives Vault Audit logs for User and Safe activities over the syslog protocol.

Vault configurationedit

Follow the steps under Security Information and Event Management (SIEM) Applications documentation to setup the integration:

  • Copy the elastic-json-v1.0.xsl XSL Translator file to the Server\Syslog folder.
  • Sample syslog configuration for DBPARM.ini:
[SYSLOG]
UseLegacySyslogFormat=No
SyslogTranslatorFile=Syslog\elastic-json-v1.0.xsl
SyslogServerIP=<INSERT FILEBEAT IP HERE>
SyslogServerPort=<INSERT FILEBEAT PORT HERE>
SyslogServerProtocol=TCP

For proper timestamping of events, it’s recommended to use the newer RFC5424 Syslog format (UseLegacySyslogFormat=No). To avoid event loss, use TCP or TLS protocols instead of UDP.

Filebeat configurationedit

Edit the cyberarkpas.yml configuration. The following sample configuration will accept TCP protocol connections from all interfaces:

- module: cyberarkpas
  audit:
    enabled: true

    # Set which input to use between tcp (default), udp, or file.
    #
    var.input: tcp
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9301

    # With tcp input, set the optional tls configuration:
    #var.ssl:
    #  enabled: true
    #  certificate: /path/to/cert.pem
    #  key: /path/to/privatekey.pem
    #  key_passphrase: 'password for my key'

    # Uncoment to keep the original syslog event under event.original.
    # var.preserve_original_event: true

    # Set paths for the log files when file input is used.
    # var.paths:

For encrypted communications, use the TLS protocol in the Vault’s DBPARM.ini and use tcp input with var.ssl settings in Filebeat:

- module: cyberarkpas
  audit:
    enabled: true

    # Set which input to use between tcp (default), udp, or file.
    #
    var.input: tcp
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9301

    # With tcp input, set the optional tls configuration:
    var.ssl:
      enabled: true
      certificate: /path/to/cert.pem
      key: /path/to/privatekey.pem
      key_passphrase: 'password for my key'

    # Uncoment to keep the original syslog event under event.original.
    # var.preserve_original_event: true

    # Set paths for the log files when file input is used.
    # var.paths:
Configuration optionsedit

Variable settingsedit

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the cyberarkpas module uses the defaults.

For advanced use cases, you can also override input settings. See Override input settings.

When you specify a setting at the command line, remember to prefix the setting with the module name, for example, cyberarkpas.audit.var.paths instead of audit.var.paths.

var.input
The input to use. One of tcp (default), udp or file.
var.syslog_host
The address to listen to UDP or TCP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port
The port to listen for syslog traffic. Defaults to 9301.

Ports below 1024 require Filebeat to run as root.

var.ssl
Configuration options for SSL parameters to use when acting as a server for TLS protocol. See SSL server configuration options. for a description of the available sub-options.
var.preserve_original_event
Set to true to store the original syslog message under the event.original field. Defaults to false.
var.paths
An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log/*/*.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself.

This setting is only applicable when file input is configured.

Example dashboardedit

This module comes with a sample dashboard:

filebeat cyberarkpas overview

Fieldsedit

For a description of each field in the module, see the exported fields section.