Elastic
Start free trial Contact Sales
Loading

Cyberark PAS module

Warning

This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.

Prefer to use Elastic Agent for this use case?

Refer to the Elastic Integrations documentation.

Learn more

Elastic Agent is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed comparison of Beats and Elastic Agent.

This is a module for receiving CyberArk Privileged Account Security (PAS) logs over Syslog or a file.

The ingest-geoip Elasticsearch plugin is required to run this module.

Tip

Read the quick start to learn how to configure and run modules.

You can further refine the behavior of the cyberarkpas module by specifying variable settings in the modules.d/cyberarkpas.yml file, or overriding settings at the command line.

You must enable at least one fileset in the module. Filesets are disabled by default.

audit fileset settings

The audit fileset receives Vault Audit logs for User and Safe activities over the syslog protocol.

Vault configuration

Follow the steps under Security Information and Event Management (SIEM) Applications documentation to setup the integration:

  • Copy the elastic-json-v1.0.xsl XSL Translator file to the Server\Syslog folder.
  • Sample syslog configuration for DBPARM.ini:
[SYSLOG]
UseLegacySyslogFormat=No
SyslogTranslatorFile=Syslog\elastic-json-v1.0.xsl
SyslogServerIP=<INSERT FILEBEAT IP HERE>
SyslogServerPort=<INSERT FILEBEAT PORT HERE>
SyslogServerProtocol=TCP

For proper timestamping of events, it’s recommended to use the newer RFC5424 Syslog format (UseLegacySyslogFormat=No). To avoid event loss, use TCP or TLS protocols instead of UDP.

Filebeat configuration

Edit the cyberarkpas.yml configuration. The following sample configuration will accept TCP protocol connections from all interfaces:

- module: cyberarkpas
  audit:
    enabled: true

    # Set which input to use between tcp (default), udp, or file.
    #
    var.input: tcp
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9301

    # With tcp input, set the optional tls configuration:
    #var.ssl:
    #  enabled: true
    #  certificate: /path/to/cert.pem
    #  key: /path/to/privatekey.pem
    #  key_passphrase: 'password for my key'

    # Uncoment to keep the original syslog event under event.original.
    # var.preserve_original_event: true

    # Set paths for the log files when file input is used.
    # var.paths:

For encrypted communications, follow the CyberArk documentation to configure encrypted protocol in the Vault server and use tcp input with var.ssl settings in Filebeat:

- module: cyberarkpas
  audit:
    enabled: true

    # Set which input to use between tcp (default), udp, or file.
    #
    var.input: tcp
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9301

    # With tcp input, set the optional tls configuration:
    var.ssl:
      enabled: true
      certificate: /path/to/cert.pem
      key: /path/to/privatekey.pem
      key_passphrase: 'password for my key'

    # Uncoment to keep the original syslog event under event.original.
    # var.preserve_original_event: true

    # Set paths for the log files when file input is used.
    # var.paths:

Configuration options

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the cyberarkpas module uses the defaults.

For advanced use cases, you can also override input settings. See Override input settings.

Tip

When you specify a setting at the command line, remember to prefix the setting with the module name, for example, cyberarkpas.audit.var.paths instead of audit.var.paths.

var.input
The input to use. One of tcp (default), udp or file.
var.syslog_host
The address to listen to UDP or TCP based syslog traffic. Defaults to localhost. Set to 0.0.0.0 to bind to all available interfaces.
var.syslog_port
The port to listen for syslog traffic. Defaults to 9301.
Note

Ports below 1024 require Filebeat to run as root.

var.ssl
Configuration options for SSL parameters to use when acting as a server for TLS protocol. See SSL server configuration options. for a description of the available sub-options.
var.preserve_original_event
Set to true to store the original syslog message under the event.original field. Defaults to false.
var.paths
An array of glob-based paths that specify where to look for the log files. All patterns supported by Go Glob are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: /path/to/log/*/*.log. This fetches all .log files from the subfolders of /path/to/log. It does not fetch log files from the /path/to/log folder itself.

This setting is only applicable when file input is configured.

Example dashboard

This module comes with a sample dashboard:

filebeat cyberarkpas overview

Fields

For a description of each field in the module, see the exported fields section.