Idaptive Identity Services platform (IISP)

SIEM Integration Guide

October 2021

Abstract
This guide describes how to configure the OAuth app and the SIEM user on a tenant, install a docked app
that retrieves IISP event logs, and obtain guidelines to set up the CyberArk Identity Services Add-on for
Splunk.
SIEM INTEGRATION GUIDE FOR IDAPTIVE IDENTITY SERVICE

Legal Notice

Conditions and restrictions

This guide is delivered subject to the following conditions and restrictions:

This guide contains proprietary information and ideas belonging to CyberArk Software Ltd. which are supplied solely for the purpose
of assisting explicitly and properly authorized users of the CyberArk software.

No part of its contents may be used for any other purpose, disclosed to any person or firm or reproduced by any means, electronic
and mechanical, without the express prior written permission of CyberArk Software Ltd.

The software described in this document is furnished under a license. The software may be used or copied only in accordance with
the terms of that agreement.

Information in this document, including the text and graphics which are made available for the purpose of illustration and reference
only, is subject to change without notice. Corporate and individual names and data used in examples herein are fictitious unless
otherwise noted.

Third party components used in the CyberArk software may be subject to applicable terms and conditions.

Third-party notices

For a list of third-party components and licenses, see the Third-party notices.

Copyright
Copyright © 1999-2021 CyberArk Software Ltd. All rights reserved.

CyberArk®, the CyberArk logo, and all other names and logos that appear in this Guide are trademarks of CyberArk Software Ltd.
and their respective owners.

Information in this document is subject to change without notice.

COPYRIGHT © 2021 CYBERARK SOFTWARE, LTD. ALL RIGHTS RESERVED. ii

SIEM INTEGRATION GUIDE FOR IDAPTIVE IDENTITY SERVICE

Contents

Legal Notice .......................................................................................................... ii

Conditions and restrictions ............................................................................. ii
Third-party notices .......................................................................................... ii
Copyright ......................................................................................................... ii

Introduction ........................................................................................................... 3
Supported platforms........................................................................................ 3
Linux server hardware requirements .............................................................. 4
Supported Syslog Server projects .................................................................. 4

Set up the SIEM User and the OAuth App on the Tenant................................. 4

Set up the Environment for Linux ..................................................................... 10

Step 1: Set up Docker on Linux .................................................................... 10
Step 2: Set up Syslog Server on Local Host Machine.................................. 10

Set Up the Environment to Forward information from a Windows system to

a Linux system ............................................................................................ 13
Step 1: Set up Docker on a Windows (Machine #1) ..................................... 13
Step 2: Set up a Remote Syslog Server on Linux (Machine #2) .................. 14

Run the CyberArk Syslog Writer ....................................................................... 15

Start the CyberArk Syslog Writer .................................................................. 15
Automatic Restarting..................................................................................... 16
Check Execution Logs .................................................................................. 16
Re-Run Syslog Writer After Cleanup ............................................................ 17
Restart a Stopped Syslog Writer Container.................................................. 17
Stop the Syslog Writer Container ................................................................. 17
Important Parameters in data/config.ini ........................................................ 18
Important note about data load ..................................................................... 18

Run the CyberArk Identity Threat Intelligence Syslog Writer ........................ 19

Step 1: Create an API token in the User Behavior Analytics Portal. ............ 19
Step 2: Download the CyberArk Identity Threat Intelligence Syslog Writer
from the Admin Portal. .......................................................................... 20
Step 3: Run the CyberArk Identity Threat Intelligence Syslog Writer........... 20

CyberArk Identity Services Add-on for Splunk ............................................... 22

COPYRIGHT © 2021 CYBERARK SOFTWARE, LTD. ALL RIGHTS RESERVED. 1

SIEM INTEGRATION GUIDE FOR IDAPTIVE IDENTITY SERVICE

Set Up Splunk Universal Forwarder ............................................................. 22

Install the Splunk Add-on .............................................................................. 23
Configure Data Input ..................................................................................... 23
Search for IISP Events ................................................................................. 24

COPYRIGHT © 2021 CYBERARK SOFTWARE, LTD. ALL RIGHTS RESERVED. 2

SIEM INTEGRATION GUIDE FOR IDAPTIVE IDENTITY SERVICE

Introduction
CyberArk Syslog Writer and CyberArk Identity Threat Intelligence Syslog Wrier are docked
applications that capture events from Idaptive Identity Services and logs them to a syslog server.
The syslog then becomes the data source for a SIEM solution using Splunk or other SIEM
solution.

Syslog Writer is configured to start fetching IISP events from the previous day and then run every
five minutes to fetch events incrementally. Events are fetched from the IISP server using REST
APIs after authenticating via OAuth client credentials. Two syslog writers are available for
download from the CyberArk Identity Admin Portal:

• CyberArk Syslog Writer

The CyberArk Syslog Writer captures CyberArk Identity events and works with CyberArk
Identity Splunk Add-on v1.

• CyberArk Identity Threat Intelligence Syslog Writer

The CyberArk Identity Threat Intelligence Syslog Writer captures CyberArk Identity User
Behavior Analytics (UBA) events and works with CyberArk Identity Splunk Add-on v1 and
other SIEM integrations, such as Qradar.

Note: Although it is possible to run both syslog writers on the same machine, it is best to run
them on separate machines.

This document provides instructions to install and configure Docker and the Syslog server. It
specifically focuses on CentOS 6.9 and docker installed on Windows 10 machine.

This document supplies:

Detailed steps to configure the OAuth app and the SIEM user on a tenant as a prerequisite
for setting up Syslog Writer
Installation procedures for Docker and an interactive configuration to set up the Syslog Writer
on Linux or Windows
Guidelines for the user to set up the CyberArk Identity Services Add-on for Splunk (for Splunk
6.5.x and above)

Supported platforms

The supported platforms to use for Syslog Writer include:

CentOS 6.9, CentOS 7
RHEL 6.5, RHEL 7.x or higher
Any version of Linux or Windows (desktop and server) that supports Docker

COPYRIGHT © 2021 CYBERARK SOFTWARE, LTD. ALL RIGHTS RESERVED. 3

SIEM INTEGRATION GUIDE FOR IDAPTIVE IDENTITY SERVICE

Linux server hardware requirements

The supported Linux server hardware requirements to use Syslog Writer are:
Small: 2 Core 8 GB RAM, 500GB disk
Medium: 4 Core, 16 GB RAM, 500GB disk
Large: 6 Core, 32 GB RAM, 1TB disk

Supported Syslog Server projects

rsyslog
Syslog-ng

Set up the SIEM User and the OAuth App on the Tenant
1. In the CyberArk Identity Admin Portal, go to Apps > Web Apps.

2. Click Add Web Apps, then click Custom.

3. Locate the OAuth2 Client and click Add.

4. When prompted, add the Web App, OAuth2 Client, click Yes.

COPYRIGHT © 2021 CYBERARK SOFTWARE, LTD. ALL RIGHTS RESERVED. 4

SIEM INTEGRATION GUIDE FOR IDAPTIVE IDENTITY SERVICE

5. From the Settings tab, in the Application ID field, enter oauthsiem.

6. From the General Usage tab, leave the defaults as shown.

7. From the Tokens tab, for Auth methods, check Client Creds and click Save

8. From the Scope tab, under Scope definitions, click Add to add a new scope.

9. In the Scope definitions window:

a. In the Name field, enter siem.

b. In the Allowed REST APIs section, click Add, and enter Redrock/query.*

c. Click Save.

10. In the Admin Portal, select Core Services > Users > Add User.

COPYRIGHT © 2021 CYBERARK SOFTWARE, LTD. ALL RIGHTS RESERVED. 5

SIEM INTEGRATION GUIDE FOR IDAPTIVE IDENTITY SERVICE

11. In the Create CyberArk Cloud Directory User page:

a. For the Login Name, enter siemuser.

b. For the Suffix, enter select an available suffix.

c. For the Password and Confirm Password, enter the password of your choice.

d. Check Password never expires.

e. Select Is OAuth confidential client (Preview). This automatically also selects the
options Password never expires and Is Service User

12. In the Admin Portal, select to Core Services > Roles > Add Role.

13. In the Description tab > Name, enter service account and click Save.

This entry serves as the role name.

14. Open the newly created role, and from the Members tab:

a. Click Add and search the siemuser that you created earlier (in Step 11 a).

b. Click Save.

COPYRIGHT © 2021 CYBERARK SOFTWARE, LTD. ALL RIGHTS RESERVED. 6

SIEM INTEGRATION GUIDE FOR IDAPTIVE IDENTITY SERVICE

15. Open the Administrative Rights tab:

a. Click Add.

b. In the Add Rights list, check Read Only System Administration

c. Click Add.

d. Click Save.

COPYRIGHT © 2021 CYBERARK SOFTWARE, LTD. ALL RIGHTS RESERVED. 7

SIEM INTEGRATION GUIDE FOR IDAPTIVE IDENTITY SERVICE

16. On the Assigned Applications tab:

a. Click Add.

b. In Add Applications list, check OAuth2 Client.

c. Click Add.

d. Click Save.

COPYRIGHT © 2021 CYBERARK SOFTWARE, LTD. ALL RIGHTS RESERVED. 8

SIEM INTEGRATION GUIDE FOR IDAPTIVE IDENTITY SERVICE

17. On the CyberArk Identity Admin Portal, from the Core Services > Users tab check the
following:
The siemuser created earlier, is shown as the Cloud Directory User. Click it to open
the user’s page.
In Roles section for this user, the role named service account must be listed, with
Read Only System Administration in Administrative Rights.

18. On the CyberArk Identity Admin Portal, on the Apps > Web Apps tab check the
following:
Select OAuth2 Client
In the Permissions tab > Name column shows the earlier created role service
account with the View permission checked

COPYRIGHT © 2021 CYBERARK SOFTWARE, LTD. ALL RIGHTS RESERVED. 9

SIEM INTEGRATION GUIDE FOR IDAPTIVE IDENTITY SERVICE

Set up the Environment for Linux

Syslog Writer on Linux will most likely involve only one machine, as the Syslog server can be a
local one. This machine will have Docker to run Syslog Writer, and the Syslog server.

Step 1: Set up Docker on Linux

The installation commands in this section are specific to CentOS 6.9. If you have another
supported OS, the following link takes you to the installation instructions for Docker on your OS:

https://docs.docker.com/engine/installation/

1. Make sure that the existing yum packages are updated and that the EPEL repository is
enabled:

sudo yum update

sudo yum install –y epel-release

2. Install Docker:

sudo yum install –y docker-io

3. Start the Docker daemon:

sudo service docker start

4. Make sure that the Docker service is running:

sudo service docker status

Step 2: Set up Syslog Server on Local Host Machine

1. Allow TCP input in the Syslog server configuration.

TCP ensures that no messages are lost even when the load is high, so it is used by Syslog
Writer for logging events to the Syslog server (local or remote). The steps in this section
are specific for setting up rsyslog to receive TCP input.

Note: If you have a different syslog server, you will need to modify the syntax accordingly.

COPYRIGHT © 2021 CYBERARK SOFTWARE, LTD. ALL RIGHTS RESERVED. 10

SIEM INTEGRATION GUIDE FOR IDAPTIVE IDENTITY SERVICE

rsyslog
a. Open the rsyslog configuration file.

sudo vi /etc/rsyslog.conf

b. Uncomment the following two lines in the rsyslog.conf file (if they are commented
out):

$ModLoad imtcp

$InputTCPServerRun 514

c. Restart the rsyslog server.

sudo service rsyslog restart

syslog-ng
a. Open the syslog-ng configuration file.

sudo vi /etc/syslog-ng.conf

b. Look for the following section in the configuration file:

source s_sys {

system();

internal();

# udp(ip(0.0.0.0) port(514));

};

COPYRIGHT © 2021 CYBERARK SOFTWARE, LTD. ALL RIGHTS RESERVED. 11

SIEM INTEGRATION GUIDE FOR IDAPTIVE IDENTITY SERVICE

c. Add the TCP settings to the end of the source s_sys section, so it looks like the
following:

source s_sys {

system();

internal();

# udp(ip(0.0.0.0) port(514));

tcp(ip(127.0.0.1) port(514));

};

d. Restart the syslog-ng server.

sudo service syslog-ng restart

2. Monitor syslog

Before starting Syslog Writer, it is helpful to keep another terminal window open to check
syslog:

sudo tail –f /var/log/messages

Note: The path for Ubuntu is: /var/log/syslog

COPYRIGHT © 2021 CYBERARK SOFTWARE, LTD. ALL RIGHTS RESERVED. 12

SIEM INTEGRATION GUIDE FOR IDAPTIVE IDENTITY SERVICE

Set Up the Environment to Forward information from a

Windows system to a Linux system
Syslog Writer on a Windows system can currently only write the IISP events to a remote syslog
server on Linux, so the setup will involve two machines:
Machine #1 runs Windows with Docker and the Syslog Writer app.
Machine #2 runs Linux with Syslog server and is in the same network.

Step 1: Set up Docker on a Windows (Machine #1)

The installation commands in this section are specific to Windows 10 Professional edition.

Note: A Windows 10 virtual machine running on the same network as the Linux system that
can do virtualization is also sufficient.

If you are using another supported platform, you must modify the syntax for setting up Docker
Desktop for your machine.

1. Install Docker Desktop for Windows by following these instructions:

https://docs.docker.com/docker-for-windows/
2. Open the Docker Quickstart terminal to create a default Docker machine and provide a
prompt for running the Docker commands.
3. You can make a folder using iis-syslog-writer and share it on the network. See
https://docs.docker.com/docker-for-windows/ to install Docker Desktop and then share the
iis-syslog-writer folder. The iis-syslog writer is available from the CyberArk
Identity Admin Portal > Downloads page.

COPYRIGHT © 2021 CYBERARK SOFTWARE, LTD. ALL RIGHTS RESERVED. 13

SIEM INTEGRATION GUIDE FOR IDAPTIVE IDENTITY SERVICE

Step 2: Set up a Remote Syslog Server on Linux (Machine #2)

The steps in this section are specific for setting up rsyslog on CentOS 6.9.

If you have a different syslog server, you must modify the syntax accordingly.

1. Allow TCP input in syslog server configuration:

a. Open the rsyslog configuration file:

sudo vi /etc/rsyslog.conf

b. Uncomment these two lines in the conf file (if they are commented out):

$ModLoad imtcp

$InputTCPServerRun 514

c. Restart the rsyslog server:

sudo service rsyslog restart

2. Allow the firewall to accept TCP input on port 514:

a. Open the iptables config file:

sudo vi /etc/sysconfig/iptables

b. Add this line before the COMMIT line, if it is not present already:

-I INPUT –p tcp -–dport 514 –j ACCEPT

c. Restart iptables:

sudo service iptables restart

3. Before starting syslog writer, it is helpful to keep another terminal window open to check the
syslog:

sudo tail –f /var/log/messages

Note: The path for Ubuntu is /var/log/syslog

COPYRIGHT © 2021 CYBERARK SOFTWARE, LTD. ALL RIGHTS RESERVED. 14

SIEM INTEGRATION GUIDE FOR IDAPTIVE IDENTITY SERVICE

Run the CyberArk Syslog Writer

The commands in this section are shown in Linux format and are run in a terminal window on
Linux. For Windows, open a Docker Quickstart terminal window and enter these commands
without the sudo prefix. To capture User Behavior Analytics events, refer to Run the CyberArk
Identity Threat Intelligence Syslog Writer.

Start the CyberArk Syslog Writer

1. Check the images list.

If the list contains syslogwriter_image, delete it first.

sudo docker images

2. Copy the zip file IIS_syslog_writer.zip from the Downloads page of the CyberArk
Identity Admin Portal.

On a Windows Server VM, make sure that the extracted folder is under the shared folder,
c:\Users.
For example, the extracted folder: C:\Users\<username>\apps\IIS_syslog_writer

3. Load the image from the tar file and make sure that syslogwriter_image is in the
images list:

cd <extracted_path>/IISP_syslog_writer

sudo docker load < syslog-writer-img.tar.gz

sudo docker images

4. Run the Syslog Writer container.

Linux command:

sudo docker run --name syslog-writer -it --log-driver json-fil

e --log-opt max-size=10m --net=host -v `pwd`/data:/home/idapti
ve-syslog-writer/data syslogwriter_image

COPYRIGHT © 2021 CYBERARK SOFTWARE, LTD. ALL RIGHTS RESERVED. 15

SIEM INTEGRATION GUIDE FOR IDAPTIVE IDENTITY SERVICE

Windows command:

docker run --name syslog-writer -it --log-driver json-file --l

og-opt max-size=10m --net=host -v C:\Users\apps\IIS_syslog_wri
ter\data:/home/idaptive-syslog-writer/data syslogwriter_image

5. When prompted, enter:

• The Tenant URL (for example, https://pod0.idaptive.app/my)

• The username and password of the SIEM user
• The IP address of Syslog server if it is remote. Otherwise, just press enter for a local
Syslog server. Note that for Windows, this is the IP address of Machine #2.

6. Check IISP events on the Syslog server.

Congratulations! Your syslog writer is up and running!

The first run starts immediately. Because the default value for the frequency parameter is
five minutes, the Syslog Writer will run once every five minutes.

Automatic Restarting

If you want the container and the Syslog Writer to start automatically, if the Docker daemon
restarts for some reason (like machine restart), you can use the option --restart=always
in the run command, as shown below. Note that the container and the Syslog Writer will not
automatically restart if the container was manually stopped.

sudo docker run --name syslog-writer -it --log-driver json-fil

e --log-opt max-size=10m --net=host --restart=always -v `pwd`/
data:/home/idaptive-syslog-writer/data syslogwriter_image

Check Execution Logs

You can see the current console logs of the syslog writer container by using the logs
command in a Quickstart terminal:

sudo docker logs -f syslog-writer

All execution logs are saved in IISP_syslog_writer/data/logs/ folder on the host

machine.

COPYRIGHT © 2021 CYBERARK SOFTWARE, LTD. ALL RIGHTS RESERVED. 16

SIEM INTEGRATION GUIDE FOR IDAPTIVE IDENTITY SERVICE

Re-Run Syslog Writer After Cleanup

If there was a failure during the initial interactive configuration, or to rerun or configure the Syslog
Writer with a fresh account:

1. Delete the earlier container:

sudo docker rm -f syslog-writer

2. Remove the local conf file in the IISP_syslog_writer/data folder:

sudo rm data/config.ini

3. Run the container again using same run command from the IISP_syslog_writer folder:

sudo docker run --name syslog-writer -it --log-driver json-fil

e --log-opt max-size=10m --net=host -v `pwd`/data:/home/idapti
ve-syslog-writer/data syslogwriter_image

Restart a Stopped Syslog Writer Container

Use this command to start the container/syslog writer, if the container stops (due to the Docker
daemon or machine restart, etc.):

sudo docker start syslog-writer

When the syslog writer restarts, it fetches events beyond the last event fetch date, which is
internally saved on the host machine, during previous run.

Stop the Syslog Writer Container

To stop the container/Syslog Writer:

sudo docker stop syslog-writer

COPYRIGHT © 2021 CYBERARK SOFTWARE, LTD. ALL RIGHTS RESERVED. 17

SIEM INTEGRATION GUIDE FOR IDAPTIVE IDENTITY SERVICE

Important Parameters in data/config.ini

rollback (in hours, default value: 24)

Only applies when syslog writer is started for first time. It is the number of hours before the
current time for the syslog writer to start fetching events. By default, it will fetch for 24 hours
(one day) before the current time in the UTC). If required, you can configure this in
config.ini by creating a copy from the config.ini.default file, before firing the
Docker run command.
batch_size (in minutes, default value: 10)

The number of minutes to fetch data for when the time range is large. By default, it fetches
data in batches of 10 minutes. When there is a larger time range such as 24 hours for the first
time run, it fetches data in batches of 10-minute sizes.

frequency (in minutes, default value: 5)

The frequency (in minutes) for running the Syslog Writer application. By default, it runs every
five minutes. During runtime, a change to this parameter will be reflected after the pending
job run is triggered.

debug (under APP_LOGGER. This feature is disabled by default)

This is for enabling debug level logs. In case of a problem with the behavior of syslog writer,
please set the value of this property to yes (debug = yes) and reproduce the problem. You
can then share an archive of the data/logs folder with Idaptive support for troubleshooting.

Important note about data load

For a data load of 50 events per second and a rollback of 24 hours, it will take approximately 6.5
hours to catch up with current events after starting Syslog Writer. To avoid this delay, you might
want to consider using a smaller rollback value.

COPYRIGHT © 2021 CYBERARK SOFTWARE, LTD. ALL RIGHTS RESERVED. 18

SIEM INTEGRATION GUIDE FOR IDAPTIVE IDENTITY SERVICE

Run the CyberArk Identity Threat Intelligence Syslog Writer

The CyberArk Identity Threat Intelligence Syslog Writer can be used with the Splunk Add-on v1 or
other SIEM integrations, such as Qradar. The syslog writer retrieves CyberArk Identity User
Behavior Analytics (UBA) events using REST APIs and writes those events to the syslog. To
capture CyberArk Identity events, see Run the CyberArk Syslog Writer.

Note: Although it is possible to run the CyberArk Identity Threat Intelligence Syslog Writer on the
same machine as the CyberArk Syslog Writer, it is best to run them on separate machines.

Step 1: Create an API token in the User Behavior Analytics Portal.

To run the CyberArk Identity Threat Intelligence Syslog Writer, you need to create an API token
from the User Behavior Analytics Portal.

1. Sign into the CyberArk Identity Admin Portal and use the portal switcher to select User
Behavior Analytics.

2. Select Settings > API.

3. Click New to create a new API token.

COPYRIGHT © 2021 CYBERARK SOFTWARE, LTD. ALL RIGHTS RESERVED. 19

SIEM INTEGRATION GUIDE FOR IDAPTIVE IDENTITY SERVICE

4. Enter the following information and then click Create:

Field Description
Enter a name for the API token.
Name
Select All from the drop-down menu.
Scopes
Select Unlimited to reuse the same token.
Expiration

If you select Limited, the token expires, and

the syslog writer is not be able to pull the
events after the indicated date is reached.

5. Copy the API token you just created and then click Done.
The API token is required the first time you run the syslog writer.

Step 2: Download the CyberArk Identity Threat Intelligence Syslog

Writer from the Admin Portal.

1. In the CyberArk Identity Admin Portal, go to Downloads > SIEM Integrations.

2. Click Download next to CyberArk Identity Threat Intelligence Syslog Writer.

3. Unzip the file you just downloaded.

Step 3: Run the CyberArk Identity Threat Intelligence Syslog Writer.

1. Locate the cyberark_identity_threat_intel_syslog_writer folder on your system and make

sure there isn’t a syslog wrier already located there.

Command to delete the syslog-writer:

docker rm syslog-writer

Command to delete the syslog writer image:

docker rmi syslogwriter_image:latest

2. Load the docker image from the tar file.

docker load < syslog-writer-img.tar.gz

COPYRIGHT © 2021 CYBERARK SOFTWARE, LTD. ALL RIGHTS RESERVED. 20

SIEM INTEGRATION GUIDE FOR IDAPTIVE IDENTITY SERVICE

3. Run the following command:

sudo docker run --name syslog-writer -it --log-driver json-fil

e --log-opt max-size=10m --net=host -v `pwd`/data:/home/cybera
rk-identity-analytics-syslog-writer/data syslogwriter_image

4. At the prompts, enter the following information (this is only required the first time you run
the syslog writer):

Description
Prompt

Enter Tenant URL: Type:

https://<your tenant name>/admin

Enter API bearer token:

Paste the API token you copied earlier from
the User Behavior Analytics Portal.

Enter IP address of Syslog server • For Linux machines, press Enter.

[Default: 127.0.0.1]:
• For Windows machines, enter the IP
address of the Linux VM.

The Syslog server should now be up and running. You can check the events here:
/var/log/messages

COPYRIGHT © 2021 CYBERARK SOFTWARE, LTD. ALL RIGHTS RESERVED. 21

SIEM INTEGRATION GUIDE FOR IDAPTIVE IDENTITY SERVICE

CyberArk Identity Services Add-on for Splunk

The Splunk Add-on is responsible for data onboarding and parsing IISP logs into Splunk events.
These parsed events can be used for adhoc queries or to create visualizations. This add-on co-
exists with other Splunk add-ons without conflicts.

Apart from data onboarding and parsing, the Splunk Add-on takes care of the following:

• Timestamp correction: The timestamp in Syslog is the time when logging happened
and not the actual time when the event occurred, so the timestamp of the IISP event in
Splunk is corrected by using the WhenOccurred field in the event payload.
• Custom sourcetype assignment: A new sourcetype called idaptive_IISP_syslog
is assigned to IISP events. This ensures that IISP events and other Syslog messages are
not touched unintentionally.
• Applying Idaptive headers: Headers such as product, category, and eventname
present in the payload are assigned to IISP events in Splunk.
• CIM compliance: The add-on maps IISP Authentication events to the Authentication
model of CIM.

Set Up Splunk Universal Forwarder

In a distributed Splunk environment, the Splunk Universal Forwarder must be set up on the
machine with the Syslog server so that the IISP events in syslog get forwarded to the Indexer.

To configure Splunk Universal Forwarder for a distributed setup:

1. In a terminal, navigate to the path of Splunk Universal Forwarder:

cd splunkuniversalforwader/bin

2. Add the Forward server in the bin folder, using the IP address of the Splunk Indexer as the
<ipaddress> and the Receiver port configured on the Splunk Indexer as the <port>
(usually 9997):

./splunk add forward-server <ipaddress>:<port>

3. Add syslog to the monitored files list:

./splunk add monitor /var/log/messages

COPYRIGHT © 2021 CYBERARK SOFTWARE, LTD. ALL RIGHTS RESERVED. 22

SIEM INTEGRATION GUIDE FOR IDAPTIVE IDENTITY SERVICE

Install the Splunk Add-on

The Splunk Add-on must be installed on the indexer, and on the search head.

To install the Splunk Add-on from the Splunk Web UI, go to Apps > Browse, Select CyberArk
Identity Services Add-on for Splunk.

The Splunk Add-on is also available from the Downloads page on the CyberArk Identity Admin
Portal.

Configure Data Input

To configure data input:

In a distributed Splunk environment with a Forward Server:

1. Open Splunk Enterprise in a browser.

2. Go to Settings > Forwarding and receiving > Configure Receiving > Add New.
3. In the Listen to Port text box, enter 9997.
4. Click Save to send messages from the Forward Server to port 9997.

In a stand-alone Splunk environment with a local syslog:

1. Go to Settings > Data Inputs > Files and Directories.

2. Enable /var/log/messages (this is disabled by default).

COPYRIGHT © 2021 CYBERARK SOFTWARE, LTD. ALL RIGHTS RESERVED. 23

SIEM INTEGRATION GUIDE FOR IDAPTIVE IDENTITY SERVICE

Search for IISP Events

To search for IISP events, enter this command:

Search sourcetype = “iis:events”

COPYRIGHT © 2021 CYBERARK SOFTWARE, LTD. ALL RIGHTS RESERVED. 24