FortiSIEM CyberArk Password Vault Configuration

CyberArk Password Vault Configuration

What is Discovered and Monitored

Protocol Information discovered Logs parsed Used for
Syslog (CEF formatted and others)   CyberArk Safe Activity Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “CyberArk-Vault” in the Device Type column to see close to 400 event types associated with this device.


In Analytics > Rules, search for “CyberArk”:

CyberArk Vault Blocked Failure

CyberArk Vault CPM Password Disables

CyberArk Vault Excessive Failed PSM Connections

CyberArk Vault Excessive Impersonations

CyberArk Vault Excessive PSM Keystroke Logging Failure

CyberArk Vault Excessive PSM Session Monitoring Failure

CyberArk Vault Excessive Password Release Failure

CyberArk Vault File Operation Failure

CyberArk Vault Object Content Validation Failure

CyberArk Vault Unauthorized User Stations

CyberArk Vault User History Clear


In Analytics > Reports, search for “CyberArk”:

CyberArk Blocked Operations

CyberArk CPM Password Disables

CyberArk CPM Password Retrieval

CyberArk File Operation Failures

CyberArk Impersonations

CyberArk Object Content Validation Failures

CyberArk PSM Monitoring Failures

CyberArk Password Resets

CyberArk Privileged Command Operations

CyberArk Provider Password Retrieval

CyberArk Trusted Network Area Updates

CyberArk Unauthorized Stations

CyberArk User History Clears

CyberArk User/Group Modification Activity

CyberArk Vault CPM Password Reconcilations

CyberArk Vault CPM Password Verifications

CyberArk Vault Configuration Changes

CyberArk Vault Failed PSM connections

CyberArk Vault Modification Activity

CyberArk Vault PSM Keystore Logging Failures

CyberArk Vault Password Changes from CPM

CyberArk Vault Password Release Failures

CyberArk Vault Successful PSM Connections

Top CyberArk Event Types

Top CyberArk Safes, Folders By Activity

Top CyberArk Users By Activity

CyberArk Configuration for sending syslog in a specific format

  1. Open \PrivateArk\Server\DBParm.ini file and edit the SYSLOG section:
    1. SyslogServerIP – Specify AccelOps supervisor, workers and collectors separated by commas.
    2. SyslogServerProtocol – Set to the default value of UDP.
    3. SyslogServerPort – Set to the default value of 514.
    4. SyslogMessageCodeFilter – Set to the default range 0-999.
    5. SyslogTranslatorFile – Set to Syslog\AccelOps.xsl.
    6. UseLegacySyslogFormat – Set to the default value of No.
  2. Copy the relevant XSL translator file to the Syslog subfolder specified in the SyslogTranslatorFile parameter in DBParm.ini.
  3. Stop and Start Vault (Central Server Administration) for the changes to take effect.

Make sure the syslog format is as follows.

<5>1 2016-02-02T17:24:42Z SJCDVVWCARK01 CYBERARK: Product=”Vault”;Version=”9.20.0000″;MessageID=”295″;Message=”Retrieve password”;Issuer=”Administrator”;Station=”″;File=”Root\snmpC ommunity”;Safe=”TestPasswords”;Reason=”Test”;Severity=”Info” <30>Mar 22 20:13:42 VA461_1022 CyberArk AIM[2453]: APPAP097I Connection to the Vault has been restored <27>Mar 22 20:10:50 VA461_1022 CyberArk AIM[2453]: APPAP289E Connection to the Vault has failed. Further attempts to connect to the Vault will be avoided for [1] minutes. <27>Mar 24 23:41:58 VA461_1022 CyberArk AIM[2453]: APPAU002E Provider

[Prov_VA461_1022] has failed to fetch password with query [Safe=TestPutta;Object=Telnet91] for application [AccelOps]. Fetch reason: [APPAP004E Password object matching query

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Don't Forget To visit the YouTube Channel for the latest Fortinet Training Videos and Question / Answer sessions!
- FortinetGuru YouTube Channel
- FortiSwitch Training Videos