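--- a/packages/cyberarkpas/changelog.yml
+++ b/packages/cyberarkpas/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.28.0"
+  changes:
+    - description: Handle syslog header in the monitor data stream.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/16739
 - version: "2.27.0"
   changes:
     - description: Update Kibana constraint to support 9.0.0.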
Expand Up @@ -54,7 +54,7 @@
]
},
{
"@timestamp": "2025-03-08T03:00:20.000Z",
"@timestamp": "2026-03-08T03:00:20.000Z",
"cyberarkpas": {
"audit": {
"action": "Auto Clear Users History start",
Expand Down Expand Up @@ -100,4 +100,4 @@
]
}
]
}
}
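Review bot: The expected `@timestamp` moves from 2025 to 2026 while the month, day and time of day stay identical, which looks like the year being filled in from the clock at test time rather than from the log line; the audit sample and the pipeline that produces this document are not in the diff, so this is inferred rather than confirmed. If that is the case, these expectations will drift again at the next year roll and the pipeline test will fail on an unrelated change. A timestamp format in the sample that carries the year, or a pinned year in the test, would keep the expected documents stable.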
Expand Up @@ -54,7 +54,7 @@
]
},
{
"@timestamp": "2025-03-08T03:00:20.000Z",
"@timestamp": "2026-03-08T03:00:20.000Z",
"cyberarkpas": {
"audit": {
"action": "Auto Clear Users History end",
Expand Down Expand Up @@ -100,4 +100,4 @@
]
}
]
}
}
Expand Up @@ -54,7 +54,7 @@
]
},
{
"@timestamp": "2025-03-08T02:48:07.000Z",
"@timestamp": "2026-03-08T02:48:07.000Z",
"cyberarkpas": {
"audit": {
"action": "Monitor DR Replication start",
Expand Down Expand Up @@ -100,4 +100,4 @@
]
}
]
}
}
Expand Up @@ -54,7 +54,7 @@
]
},
{
"@timestamp": "2025-03-08T02:48:07.000Z",
"@timestamp": "2026-03-08T02:48:07.000Z",
"cyberarkpas": {
"audit": {
"action": "Monitor DR Replication end",
Expand Down Expand Up @@ -100,4 +100,4 @@
]
}
]
}
}
Expand Up @@ -54,7 +54,7 @@
]
},
{
"@timestamp": "2025-03-08T02:32:56.000Z",
"@timestamp": "2026-03-08T02:32:56.000Z",
"cyberarkpas": {
"audit": {
"action": "Monitor FW rules start",
Expand Down Expand Up @@ -100,4 +100,4 @@
]
}
]
}
}
Expand Up @@ -54,7 +54,7 @@
]
},
{
"@timestamp": "2025-03-08T02:32:56.000Z",
"@timestamp": "2026-03-08T02:32:56.000Z",
"cyberarkpas": {
"audit": {
"action": "Monitor FW Rules end",
Expand Down Expand Up @@ -100,4 +100,4 @@
]
}
]
}
}
Expand Up @@ -57,7 +57,7 @@
]
},
{
"@timestamp": "2025-03-08T07:46:54.000Z",
"@timestamp": "2026-03-08T07:46:54.000Z",
"cyberarkpas": {
"audit": {
"action": "Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.",
Expand Down Expand Up @@ -106,4 +106,4 @@
]
}
]
}
}
Expand Up @@ -55,7 +55,7 @@
]
},
{
"@timestamp": "2025-03-08T03:10:31.000Z",
"@timestamp": "2026-03-08T03:10:31.000Z",
"cyberarkpas": {
"audit": {
"action": "Clear Safe History",
Expand Down Expand Up @@ -156,4 +156,4 @@
]
}
]
}
}
Expand Up @@ -107,7 +107,7 @@
]
},
{
"@timestamp": "2025-03-08T02:54:46.000Z",
"@timestamp": "2026-03-08T02:54:46.000Z",
"cyberarkpas": {
"audit": {
"action": "Set Password",
Expand Down Expand Up @@ -1071,4 +1071,4 @@
]
}
]
}
}
@@ -1,7 +1,7 @@
{
"expected": [
{
"@timestamp": "2025-03-08T03:41:01.000Z",
"@timestamp": "2026-03-08T03:41:01.000Z",
"cyberarkpas": {
"audit": {
"action": "Retrieve File",
Expand Down Expand Up @@ -52,4 +52,4 @@
]
}
]
}
}
Expand Up @@ -27,4 +27,4 @@
{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:26:00","IsoTimestamp":"2024-10-15T00:26:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0026","AverageExecutionTime":"14","MaxExecutionTime":"170","AverageQueueTime":"4","MaxQueueTime":"54","NumberOfParallelTasks":"0","MaxParallelTasks":"20","TransactionCount":"307","CPUUsage":"10","MemoryUsage":"60","DriveFreeSpaceInGB":"20","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}}
{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:27:00","IsoTimestamp":"2024-10-15T00:27:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0027","AverageExecutionTime":"10","MaxExecutionTime":"184","AverageQueueTime":"0","MaxQueueTime":"102","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"316","CPUUsage":"12","MemoryUsage":"60","DriveFreeSpaceInGB":"20","DriveTotalSpaceInGB":"40","SyslogQueueSize":"1"}}}
{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:28:00","IsoTimestamp":"2024-10-15T00:28:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0028","AverageExecutionTime":"11","MaxExecutionTime":"101","AverageQueueTime":"1","MaxQueueTime":"62","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"302","CPUUsage":"0","MemoryUsage":"63","DriveFreeSpaceInGB":"20","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}}
{"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:29:00","IsoTimestamp":"2024-10-15T00:29:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0029","AverageExecutionTime":"10","MaxExecutionTime":"148","AverageQueueTime":"0","MaxQueueTime":"37","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"315","CPUUsage":"7","MemoryUsage":"62","DriveFreeSpaceInGB":"20","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}}
2026-01-01T00:00:01-00:00 hostname0001 {"format":"elastic","version":"1.0","syslog":{"monitor_record":{"Timestamp":"Oct 15 00:29:00","IsoTimestamp":"2024-10-15T00:29:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"VaultMonitor","Version":"11.7.0029","AverageExecutionTime":"10","MaxExecutionTime":"148","AverageQueueTime":"0","MaxQueueTime":"37","NumberOfParallelTasks":"1","MaxParallelTasks":"20","TransactionCount":"315","CPUUsage":"7","MemoryUsage":"62","DriveFreeSpaceInGB":"20","DriveTotalSpaceInGB":"40","SyslogQueueSize":"0"}}}
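Review bot: The added sample line `2026-01-01T00:00:01-00:00 hostname0001 {...}` matches neither of the header shapes the pipeline documents — the RFC5424 pattern requires a `<PRI>1 ` prefix and the legacy pattern expects a `Mar 08 02:57:42`-style timestamp — so it only exercises the unanchored catch-all pattern, which is consistent with the expected document keeping the header in `event.original` and extracting nothing from it. As a result neither the priority nor the hostname capture is covered by a test. Adding one line per documented format, e.g. `<5>1 2021-03-04T17:28:23Z VAULT {...}` and `Mar 08 02:57:42 VAULT {...}` with the same payload, would cover both branches and show what is expected to land in `log.syslog.priority`.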
Expand Up @@ -1476,7 +1476,7 @@
},
"event": {
"kind": "metric",
"original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"monitor_record\":{\"Timestamp\":\"Oct 15 00:29:00\",\"IsoTimestamp\":\"2024-10-15T00:29:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"VaultMonitor\",\"Version\":\"11.7.0029\",\"AverageExecutionTime\":\"10\",\"MaxExecutionTime\":\"148\",\"AverageQueueTime\":\"0\",\"MaxQueueTime\":\"37\",\"NumberOfParallelTasks\":\"1\",\"MaxParallelTasks\":\"20\",\"TransactionCount\":\"315\",\"CPUUsage\":\"7\",\"MemoryUsage\":\"62\",\"DriveFreeSpaceInGB\":\"20\",\"DriveTotalSpaceInGB\":\"40\",\"SyslogQueueSize\":\"0\"}}}"
"original": "2026-01-01T00:00:01-00:00 hostname0001 {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"monitor_record\":{\"Timestamp\":\"Oct 15 00:29:00\",\"IsoTimestamp\":\"2024-10-15T00:29:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"VaultMonitor\",\"Version\":\"11.7.0029\",\"AverageExecutionTime\":\"10\",\"MaxExecutionTime\":\"148\",\"AverageQueueTime\":\"0\",\"MaxQueueTime\":\"37\",\"NumberOfParallelTasks\":\"1\",\"MaxParallelTasks\":\"20\",\"TransactionCount\":\"315\",\"CPUUsage\":\"7\",\"MemoryUsage\":\"62\",\"DriveFreeSpaceInGB\":\"20\",\"DriveTotalSpaceInGB\":\"40\",\"SyslogQueueSize\":\"0\"}}}"
},
"host": {
"cpu": {
Expand All @@ -1501,4 +1501,4 @@
]
}
]
}
}
Expand Up @@ -17,10 +17,34 @@ processors:
target_field: event.original
if: ctx.event?.original == null
ignore_missing: true
#
# Parse syslog headers (if any) and extract JSON payload.
#
- grok:
tag: grok_event_original
field: event.original
patterns:
# RFC5424 from CyberArk.
# UseLegacySyslogFormat=No
# <5>1 2021-03-04T17:28:23Z VAULT {"format":"elastic","version":"1.0",...}
- "^<%{NONNEGINT:log.syslog.priority:long}>%{NONNEGINT} %{TIMESTAMP_ISO8601:_tmp.syslog_ts} %{SYSLOGHOST:_tmp.hostname} %{JSON_PAYLOAD:_tmp.payload}"

# Legacy format.
# UseLegacySyslogFormat=Yes
# Mar 08 02:57:42 VAULT {"format":"elastic","version":"1.0",...}
- "^%{SYSLOGTIMESTAMP:_tmp.syslog_ts} %{SYSLOGHOST:_tmp.hostname} %{JSON_PAYLOAD:_tmp.payload}"

# Catch-all mode, just JSON payload.
- "%{JSON_PAYLOAD:_tmp.payload}"
pattern_definitions:
JSON_PAYLOAD: '{"format":"elastic","version":"1.0",.*}'
on_failure:
- fail:
message: "unexpected event format: {{{_ingest.on_failure_message}}}"

- json:
tag: json_event_original
field: event.original
tag: json_tmp_payload
field: _tmp.payload
target_field: _tmp.json
on_failure:
- fail:
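Review bot: The RFC5424 pattern stores the raw `<PRI>` value in `log.syslog.priority`, but nothing in the hunk derives `log.syslog.facility.code` and `log.syslog.severity.code` from it, nor maps `_tmp.hostname` and `_tmp.syslog_ts` onto `host.name` or `@timestamp`; the processors list continues past the hunk, so this may be handled further down, and if it is not, a small script processor after the grok can split the priority (facility is `pri >> 3`, severity is `pri & 7`). The catch-all pattern is also unanchored, so a line whose header is in neither documented shape is accepted with that header left unparsed rather than rejected by the `fail` branch; a comment on that pattern such as `# Unrecognised or missing header: the header text survives only in event.original.` would make the fallback explicit for operators reading the pipeline.
```yaml
# … unchanged: grok and json processors …
  - script:
      tag: script_split_syslog_priority
      if: ctx.log?.syslog?.priority != null
      source: |
        long pri = ctx.log.syslog.priority;
        ctx.log.syslog.facility = ['code': pri >> 3];
        ctx.log.syslog.severity = ['code': pri & 7];
```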
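--- a/packages/cyberarkpas/manifest.yml
+++ b/packages/cyberarkpas/manifest.yml
@@ -1,6 +1,6 @@
 name: cyberarkpas
 title: CyberArk Privileged Access Security
-version: "2.27.0"
+version: "2.28.0"
 description: Collect logs from CyberArk Privileged Access Security with Elastic Agent.
 type: integration
 format_version: "3.0.3"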