Configure CyberArk PAM for Arctic Wolf monitoring

You can configure CyberArk Privileged Access Manager (PAM)® to send the necessary logs to Arctic Wolf® for security monitoring.

These resources are required:

  • An activated Arctic Wolf Sensor or Virtual Log Collector (vLC)
  • Access to the CyberArk Vault Server as the local administrator
  • Access to the CyberArk Privileged Threat Analytics (PTA) server as the root user

Configure the Vault Server to send syslog records

  1. Sign in to the CyberArk Vault Server as the local administrator.
  2. Navigate to the Syslog folder in the server installation directory. For example, PrivateArk > Server > Syslog.
  3. Copy the SyslogTranslator.sample.xsl file path to use in a later step.
  4. Navigate to /Server/Conf, and then back up the DBParm.ini file.
  5. Open the DBParm.ini file, and then configure these settings:
    • SyslogTranslatorFile — Enter the file path for SyslogTranslator.sample.xsl from a previous step.
    • SyslogServerPort — Enter 514.
    • SyslogServerIP — Enter the IP address of the Arctic Wolf Sensor or vLC.
    • SyslogServerProtocol — Enter TCP.
    • SyslogMessageCodeFilter — Enter 0-999.
    • UseLegacySyslogFormat — Enter No.
  6. Save the file, and then exit.
  7. Restart the server to apply the configuration changes.
    A message confirms that the configuration changes have been applied.
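
The following is an added illustration of what the edited section of DBParm.ini looks like after step 5; it is not taken from the Arctic Wolf guide or from a CyberArk installation. The [SYSLOG] section name, the comment lines, the installation path and the IP address are assumptions and placeholders; keep the key names and values exactly as listed in step 5, and substitute the file path you copied in step 3 and the address of your Sensor or vLC.

```ini
; Added illustration of the syslog settings in DBParm.ini (section name and paths are assumptions).
; Remove these comment lines before saving if your DBParm.ini does not accept comments.
[SYSLOG]
; Placeholder path: use the SyslogTranslator.sample.xsl path copied in step 3.
SyslogTranslatorFile=C:\Program Files (x86)\PrivateArk\Server\Syslog\SyslogTranslator.sample.xsl
SyslogServerPort=514
; Placeholder address: use the IP address of your Arctic Wolf Sensor or vLC.
SyslogServerIP=192.0.2.10
SyslogServerProtocol=TCP
SyslogMessageCodeFilter=0-999
UseLegacySyslogFormat=No
```

Before restarting the server, confirm that the Vault Server can reach the Sensor or vLC on TCP port 514; if a firewall between them blocks that port, the restart succeeds but no records arrive at Arctic Wolf.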

Configure the PTA server to send syslog records

Configuring the CyberArk PTA to send syslog records is optional. However, Arctic Wolf recommends completing this step to get the best security value from this integration.

  1. Sign in to the CyberArk PTA server as the root user.
  2. Open the default systemparm.properties file using the DEFAULTPARM command.
  3. Copy the line containing the syslog_outbound field, and then exit the file.
  4. Open the local systemparm.properties file using the LOCALPARM command.
    The file opens in the Vim text editor.
  5. Press i to edit the file.
  6. Paste the line that you copied, and then remove the # to uncomment it.
  7. In the new line, configure these settings:
    • host — Enter the IP address of the Arctic Wolf Sensor or vLC.
    • port — Enter 514.
    • format — Enter CEF.
    • protocol — Enter TCP.
    • siem — Enter Arctic Wolf.
    • SyslogType — Enter RFC5424.
    • tcpOctetCounting — Enter False.
  8. Save the file, and then exit.
  9. Restart the server.
    A message confirms that the configuration changes have been applied.
  10. Sign in to the CyberArk PTA server as the root user, and then run the RUN_DIAGNOSTICS command to confirm the syslog changes.
    Task numbers P046 and P052 should display OK.
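
The following is an added illustration of the uncommented syslog_outbound line in the local systemparm.properties file after step 7; it is not taken from the Arctic Wolf guide or from a PTA installation. The line layout (a JSON list with quoted keys and a lowercase boolean) is an assumption: always copy the exact line from the default file as described in step 3 and change only the values listed in step 7. The IP address is a placeholder.

```ini
# Added illustration (layout assumed); copy the real line from the default file and edit only the values.
# 192.0.2.10 is a placeholder for the IP address of your Arctic Wolf Sensor or vLC.
syslog_outbound=[{"siem": "Arctic Wolf", "format": "CEF", "host": "192.0.2.10", "port": 514, "protocol": "TCP", "SyslogType": "RFC5424", "tcpOctetCounting": false}]
```

If RUN_DIAGNOSTICS reports a task other than OK for P046 or P052, recheck the line for a leftover # at the start, a typo in one of the key names, or a host that the PTA server cannot reach on TCP port 514.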

Provide configuration information to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Tickets & Alerts > All Tickets.
  3. Perform the appropriate action, depending on whether you are:
    • A new customer — In the Ticket Type list, select Onboarding. Then, click the existing [Deploy] Site Config: <ticket_subject> ticket.
    • An existing customer — Click Open a New Ticket.
  4. On the Open a New Ticket page, configure these settings:
    • What is this ticket related to? — Select General request.
    • Subject — Enter Syslog changes.
    • Related ticket (optional) — Keep empty.
    • Message — Enter this information for your Concierge Security® Team (CST):
      • Confirmation that you completed the steps in this configuration guide.
      • The IP address or hostname of the Arctic Wolf Sensor that you used during the configuration.
      • The IP address, timezone, and device type for all sources that you are forwarding.
      • Questions or comments that you have.
  5. Click Send Message.

    Your CST reviews the details to make sure that Arctic Wolf is successfully processing the logs.