This message originated from Cribl Community Slack.
Click here to view the original link.
Hi everyone, we're trying to setup log forwarding from Cyberark Audit to cribl. Could you please help with that
Solved
Cyberark Audit Log Forwarding Setup To Cribl Failing
Best answer by Jon Rust
as far as i can tell, it's just syslog
1. Set-up a syslog source as normal, or use an existing one. Enable TLS
2. In your CyberArk UI locate the SIEM / Syslog / Log forwarding settings and create a new target with:
◦ Server / Host:
▪︎ Cribl.Cloud: your Worker Group Ingress hostname (e.g.
default.<workspace>.<org>.cribl.cloud).
▪︎ Self‑hosted: the VIP / load balancer / worker IP where Stream listens.
◦ Port: the exact port from the Syslog Source above.
◦ enable TLS
◦ Log types: select the CyberArk events you care about.
◦ Format:
▪︎ If there’s a choice, pick CEF or key=value syslog; Cribl parses these easily.
as far as i can tell, it's just syslog
1. Set-up a syslog source as normal, or use an existing one. Enable TLS
2. In your CyberArk UI locate the SIEM / Syslog / Log forwarding settings and create a new target with:
◦ Server / Host:
▪︎ Cribl.Cloud: your Worker Group Ingress hostname (e.g.
default.<workspace>.<org>.cribl.cloud).
▪︎ Self‑hosted: the VIP / load balancer / worker IP where Stream listens.
◦ Port: the exact port from the Syslog Source above.
◦ enable TLS
◦ Log types: select the CyberArk events you care about.
◦ Format:
▪︎ If there’s a choice, pick CEF or key=value syslog; Cribl parses these easily.
If you can't use syslog, there may be a way to collect via their API, but I've not seen it done (yet)
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.