The customer team has prepped the Cyber Ark server and added the required xsl files according to the attached config guide. I have ensured that the decoder is capturing and the service parser is enabled. I want to ensure that the logs are truly being ingested and an analyst could see the logs. How can I definitively identify the forwarded CyberArk event sources are in SA?
Thank you for your assistance!
do a query of the device ip see whether you can find any, or you can do tcpdump see whether the logs is sending over.
depending on your SA version you can also use the health and wellness section of SA (Admin > Health and Wellness > Event source monitoring) to locate the IP and potential device type of the cyberark logs.
you can select the log decoder you are pointing at, the remote collector (VLC) if you are using one and the device.type if the messages are parsed properly. Make sure you have the updated parser subscribed and deployed from RSA Live as well as make sure its enabled on the log decoder.
Thanks for the guidance guys, I have tried all of the steps provided and It seems like a network issue. Wish I could mark both as correct, because they both provided insight into T/S the issue.
If you have found your way here, then you may find this link helpful. I know that I did, and it pertains to the underlying question that I had about adding event types.
do a query of the device ip see whether you can find any, or you can do tcpdump see whether the logs is sending over.