Add package for Cyberark Privileged Access Security audit logs (#928)

Adds a new package, cyberarkpas, for Cyberark Privileged Access Security audit logs (from elastic/beats#24803)

packages/cyberarkpas/_dev/build/docs/README.md

@@ -0,0 +1,36 @@
+# Cyberark Privileged Access Security
+
+The Cyberark Privileged Access Security integration collects audit logs from Cyberark's Vault server.
+
+## Audit
+
+The `audit` dataset receives Vault Audit logs for User and Safe activities over the syslog protocol.
+
+### Vault Configuration
+
+Follow the steps under [Security Information and Event Management (SIEM) Applications](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm) documentation to setup the integration:
+
+- Copy the [elastic-json-v1.0.xsl](https://raw.githubusercontent.com/elastic/beats/master/x-pack/filebeat/module/cyberarkpas/_meta/assets/elastic-json-v1.0.xsl) XSL Translator file to
+the `Server\Syslog` folder.
+
+- Sample syslog configuration for `DBPARM.ini`:
+
+```ini
+[SYSLOG]
+UseLegacySyslogFormat=No
+SyslogTranslatorFile=Syslog\elastic-json-v1.0.xsl
+SyslogServerIP=<INSERT FILEBEAT IP HERE>
+SyslogServerPort=<INSERT FILEBEAT PORT HERE>
+SyslogServerProtocol=TCP
+```
+
+For proper timestamping of events, it's recommended to use the newer RFC5424 Syslog format
+(`UseLegacySyslogFormat=No`). To avoid event loss, use `TCP` or `TLS` protocols instead of `UDP`.
+
+### Example event
+
+{{event "audit"}}
+
+**Exported fields**
+
+{{fields "audit"}}

packages/cyberarkpas/_dev/deploy/docker/docker-compose.yml

@@ -0,0 +1,26 @@
+version: '2.3'
+services:
+  cyberarkpas-audit-logfile:
+    image: alpine
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+      - ${SERVICE_LOGS_DIR}:/var/log
+    command: /bin/sh -c "cp /sample_logs/audit/* /var/log/"
+  cyberarkpas-audit-udp:
+    image: akroh/stream:v0.2.0
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    entrypoint: /bin/bash
+    command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9999 -p=udp /sample_logs/audit/*.log"
+  cyberarkpas-audit-tcp:
+    image: akroh/stream:v0.2.0
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    entrypoint: /bin/bash
+    command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9999 -p=tcp /sample_logs/audit/*.log"
+  cyberarkpas-audit-tls:
+    image: akroh/stream:v0.2.0
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    entrypoint: /bin/bash
+    command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9999 -p=tls --insecure /sample_logs/audit/*.log"

packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/105_add_file_category.log

@@ -0,0 +1,6 @@
+<5>1 2021-03-08T18:24:49Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:24:49","IsoTimestamp":"2021-03-08T18:24:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"Administrator","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WinDesktopLocal-Address-adriansr","Station":"127.0.0.1","Location":"","Category":"Address","RequestId":"","Reason":"Value=[Address]","ExtraDetails":"","Message":"Add File Category","GatewayStation":"10.0.1.20"}}}
+<5>1 2021-03-10T09:11:54Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:54","IsoTimestamp":"2021-03-10T09:11:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"PSMPApp_localhost.localdomain","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_localhost.localdomain.LiveSessions","Station":"81.32.170.205","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}}
+<5>1 2021-03-10T18:46:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:48","IsoTimestamp":"2021-03-10T18:46:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"PSMApp_VAGRANT","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSMServer.LiveSessions","Station":"81.32.170.205","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}}
+<5>1 2021-03-10T22:17:26Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:26","IsoTimestamp":"2021-03-10T22:17:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"Administrator","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSM-ASR-CYBERARK-WI","Station":"35.192.121.42","Location":"","Category":"LogonDomain","RequestId":"","Reason":"Value=[ASR-CYBERARK-WI]","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}}
+<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSM-ASR-CYBERARK-WI.LiveSessions","Station":"35.192.121.42","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}}
+<5>1 2021-03-11T16:59:58Z VAULT {"format":"elastic","version":"1.0","raw":"<syslog>\n\n  <audit_record>\n    <Rfc5424>yes</Rfc5424>\n    <Timestamp>Mar 11 08:59:58</Timestamp>\n    <IsoTimestamp>2021-03-11T16:59:58Z</IsoTimestamp>\n    <Hostname>VAULT</Hostname>\n    <Vendor>Cyber-Ark</Vendor>\n    <Product>Vault</Product>\n    <Version>11.7.0000</Version>\n    <MessageID>105</MessageID>\n    <Desc>Add File Category</Desc>\n    <Severity>Info</Severity>\n    <Issuer>PSMPApp_VAGRANT</Issuer>\n    <Action>Add File Category</Action>\n    <SourceUser></SourceUser>\n    <TargetUser></TargetUser>\n    <Safe>PSMPLiveSessions</Safe>\n    <File>Root\\PSMPApp_VAGRANT.LiveSessions</File>\n    <Station>81.32.170.205</Station>\n    <Location></Location>\n    <Category>_PSMLiveSessions_1</Category>\n    <RequestId></RequestId>\n    <Reason></Reason>\n    <ExtraDetails></ExtraDetails>\n    <Message>Add File Category</Message>\n    <GatewayStation></GatewayStation>\n  </audit_record>\n\n</syslog>","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:58","IsoTimestamp":"2021-03-11T16:59:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_VAGRANT.LiveSessions","Station":"81.32.170.205","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}}

packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/106_update_file_category.log

@@ -0,0 +1,6 @@
+<5>1 2021-03-08T18:25:52Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:25:52","IsoTimestamp":"2021-03-08T18:25:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"Administrator","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WinDesktopLocal-Address-adriansr","Station":"127.0.0.1","Location":"","Category":"Address","RequestId":"","Reason":"Value=[components] Old Value=[Address]","ExtraDetails":"","Message":"Update File Category","GatewayStation":"10.0.1.20"}}}
+<5>1 2021-03-10T18:46:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:48","IsoTimestamp":"2021-03-10T18:46:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMApp_VAGRANT","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSMServer.LiveSessions","Station":"81.32.170.205","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}}
+<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSM-ASR-CYBERARK-WI.LiveSessions","Station":"35.192.121.42","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}}
+<5>1 2021-03-11T17:38:26Z VAULT {"format":"elastic","version":"1.0","raw":"<syslog>\n\n  <audit_record>\n    <Rfc5424>yes</Rfc5424>\n    <Timestamp>Mar 11 09:38:26</Timestamp>\n    <IsoTimestamp>2021-03-11T17:38:26Z</IsoTimestamp>\n    <Hostname>VAULT</Hostname>\n    <Vendor>Cyber-Ark</Vendor>\n    <Product>Vault</Product>\n    <Version>11.7.0000</Version>\n    <MessageID>106</MessageID>\n    <Desc>Update File Category</Desc>\n    <Severity>Info</Severity>\n    <Issuer>PSMPApp_VAGRANT</Issuer>\n    <Action>Update File Category</Action>\n    <SourceUser></SourceUser>\n    <TargetUser></TargetUser>\n    <Safe>PSMRecordings</Safe>\n    <File>root\\87012dcc-8290-11eb-949e-080027efd402.session</File>\n    <Station>81.32.170.205</Station>\n    <Location></Location>\n    <Category>PSMStatus</Category>\n    <RequestId></RequestId>\n    <Reason></Reason>\n    <ExtraDetails></ExtraDetails>\n    <Message>Update File Category</Message>\n    <GatewayStation></GatewayStation>\n  </audit_record>\n\n</syslog>","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:26","IsoTimestamp":"2021-03-11T17:38:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMRecordings","File":"root\\87012dcc-8290-11eb-949e-080027efd402.session","Station":"81.32.170.205","Location":"","Category":"PSMStatus","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}}
+<5>1 2021-03-11T20:10:33Z VAULT {"format":"elastic","version":"1.0","raw":"<syslog>\n\n  <audit_record>\n    <Rfc5424>yes</Rfc5424>\n    <Timestamp>Mar 11 12:10:33</Timestamp>\n    <IsoTimestamp>2021-03-11T20:10:33Z</IsoTimestamp>\n    <Hostname>VAULT</Hostname>\n    <Vendor>Cyber-Ark</Vendor>\n    <Product>Vault</Product>\n    <Version>11.7.0000</Version>\n    <MessageID>106</MessageID>\n    <Desc>Update File Category</Desc>\n    <Severity>Info</Severity>\n    <Issuer>PSMApp_ASR-WIN</Issuer>\n    <Action>Update File Category</Action>\n    <SourceUser></SourceUser>\n    <TargetUser></TargetUser>\n    <Safe>PSMLiveSessions</Safe>\n    <File>Root\\PSM-ASR-CYBERARK-WI.LiveSessions</File>\n    <Station>34.66.114.180</Station>\n    <Location></Location>\n    <Category>_PSMLiveSessions_1</Category>\n    <RequestId></RequestId>\n    <Reason></Reason>\n    <ExtraDetails></ExtraDetails>\n    <Message>Update File Category</Message>\n    <GatewayStation></GatewayStation>\n  </audit_record>\n\n</syslog>","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:10:33","IsoTimestamp":"2021-03-11T20:10:33Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSM-ASR-CYBERARK-WI.LiveSessions","Station":"34.66.114.180","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}}
+<5>1 2021-03-14T13:49:38Z VAULT {"format":"elastic","version":"1.0","raw":"<syslog>\n\n  <audit_record>\n    <Rfc5424>yes</Rfc5424>\n    <Timestamp>Mar 14 06:49:38</Timestamp>\n    <IsoTimestamp>2021-03-14T13:49:38Z</IsoTimestamp>\n    <Hostname>VAULT</Hostname>\n    <Vendor>Cyber-Ark</Vendor>\n    <Product>Vault</Product>\n    <Version>11.7.0000</Version>\n    <MessageID>106</MessageID>\n    <Desc>Update File Category</Desc>\n    <Severity>Info</Severity>\n    <Issuer>PSMPApp_SSH</Issuer>\n    <Action>Update File Category</Action>\n    <SourceUser></SourceUser>\n    <TargetUser></TargetUser>\n    <Safe>PSMPLiveSessions</Safe>\n    <File>Root\\PSMPApp_SSH.LiveSessions</File>\n    <Station>34.71.250.247</Station>\n    <Location></Location>\n    <Category>_PSMLiveSessions_1</Category>\n    <RequestId></RequestId>\n    <Reason></Reason>\n    <ExtraDetails></ExtraDetails>\n    <Message>Update File Category</Message>\n    <GatewayStation></GatewayStation>\n  </audit_record>\n\n</syslog>","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:38","IsoTimestamp":"2021-03-14T13:49:38Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMPApp_SSH","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_SSH.LiveSessions","Station":"34.71.250.247","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}}

packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/107_delete_file_category.log

@@ -0,0 +1 @@
+<5>1 2021-03-15T10:22:24Z VAULT {"format":"elastic","version":"1.0","raw":"<syslog>\n\n  <audit_record>\n    <Rfc5424>yes</Rfc5424>\n    <Timestamp>Mar 15 03:22:24</Timestamp>\n    <IsoTimestamp>2021-03-15T10:22:24Z</IsoTimestamp>\n    <Hostname>VAULT</Hostname>\n    <Vendor>Cyber-Ark</Vendor>\n    <Product>Vault</Product>\n    <Version>11.7.0000</Version>\n    <MessageID>107</MessageID>\n    <Desc>Delete File Category</Desc>\n    <Severity>Info</Severity>\n    <Issuer>Administrator</Issuer>\n    <Action>Delete File Category</Action>\n    <SourceUser></SourceUser>\n    <TargetUser></TargetUser>\n    <Safe>partner</Safe>\n    <File>Root\\Operating System-UnixSSH-34.123.103.115-testark</File>\n    <Station>127.0.0.1</Station>\n    <Location></Location>\n    <Category>LastFailDate</Category>\n    <RequestId></RequestId>\n    <Reason>Old Value=[1615803137]</Reason>\n    <ExtraDetails></ExtraDetails>\n    <Message>Delete File Category</Message>\n    <GatewayStation>10.0.1.20</GatewayStation>\n  </audit_record>\n\n</syslog>","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:22:24","IsoTimestamp":"2021-03-15T10:22:24Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"107","Desc":"Delete File Category","Severity":"Info","Issuer":"Administrator","Action":"Delete File Category","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"127.0.0.1","Location":"","Category":"LastFailDate","RequestId":"","Reason":"Old Value=[1615803137]","ExtraDetails":"","Message":"Delete File Category","GatewayStation":"10.0.1.20"}}}

packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/124_rename_file.log

@@ -0,0 +1 @@
+<5>1 2021-03-14T13:42:20Z VAULT {"format":"elastic","version":"1.0","raw":"<syslog>\n\n  <audit_record>\n    <Rfc5424>yes</Rfc5424>\n    <Timestamp>Mar 14 06:42:20</Timestamp>\n    <IsoTimestamp>2021-03-14T13:42:20Z</IsoTimestamp>\n    <Hostname>VAULT</Hostname>\n    <Vendor>Cyber-Ark</Vendor>\n    <Product>Vault</Product>\n    <Version>11.7.0000</Version>\n    <MessageID>124</MessageID>\n    <Desc>Rename File</Desc>\n    <Severity>Info</Severity>\n    <Issuer>Administrator</Issuer>\n    <Action>Rename File</Action>\n    <SourceUser></SourceUser>\n    <TargetUser></TargetUser>\n    <Safe>PSM</Safe>\n    <File>Root\\Operating System-UnixSSH-34.123.103.115-PSMConnect</File>\n    <Station>127.0.0.1</Station>\n    <Location></Location>\n    <Category></Category>\n    <RequestId></RequestId>\n    <Reason></Reason>\n    <ExtraDetails></ExtraDetails>\n    <Message>Rename File</Message>\n    <GatewayStation>10.0.1.20</GatewayStation>\n  </audit_record>\n\n</syslog>","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:42:20","IsoTimestamp":"2021-03-14T13:42:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"124","Desc":"Rename File","Severity":"Info","Issuer":"Administrator","Action":"Rename File","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSH-34.123.103.115-PSMConnect","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Rename File","GatewayStation":"10.0.1.20"}}}

packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/125_rename_file_cont.log

@@ -0,0 +1 @@
+<5>1 2021-03-14T13:42:20Z VAULT {"format":"elastic","version":"1.0","raw":"<syslog>\n\n  <audit_record>\n    <Rfc5424>yes</Rfc5424>\n    <Timestamp>Mar 14 06:42:20</Timestamp>\n    <IsoTimestamp>2021-03-14T13:42:20Z</IsoTimestamp>\n    <Hostname>VAULT</Hostname>\n    <Vendor>Cyber-Ark</Vendor>\n    <Product>Vault</Product>\n    <Version>11.7.0000</Version>\n    <MessageID>125</MessageID>\n    <Desc>Rename File (Cont.)</Desc>\n    <Severity>Info</Severity>\n    <Issuer>Administrator</Issuer>\n    <Action>Rename File (Cont.)</Action>\n    <SourceUser></SourceUser>\n    <TargetUser></TargetUser>\n    <Safe>PSM</Safe>\n    <File>Operating System-UnixSSH-34.71.250.247-PSMConnect</File>\n    <Station>127.0.0.1</Station>\n    <Location></Location>\n    <Category></Category>\n    <RequestId></RequestId>\n    <Reason></Reason>\n    <ExtraDetails></ExtraDetails>\n    <Message>Rename File (Cont.)</Message>\n    <GatewayStation>10.0.1.20</GatewayStation>\n  </audit_record>\n\n</syslog>","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:42:20","IsoTimestamp":"2021-03-14T13:42:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"125","Desc":"Rename File (Cont.)","Severity":"Info","Issuer":"Administrator","Action":"Rename File (Cont.)","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Operating System-UnixSSH-34.71.250.247-PSMConnect","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Rename File (Cont.)","GatewayStation":"10.0.1.20"}}}

packages/cyberarkpas/_dev/deploy/docker/sample_logs/audit/126_unlock_file.log

@@ -0,0 +1 @@
+<5>1 2021-03-10T18:33:34Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:33:34","IsoTimestamp":"2021-03-10T18:33:34Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"126","Desc":"Unlock File","Severity":"Info","Issuer":"Administrator","Action":"Unlock File","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"Root\\PVConfiguration.xml","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Unlock File","GatewayStation":""}}}