System Monitoring


PAM Administration

System Monitoring and Common Administrative Tasks

© 2023 CyberArk Software Ltd. All rights reserved


Agenda
By the end of this session, you will be able to:

• Monitor the system health via various methods:
  − REST
  − Email
  − SIEM
  − SNMP
• Monitor replications and DR status
• Perform common administrative tasks related to system maintenance



System Monitoring
• Monitoring components via REST and the System Health pane
• Monitoring components via email notifications
• Monitoring components via SIEM
• Monitoring components via SNMP
• Monitoring replications and DR



Monitoring System Health via REST



System Health
The System Health page provides information on:
• The health of the Primary and DR Vaults
• Connectivity status for PVWA, CPM, PSM and PTA
• Accounts managed by CPM
• PSM concurrent sessions

You can export consolidated information about the system health using the REST API.

System Health – Components
The following information is provided for each component:
• IP Address
• Version
• Component User
• Connectivity Status:
  ⎼ Connected
  ⎼ Disconnected
• Last Log On Date:
  ⎼ The date when this component user last logged on to the Vault
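The slide says the component health information can be exported over the REST API and lists the fields it carries. The script below is an added example (not CyberArk code) of what an administrator does with that export once it is in hand: flag components whose connectivity status is Disconnected, flag connected components whose last log-on date is older than a chosen window (a component that is "connected" but has not logged on for days is worth a look), and list the distinct versions in the estate. The endpoint path, header names, JSON field names and the sample response are assumptions chosen to mirror the slide's field list; take the real ones from the PAM Self Hosted REST API documentation.

```python
"""Triage of a System Health component export pulled over REST.

Added example, not CyberArk code. The JSON shape, field names and the
endpoint path are ASSUMPTIONS modelled on the fields the slide lists
(IP Address, Version, Component User, Connectivity Status, Last Log On Date).
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Constructed sample export; not a real API response.
SAMPLE_HEALTH_JSON = json.dumps({
    "Components": [
        {"ComponentType": "PVWA", "IP": "10.0.0.11", "Version": "13.2",
         "ComponentUser": "PVWAAppUser", "ConnectivityStatus": "Connected",
         "LastLogonDate": "2023-06-01T08:00:00Z"},
        {"ComponentType": "CPM", "IP": "10.0.0.12", "Version": "13.2",
         "ComponentUser": "PasswordManager", "ConnectivityStatus": "Connected",
         "LastLogonDate": "2023-05-25T08:00:00Z"},
        {"ComponentType": "PSM", "IP": "10.0.0.13", "Version": "13.0",
         "ComponentUser": "PSMAppUser", "ConnectivityStatus": "Disconnected",
         "LastLogonDate": "2023-05-30T23:10:00Z"},
    ]
})

# "Now" for the sample run, so the result is reproducible offline.
SAMPLE_NOW = datetime(2023, 6, 1, 12, 0, tzinfo=timezone.utc)


def fetch_health_json(base_url, session_token, timeout=10):
    """Fetch the raw export from a live PVWA. The endpoint path below is a
    PLACEHOLDER; substitute the documented system-health endpoint."""
    req = urllib.request.Request(
        f"{base_url}/PasswordVault/API/<system-health-endpoint>",  # placeholder
        headers={"Authorization": session_token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_components(raw_json):
    """Return the list of component records from the export."""
    return json.loads(raw_json).get("Components", [])


def triage(components, now, max_logon_age=timedelta(hours=24)):
    """Return (finding, component) pairs: DISCONNECTED for components whose
    status is not Connected, STALE_LOGON for connected ones whose last log-on
    is older than max_logon_age."""
    findings = []
    for c in components:
        name = f"{c['ComponentType']}/{c['ComponentUser']}@{c['IP']}"
        if c.get("ConnectivityStatus") != "Connected":
            findings.append(("DISCONNECTED", name))
            continue
        last = datetime.strptime(c["LastLogonDate"], "%Y-%m-%dT%H:%M:%SZ")
        last = last.replace(tzinfo=timezone.utc)
        if now - last > max_logon_age:
            findings.append(("STALE_LOGON", name))
    return findings


def version_skew(components):
    """Distinct component versions; more than one means a mixed-version estate."""
    return sorted({c["Version"] for c in components})


def run_sample():
    """Triage the constructed sample against SAMPLE_NOW."""
    return triage(parse_components(SAMPLE_HEALTH_JSON), SAMPLE_NOW)


if __name__ == "__main__":
    for finding, component in run_sample():
        print(f"{finding:<13} {component}")
    print("versions present:", version_skew(parse_components(SAMPLE_HEALTH_JSON)))
```

Run on the sample this reports the PSM as disconnected and the CPM as connected but without a log-on for a week; the 24-hour window is an arbitrary starting point and should be tuned to how often each component user actually logs on in your environment.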



Monitoring via Email Notifications



Best Practice – Monitoring Components
• After installing the components, you can configure email notifications to be sent out if the components’ user or users become disconnected.
• This should be done for all component users you wish to monitor.
• Examples include:
  ⎼ PVWAAppUser
  ⎼ PasswordManager
  ⎼ DR
  ⎼ Backup
Enabling Component Monitoring – 1
There is an email template that you can customize by going to:
Options / Notification Settings / Notification Agent Rules
Locate the rule Component is inactive - Template ID: 206. Searching for "206" will bring you to the template, where you can edit the Body parameter.

Enabling Component Monitoring – 2
Use the PrivateArk Client to enable monitoring of a specific CyberArk component user account:
• Select the user and click Update
• In the General tab, check the box for: Send email notification if component is not connected



Enabling Component Monitoring – 3
In dbparm.ini, you will need to add the parameter:

ComponentMonitoringInterval

A value of 1 means one minute will pass between checks.



Enabling Component Monitoring – 4
The actions taken when the Vault detects that a component is disconnected are defined in the parameter:
ComponentNotificationThreshold
E.g.: CPM, Yes, 720, 1440
• CPM will be checked.
• Notifications will be sent.
• The first after 720 minutes.
• Subsequent notifications sent every 1440 minutes.



Enabling Component Monitoring – 5
• In the event of a loss of communication between the component and the Vault, there will now be an ITAlog error indicating the component’s loss of communication.
• And because we have enabled email notifications, Vault Admins will also get a notification in their in-box.



Monitor via SNMP with Remote Control Agent



Remote Control
The CyberArk Vault Remote Control feature enables users to carry out a number of remote operations on the Vault, DR Vault, and ENE components. It consists of two elements:

Remote Control Agent
• Installed as part of the Vault, both the Primary and DR
• Windows service

Remote Control Client
• A utility that runs from a command line interface.
• Executes tasks on a Vault component where the Remote Control Agent is installed.
• Does not require any other Vault components to be installed on the same computer, not even the PrivateArk Client.



Remote Monitoring
The Remote Control Agent can use SNMP to send Vault traps to a remote terminal. This enables users to receive both Operating System and Vault information:

Operating System Information
• CPU, memory, and disk usage
• Event log notifications
• Service status

Component-specific Information
• Primary and DR Vault status
• Primary and DR Vault logs

CyberArk provides two MIB files (for SNMP v1 and SNMP v2) that describe the SNMP notifications that are sent by the Vault. These files can be uploaded and integrated into the enterprise monitoring software.



Remote Monitoring – SNMP Parameters
For a complete list of parameters, refer to the CyberArk PAM Self Hosted documentation:
https://docs.cyberark.com

Remote Administration
The Remote Control Agent allows administrators to do the following from the Client:
• Retrieve logs
• Set parameters
• Restart the Vault
• Restart services
• Reboot the Vault server
• Retrieve machine statistics such as memory and processor usage



Monitor via SIEM



Vault Health Monitoring via SIEM

To increase the visibility of CyberArk’s solution, measurements can be sent from the Vault via the
syslog protocol and can be aggregated in a SIEM tool.

• The Vault can be configured to send health statistics to SIEM applications such as Splunk and
ArcSight. This is done by setting the SendMonitorMessage parameter in dbparm.ini to yes.

• Statistics include transaction queue/execution time, number of tasks, CPU usage, and more.

• You should create a baseline specific to your environment to identify system trends and
thresholds.

• Monitor statistics regularly in order to detect variations from your baseline.
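The slide's advice is to baseline the health statistics the Vault sends over syslog (SendMonitorMessage=yes in dbparm.ini) and then watch for departures from that baseline. The script below is an added example, not CyberArk, Splunk or ArcSight code, of the simplest form of that check: build a per-metric mean and standard deviation from a history of samples and flag any new sample that sits more than a few standard deviations above it. The syslog lines are constructed for the example, and their key=value layout is an assumption; the real Vault message format differs and must be mapped in your SIEM's parser before logic like this is applied.

```python
"""Baseline-and-deviation check for Vault health statistics in a SIEM.

Added example, not CyberArk/Splunk/ArcSight code. The slide names the
metrics (transaction queue/execution time, number of tasks, CPU usage);
the line format below is CONSTRUCTED and is not the Vault's real layout.
"""
import re
import statistics
from collections import defaultdict

# Constructed history: syslog header, then key=value metrics. Values are
# invented for the example.
HISTORY = [
    "<134>Jun  1 08:00:00 vault01 Vault: cpu_pct=10 queue_ms=40 exec_ms=15 tasks=120",
    "<134>Jun  1 08:05:00 vault01 Vault: cpu_pct=12 queue_ms=45 exec_ms=16 tasks=118",
    "<134>Jun  1 08:10:00 vault01 Vault: cpu_pct=11 queue_ms=38 exec_ms=14 tasks=125",
    "<134>Jun  1 08:15:00 vault01 Vault: cpu_pct=13 queue_ms=42 exec_ms=15 tasks=121",
    "<134>Jun  1 08:20:00 vault01 Vault: cpu_pct=12 queue_ms=44 exec_ms=17 tasks=119",
    "<134>Jun  1 08:25:00 vault01 Vault: cpu_pct=14 queue_ms=41 exec_ms=15 tasks=122",
]
# A sample inside the normal band and one outside it (both constructed).
NORMAL = "<134>Jun  1 08:30:00 vault01 Vault: cpu_pct=13 queue_ms=43 exec_ms=16 tasks=120"
ANOMALY = "<134>Jun  1 08:35:00 vault01 Vault: cpu_pct=45 queue_ms=900 exec_ms=16 tasks=121"

# key=value pairs with a numeric value; the syslog header carries none.
METRIC_RE = re.compile(r"(\w+)=(\d+(?:\.\d+)?)")


def parse_metrics(line):
    """Extract {metric: value} from one syslog line."""
    return {k: float(v) for k, v in METRIC_RE.findall(line)}


def build_baseline(lines):
    """Per-metric (mean, population stddev) over the history."""
    series = defaultdict(list)
    for line in lines:
        for k, v in parse_metrics(line).items():
            series[k].append(v)
    return {k: (statistics.mean(vs), statistics.pstdev(vs)) for k, vs in series.items()}


def deviations(line, baseline, sigmas=3.0, min_band=1.0):
    """(metric, value, baseline_mean) for each metric above mean + sigmas*stddev.
    min_band stops a perfectly flat history (stddev 0) from alerting on noise."""
    out = []
    for k, v in parse_metrics(line).items():
        if k not in baseline:
            continue  # metric never seen in the baseline; treat separately if needed
        mean, sd = baseline[k]
        if v > mean + max(sigmas * sd, min_band):
            out.append((k, v, round(mean, 1)))
    return out


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for label, line in (("normal", NORMAL), ("anomaly", ANOMALY)):
        print(label, "->", deviations(line, base) or "within baseline")
```

Six samples make a toy baseline; in practice you would build it from at least a full business cycle (a week or more of the Vault's replication and EVD schedule) and recompute it periodically, since load that is normal on a Monday morning can be a deviation on a Sunday night.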

Application Monitoring Sample Dashboards (Splunk)
• Shows systemic issues with specific platforms
• Additional drill-down can show trends for specific error messages
• Platforms at top of list can be prioritized to address most widespread issues first



Application Monitoring Sample Dashboards (Splunk)
• Shows overall Vault activity over time
• Can be customized by time range
• Trends can be stacked to compare current loads to historical loads
• Visualizes impact from various replication cycles and EVD jobs



Monitoring Replications



Monitoring Backup and DR Replications

It is critical to be notified ASAP when Backup and DR are not operating.
• The Vault can be configured to send email notifications when the Backup and DR users fail to connect after a specific time period.
• By default, these notifications are sent to the members of the Vault Admins group, although they can be sent to any predefined recipients.
• In addition, a relevant message will be written in ITALog.log.



Enabling Backup Monitoring
To activate the Backup Status Notification, you need to add the BackupNotificationThreshold parameter to dbparm.ini:

BackupNotificationThreshold=Yes,Yes,48,24,12

• Configures the Vault to monitor missing replication
• Sends notifications whenever a missing replication is detected according to the following timeframes
• First notification will be sent 48 hours after the missing procedure is detected
• Subsequent notifications will be sent every 24 hours after that
• The backup replication status will then be checked every 12 hours



Enabling Monitoring of DR Replications
To activate DR monitoring, you need to add the DRNotificationThreshold parameter to dbparm.ini:

DRNotificationThreshold=Yes,Yes,2,24,30m

• Configures the Vault to monitor missing DR User connections
• Sends notifications whenever a missing connection is detected according to the following timeframes
• First notification will be sent 2 hours after the missing procedure is detected
• Subsequent notifications will be sent every 24 hours after that
• The DR status will then be checked every 30 minutes
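The three comma-separated threshold parameters shown in this section (ComponentNotificationThreshold in Enabling Component Monitoring – 4, and BackupNotificationThreshold and DRNotificationThreshold above) all encode a "first notification after X, then every Y" schedule, but with different field layouts and units, which makes them easy to get wrong in dbparm.ini. The script below is an added example, not CyberArk's own parser, that reads those lines from a dbparm.ini, normalises every duration to minutes, reproduces the notification timeline each one implies, and lints for two mistakes an administrator would want caught before relying on the alerts: a ComponentNotificationThreshold with no ComponentMonitoringInterval beside it, and a feature that is monitored with notifications switched off. The field meanings are taken from the slide examples; treating an unsuffixed Backup/DR value as hours and a trailing "m" as minutes is an assumption read off those same examples, and the sample dbparm.ini fragment is constructed.

```python
"""Parse and sanity-check the dbparm.ini monitoring parameters from the slides.

Added example, not CyberArk code. Field layouts follow the slide examples:
  ComponentNotificationThreshold=<component>,<notify>,<first after (min)>,<then every (min)>
  BackupNotificationThreshold=<monitor>,<notify>,<first after>,<then every>,<check every>
  DRNotificationThreshold=<monitor>,<notify>,<first after>,<then every>,<check every>
ASSUMPTION: Backup/DR durations are hours unless suffixed "m" (minutes).
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed dbparm.ini fragment using the values from the slides.
SAMPLE_DBPARM = """\
[MAIN]
ComponentMonitoringInterval=1
ComponentNotificationThreshold=CPM, Yes, 720, 1440
BackupNotificationThreshold=Yes,Yes,48,24,12
DRNotificationThreshold=Yes,Yes,2,24,30m
"""


@dataclass(frozen=True)
class Schedule:
    name: str                     # component name or Backup/DR
    monitored: bool               # checks are performed at all
    notify: bool                  # emails are sent
    first_after_min: int          # detection -> first notification
    repeat_every_min: int         # gap between later notifications
    check_every_min: Optional[int]  # None if no check interval is configured


def _minutes(token, default_unit):
    """'48' -> 2880 (hours by default), '30m' -> 30, '720' with 'm' -> 720."""
    m = re.fullmatch(r"\s*(\d+)\s*([mh]?)\s*", token, re.IGNORECASE)
    if not m:
        raise ValueError(f"bad duration {token!r}")
    value, unit = int(m.group(1)), (m.group(2) or default_unit).lower()
    return value if unit == "m" else value * 60


def _yes(token):
    return token.strip().lower() == "yes"


def parse_dbparm(text):
    """Minimal key=value reader; ignores sections, blanks and ; or # comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("[", ";", "#")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def schedules(params):
    """Build a Schedule for each threshold parameter present."""
    out = {}
    if "ComponentNotificationThreshold" in params:
        comp, notify, first, every = [t.strip() for t in params["ComponentNotificationThreshold"].split(",")]
        interval = params.get("ComponentMonitoringInterval")
        out["ComponentNotificationThreshold"] = Schedule(
            comp, True, _yes(notify), _minutes(first, "m"), _minutes(every, "m"),
            int(interval) if interval is not None else None)
    for key in ("BackupNotificationThreshold", "DRNotificationThreshold"):
        if key in params:
            mon, notify, first, every, check = [t.strip() for t in params[key].split(",")]
            out[key] = Schedule(key.replace("NotificationThreshold", ""), _yes(mon), _yes(notify),
                                _minutes(first, "h"), _minutes(every, "h"), _minutes(check, "h"))
    return out


def notification_times(s, horizon_min):
    """Minutes after detection at which an email goes out, up to the horizon."""
    if not (s.monitored and s.notify):
        return []
    times, t = [], s.first_after_min
    while t <= horizon_min:
        times.append(t)
        t += s.repeat_every_min
    return times


def lint(params, scheds):
    """Configuration problems worth fixing before trusting the alerts."""
    issues = []
    if "ComponentNotificationThreshold" in params and "ComponentMonitoringInterval" not in params:
        issues.append("ComponentNotificationThreshold set but ComponentMonitoringInterval missing (1 = check every minute)")
    for key, s in scheds.items():
        if s.monitored and not s.notify:
            issues.append(f"{key}: monitored but notifications disabled; failures will only reach ITAlog")
        if s.check_every_min and s.check_every_min > s.first_after_min:
            issues.append(f"{key}: check interval {s.check_every_min}m exceeds first-notification delay {s.first_after_min}m")
    return issues


def analyze(text):
    """Convenience wrapper: (schedules, issues) for a dbparm.ini text."""
    params = parse_dbparm(text)
    scheds = schedules(params)
    return scheds, lint(params, scheds)


if __name__ == "__main__":
    scheds, issues = analyze(SAMPLE_DBPARM)
    for key, s in scheds.items():
        print(key, "->", notification_times(s, 3 * 1440), "min after detection")
    print("issues:", issues or "none")
```

For the slide values this prints the Backup notifications at 2880 and 4320 minutes and the DR ones at 120 and 1560 minutes within a three-day horizon, with no lint findings; delete the ComponentMonitoringInterval line and the first lint rule fires.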



Common Tasks
• Rotate CPM Logs
• Clearing Safe history
• Other common tasks



CPM Log Rotation
During daily CPM operations, the log files folder and its subfolder can grow to a huge amount of data.
• Extremely large log files can lead to disk space issues on the CPM Server and can make troubleshooting difficult
• All the CPM log files can be automatically uploaded to a Safe in the Vault on a regular basis, according to a predefined time period.

It is recommended to upload CPM logs to a Safe and then automatically purge old and obsolete log files.

LogCheckPeriod  The interval in hours after which the log files will be uploaded to the Vault
LogSafeName     The name of the safe where the log files will be saved



CPM Log Rotation – Configuration
Configure the CPM to archive logs to the Vault periodically using the LogCheckPeriod and LogSafeName parameters in CPM Settings.
Once the log Safe has been defined, an automatic process will periodically remove old log files.



Clearing Safe History

Periodically, you need to clear the Safe history.
• Only file versions and Safe history logs that have been held for longer than the time specified in the Safe Properties History window can be deleted
• To clear the Safe History, select Clear Expired History from the Tools menu in the PrivateArk Client, then Safe
• When you open a Safe via the PrivateArk Client, you will be prompted to clear expired Safe history



Recommended Tasks
WEEKLY
Check ITAlog.log once a week for a month.
• If not much noise is found, change the interval to every two weeks.
• If you don’t know what Normal looks like, it is harder to identify when something Abnormal occurs.
Use the M&R guide and search the Customer Community to understand messages.
Example of noise: the message "ITATS319W Firewall contains external rules." will appear every 15 min with the default value of MonitorFWRulesInterval in dbparm.ini.

QUARTERLY
Check license capacity to make sure you are not approaching license limits.
Check free space to make sure systems have adequate capacity.
• If space is limited, check monthly or every other month.
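The weekly ITAlog.log review above boils down to two habits: record the messages you have already explained as noise, and look hard at everything else, errors first. The script below is an added example (not CyberArk tooling) of that review done mechanically: it parses ITAlog lines, separates codes on a known-noise list from the rest, pulls out unexplained error-severity codes, and checks that a noise message is arriving at the cadence you expect (the slide's ITATS319W every 15 minutes at the default MonitorFWRulesInterval), since a known-noise message that suddenly changes frequency is itself a signal. The log lines are constructed; only the ITATS319W code and its text come from the slide, the ITAZZ… codes are placeholders, the timestamp layout is an assumption about the ITAlog format, and reading severity from the code's trailing letter (I/W/E) is likewise an assumption.

```python
"""Separate known noise from signal when reviewing ITAlog.log.

Added example, not CyberArk tooling. Lines are CONSTRUCTED: only ITATS319W
and its text come from the slide; ITAZZ... codes are placeholders. The
timestamp layout and the trailing severity letter are assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

SAMPLE_ITALOG = """\
01/06/2023 08:00:00 ITATS319W Firewall contains external rules.
01/06/2023 08:15:00 ITATS319W Firewall contains external rules.
01/06/2023 08:30:00 ITATS319W Firewall contains external rules.
01/06/2023 08:31:12 ITAZZ001I [constructed] User PasswordManager logged on.
01/06/2023 08:45:00 ITATS319W Firewall contains external rules.
01/06/2023 08:52:40 ITAZZ002E [constructed] Component CPM is not connected.
01/06/2023 09:00:00 ITATS319W Firewall contains external rules.
"""

# Messages you have already explained: code -> expected interval in minutes.
KNOWN_NOISE = {"ITATS319W": 15}

# dd/mm/yyyy hh:mm:ss <code> <text>; the code's last letter is taken as severity.
LINE_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (ITA[A-Z]{2}\d{3}([IWE])) (.*)$")


@dataclass(frozen=True)
class Entry:
    ts: datetime
    code: str
    severity: str
    text: str


def parse_italog(text):
    """Parse matching lines into Entry records; unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(datetime.strptime(m.group(1), "%d/%m/%Y %H:%M:%S"),
                                 m.group(2), m.group(3), m.group(4)))
    return entries


def review(entries, known_noise=KNOWN_NOISE):
    """Counts of noise codes, counts of everything else, and unexplained errors."""
    noise = Counter(e.code for e in entries if e.code in known_noise)
    unexplained = Counter(e.code for e in entries if e.code not in known_noise)
    errors = [e.code for e in entries if e.severity == "E" and e.code not in known_noise]
    return {"noise": dict(noise), "unexplained": dict(unexplained), "errors": errors}


def noise_cadence(entries, code, interval_min):
    """(observed, expected) occurrences of a noise code over the span it covers.
    A large gap between the two means the message's frequency has changed."""
    hits = [e.ts for e in entries if e.code == code]
    if not hits:
        return (0, 0)
    span_min = int((max(hits) - min(hits)).total_seconds() // 60)
    return (len(hits), span_min // interval_min + 1)


if __name__ == "__main__":
    entries = parse_italog(SAMPLE_ITALOG)
    print(review(entries))
    for code, interval in KNOWN_NOISE.items():
        print(code, "observed/expected:", noise_cadence(entries, code, interval))
```

Grow KNOWN_NOISE only with codes you have looked up in the M&R guide or the Customer Community; a code you silence without understanding it is exactly the "Abnormal" the slide warns you will no longer recognise.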
Recommended Tasks
QUARTERLY
• Review, manage, test directory mappings.
• Periodically (quarterly, annually) test Master account and password login procedure.
• Periodically (quarterly, annually) test DR/BC failover procedures, including password reset disk for the Vault host administrator.

ANNUALLY
• Schedule a formal CyberArk Security Services Health Check annually / periodically.



Recommended Tasks
• Use the built-in capabilities of Syslog and SIEM to monitor your environment.
• Use Remote Control Agent for monitoring via SNMP.
• Know where the logs are.
• Diagram your environment with server names, IPs, server function, and current CyberArk version.
• Make sure the archive logs setting is adequate for the amount of time traces and LC (Logic Container) logs need to be archived.
  ⎼ Ideally having 24 hours of archived traces would be preferred from a support perspective.
  ⎼ Vault traces and LC logs are located in the same archive folder.
• Make sure you provide Support with the correct log when requested.
• Have a tool like LogExpert to read logs and search logs for troubleshooting.

Check the Visio/PowerPoint Stencils here:
https://cyberark-customers.force.com/s/article/Official-Visio-and-PowerPoint-CyberArk-icons



Recommended Tasks

Make sure the CPMs are configured to auto-rotate logs.

Configure the Send Email Notification if Component is not Connected option.



Summary



Summary
In this session we covered:
• Monitoring various CyberArk components
• Common Administrative Tasks



Additional Resources
• Documentation
• CyberArk Technical Community
• Support Vault
