diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index ec900ef36f8..1d5ba3fe193 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -836,6 +836,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add `fail_on_template_error` option for httpjson input. {pull}24784[24784]
 - Change `okta.target` to `flattened` field type. {issue}24354[24354] {pull}24636[24636]
 - Added `http.request.id` to `nginx/ingress_controller` and `elasticsearch/audit`. {pull}24994[24994]
+- New module `cyberarkpas` for CyberArk Privileged Access Security audit logs. {pull}24803[24803]
 
 *Heartbeat*
 
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
index addfc1739c9..fffec3d17de 100644
--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -29,6 +29,7 @@ grouped in the following categories:
 * <>
 * <>
 * <>
+* <>
 * <>
 * <>
 * <>
@@ -34178,6 +34179,268 @@ type: keyword -- +[[exported-fields-cyberarkpas]] +== CyberArk PAS fields + +cyberarkpas fields. + + + + +[float] +=== audit + +Cyberark Privileged Access Security Audit fields. + + + +*`cyberarkpas.audit.action`*:: ++ +-- +A description of the audit record. + +type: keyword + +-- + +*`cyberarkpas.audit.ca_properties`*:: ++ +-- +Account metadata. + +type: flattened + +-- + +*`cyberarkpas.audit.category`*:: ++ +-- +The category name (for category-related operations). + +type: keyword + +-- + +*`cyberarkpas.audit.desc`*:: ++ +-- +A static value that displays a description of the audit codes. + +type: keyword + +-- + +*`cyberarkpas.audit.extra_details`*:: ++ +-- +Specific extra details of the audit records. + +type: flattened + +-- + +*`cyberarkpas.audit.file`*:: ++ +-- +The name of the target file. + +type: keyword + +-- + +*`cyberarkpas.audit.gateway_station`*:: ++ +-- +The IP of the web application machine (PVWA). + +type: ip + +-- + +*`cyberarkpas.audit.hostname`*:: ++ +-- +The hostname, in upper case. + +type: keyword + +example: MY-COMPUTER + +-- + +*`cyberarkpas.audit.iso_timestamp`*:: ++ +-- +The timestamp, in ISO Timestamp format (RFC 3339). + +type: date + +example: 2013-06-25 10:47:19+00:00 + +-- + +*`cyberarkpas.audit.issuer`*:: ++ +-- +The Vault user who wrote the audit. This is usually the user who performed the operation. + +type: keyword + +-- + +*`cyberarkpas.audit.location`*:: ++ +-- +The target Location (for Location operations). + +type: keyword + +Field is not indexed. + +-- + +*`cyberarkpas.audit.message`*:: ++ +-- +A description of the audit records (same information as in the Desc field). + +type: keyword + +-- + +*`cyberarkpas.audit.message_id`*:: ++ +-- +The code ID of the audit records. + +type: keyword + +-- + +*`cyberarkpas.audit.product`*:: ++ +-- +A static value that represents the product. + +type: keyword + +-- + +*`cyberarkpas.audit.pvwa_details`*:: ++ +-- +Specific details of the PVWA audit records. 
+ +type: flattened + +-- + +*`cyberarkpas.audit.raw`*:: ++ +-- +Raw XML for the original audit record. Only present when XSLT file has debugging enabled. + + +type: keyword + +Field is not indexed. + +-- + +*`cyberarkpas.audit.reason`*:: ++ +-- +The reason entered by the user. + +type: text + +-- + +*`cyberarkpas.audit.rfc5424`*:: ++ +-- +Whether the syslog format complies with RFC5424. + +type: boolean + +example: True + +-- + +*`cyberarkpas.audit.safe`*:: ++ +-- +The name of the target Safe. + +type: keyword + +-- + +*`cyberarkpas.audit.severity`*:: ++ +-- +The severity of the audit records. + +type: keyword + +-- + +*`cyberarkpas.audit.source_user`*:: ++ +-- +The name of the Vault user who performed the operation. + +type: keyword + +-- + +*`cyberarkpas.audit.station`*:: ++ +-- +The IP from where the operation was performed. For PVWA sessions, this will be the real client machine IP. + +type: ip + +-- + +*`cyberarkpas.audit.target_user`*:: ++ +-- +The name of the Vault user on which the operation was performed. + +type: keyword + +-- + +*`cyberarkpas.audit.timestamp`*:: ++ +-- +The timestamp, in MMM DD HH:MM:SS format. + +type: keyword + +example: Jun 25 10:47:19 + +-- + +*`cyberarkpas.audit.vendor`*:: ++ +-- +A static value that represents the vendor. + +type: keyword + +-- + +*`cyberarkpas.audit.version`*:: ++ +-- +A static value that represents the version of the Vault. + +type: keyword + +-- + [[exported-fields-cylance]] == CylanceProtect fields diff --git a/filebeat/docs/images/filebeat-cyberarkpas-overview.png b/filebeat/docs/images/filebeat-cyberarkpas-overview.png new file mode 100644 index 00000000000..768de758559 Binary files /dev/null and b/filebeat/docs/images/filebeat-cyberarkpas-overview.png differ diff --git a/filebeat/docs/modules/cyberarkpas.asciidoc b/filebeat/docs/modules/cyberarkpas.asciidoc new file mode 100644 index 00000000000..446580eb5a8 --- /dev/null +++ b/filebeat/docs/modules/cyberarkpas.asciidoc 
@@ -0,0 +1,184 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-cyberarkpas]] +[role="xpack"] + +:modulename: cyberarkpas +:has-dashboards: false + +== Cyberark PAS module + +beta[] + +This is a module for receiving CyberArk Privileged Account Security (PAS) logs over Syslog or a file. + +The {plugins}/ingest-geoip.html[ingest-geoip] Elasticsearch plugin is required to run this module. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: audit + +[float] +==== `audit` fileset settings + +The `audit` fileset receives Vault Audit logs for User and Safe activities over the syslog protocol. + +[float] +===== Vault configuration + +Follow the steps under https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm[Security Information and Event Management (SIEM) Applications] +documentation to setup the integration: + +- Copy the https://raw.githubusercontent.com/elastic/beats/{branch}/x-pack/filebeat/module/cyberarkpas/_meta/assets/elastic-json-v1.0.xsl[elastic-json-v1.0.xsl] XSL Translator file to +the `Server\Syslog` folder. + +- Sample syslog configuration for `DBPARM.ini`: + +[source,ini] +---- +[SYSLOG] +UseLegacySyslogFormat=No +SyslogTranslatorFile=Syslog\elastic-json-v1.0.xsl +SyslogServerIP= +SyslogServerPort= +SyslogServerProtocol=TCP +---- + +For proper timestamping of events, it's recommended to use the newer RFC5424 Syslog format +(`UseLegacySyslogFormat=No`). To avoid event loss, use `TCP` or `TLS` protocols instead of `UDP`. + +[float] +===== Filebeat configuration + +Edit the `cyberarkpas.yml` configuration. The following sample configuration will accept `TCP` +protocol connections from all interfaces: + +[source,yaml] +---- +- module: cyberarkpas + audit: + enabled: true + + # Set which input to use between tcp (default), udp, or file. 
+ # + var.input: tcp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9301 + + # With tcp input, set the optional tls configuration: + #var.ssl: + # enabled: true + # certificate: /path/to/cert.pem + # key: /path/to/privatekey.pem + # key_passphrase: 'password for my key' + + # Uncoment to keep the original syslog event under event.original. + # var.preserve_original_event: true + + # Set paths for the log files when file input is used. + # var.paths: +---- + +For encrypted communications, use the `TLS` protocol in the Vault's `DBPARM.ini` and use `tcp` input +with `var.ssl` settings in Filebeat: + +[source,yaml] +---- +- module: cyberarkpas + audit: + enabled: true + + # Set which input to use between tcp (default), udp, or file. + # + var.input: tcp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9301 + + # With tcp input, set the optional tls configuration: + var.ssl: + enabled: true + certificate: /path/to/cert.pem + key: /path/to/privatekey.pem + key_passphrase: 'password for my key' + + # Uncoment to keep the original syslog event under event.original. + # var.preserve_original_event: true + + # Set paths for the log files when file input is used. + # var.paths: +---- + +[float] +===== Configuration options + +include::../include/config-option-intro.asciidoc[] + +*`var.input`*:: + +The input to use. One of `tcp` (default), `udp` or `file`. + + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9301`. + +NOTE: Ports below 1024 require Filebeat to run as root. + + +*`var.ssl`*:: + +Configuration options for SSL parameters to use when acting as a server for `TLS` protocol. +See https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-server-config[SSL server configuration options.] +for a description of the available sub-options. 
+ + +*`var.preserve_original_event`*:: + +Set to `true` to store the original syslog message under the `event.original` field. +Defaults to `false`. + + +*`var.paths`*:: + +An array of glob-based paths that specify where to look for the log files. All +patterns supported by https://golang.org/pkg/path/filepath/#Glob[Go Glob] +are also supported here. For example, you can use wildcards to fetch all files +from a predefined level of subdirectories: `/path/to/log/*/*.log`. This +fetches all `.log` files from the subfolders of `/path/to/log`. It does not +fetch log files from the `/path/to/log` folder itself. + +This setting is only applicable when `file` input is configured. + + +[float] +=== Example dashboard + +This module comes with a sample dashboard: + +[role="screenshot"] +image::./images/filebeat-cyberarkpas-overview.png[] + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index aec43cb354e..3923c7f8227 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc @@ -16,6 +16,7 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> + * <> * <> * <> * <> @@ -88,6 +89,7 @@ include::modules/cisco.asciidoc[] include::modules/coredns.asciidoc[] include::modules/crowdstrike.asciidoc[] include::modules/cyberark.asciidoc[] +include::modules/cyberarkpas.asciidoc[] include::modules/cylance.asciidoc[] include::modules/elasticsearch.asciidoc[] include::modules/envoyproxy.asciidoc[] diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index fa3a81af67d..d9cc6d6cc9c 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml 
@@ -674,6 +674,32 @@ filebeat.modules: # "+02:00" for GMT+02:00 # var.tz_offset: local +#----------------------------- CyberArk PAS Module ----------------------------- +- module: cyberarkpas + audit: + enabled: true + + # Set which input to use between tcp (default), udp, or file. + # + # var.input: tcp + + # var.syslog_host: localhost + # var.syslog_port: 9301 + + # With tcp input, set the optional tls configuration: + #var.ssl: + # enabled: true + # certificate: /path/to/cert.pem + # key: /path/to/privatekey.pem + # key_passphrase: 'password for my key' + + # Uncoment to keep the original syslog event under event.original. + # var.preserve_original_event: true + + # Set paths for the log files when file input is used. + # var.paths: + + #---------------------------- CylanceProtect Module ---------------------------- - module: cylance protect: diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go index a21eb75380f..f731ee24a81 100644 --- a/x-pack/filebeat/include/list.go +++ b/x-pack/filebeat/include/list.go @@ -24,6 +24,7 @@ import ( _ "github.com/elastic/beats/v7/x-pack/filebeat/module/coredns" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/crowdstrike" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/cyberark" + _ "github.com/elastic/beats/v7/x-pack/filebeat/module/cyberarkpas" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/cylance" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/envoyproxy" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/f5" diff --git a/x-pack/filebeat/module/cyberarkpas/_meta/assets/elastic-json-v1.0.xsl b/x-pack/filebeat/module/cyberarkpas/_meta/assets/elastic-json-v1.0.xsl new file mode 100644 index 00000000000..abd4777a52e --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/_meta/assets/elastic-json-v1.0.xsl 
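Review bot: The comment `# Uncoment to keep the original syslog event under event.original.` in the new CyberArk PAS block misspells "Uncomment"; the identical line is in `x-pack/filebeat/module/cyberarkpas/_meta/config.yml`, `_meta/docs.asciidoc` and the generated `filebeat/docs/modules/cyberarkpas.asciidoc`, so it is best corrected in `_meta/config.yml` and regenerated (this reference file looks derived from it, though the hunk itself does not say so). Change it to `# Uncomment to keep the original syslog event under event.original.`. Because these are audit records from a privileged-access vault, the `var.ssl` comment would also benefit from stating the consequence of leaving it out, e.g. `# With tcp input, set the optional tls configuration (without it the audit stream is received unencrypted):`. The `key_passphrase: 'password for my key'` sample is commented out, but a note that the value can be kept in the Filebeat keystore instead of this file would steer operators away from committing it in clear text.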
@@ -0,0 +1,161 @@ + + + + + + + + + + + + + + + + {"format":" + ","version":" + " + + + ,"raw": + + + + + + + + , + + + } + + + + + + + + > + + + + + + + " + ": + + + + + + + + + + + + + + + + + + + + + + + + + + : + + + + + + + + { + + + + :[ + + ]} + + + { + + , + + } + + + , + + + + + + + + : + + + + , + + + + + + + + + + + + + + + + + + + + " + + + + + + " + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/x-pack/filebeat/module/cyberarkpas/_meta/config.yml b/x-pack/filebeat/module/cyberarkpas/_meta/config.yml new file mode 100644 index 00000000000..4ebf2db818d --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/_meta/config.yml @@ -0,0 +1,24 @@ +- module: cyberarkpas + audit: + enabled: true + + # Set which input to use between tcp (default), udp, or file. + # + # var.input: tcp + + # var.syslog_host: localhost + # var.syslog_port: 9301 + + # With tcp input, set the optional tls configuration: + #var.ssl: + # enabled: true + # certificate: /path/to/cert.pem + # key: /path/to/privatekey.pem + # key_passphrase: 'password for my key' + + # Uncoment to keep the original syslog event under event.original. + # var.preserve_original_event: true + + # Set paths for the log files when file input is used. + # var.paths: + diff --git a/x-pack/filebeat/module/cyberarkpas/_meta/docs.asciidoc b/x-pack/filebeat/module/cyberarkpas/_meta/docs.asciidoc new file mode 100644 index 00000000000..af66f19cd4e --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/_meta/docs.asciidoc 
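Review bot: The XSL translator is rendered here with its element tags stripped, so only the literal text nodes survive, and they show the syslog payload being assembled as JSON by concatenation (`{"format":"`, `","version":"`, `,"raw":`, the `":` key separators). From this view I cannot tell whether each field value passes through an escaping template before it is emitted; if it does not, a `"`, `\` or control character in a value that an operator types (the `reason` text, a file or Safe name) would yield malformed JSON, and the pipeline would most likely drop or mis-parse that audit record rather than index it. Worth confirming that every string value is escaped and recording it at the top of the stylesheet, e.g. `<!-- all string values are emitted through the <ESCAPE-TEMPLATE-NAME> template; do not inline raw values -->` with the template's real name substituted.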
@@ -0,0 +1,171 @@ +[role="xpack"] + +:modulename: cyberarkpas +:has-dashboards: false + +== Cyberark PAS module + +beta[] + +This is a module for receiving CyberArk Privileged Account Security (PAS) logs over Syslog or a file. + +The {plugins}/ingest-geoip.html[ingest-geoip] Elasticsearch plugin is required to run this module. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: audit + +[float] +==== `audit` fileset settings + +The `audit` fileset receives Vault Audit logs for User and Safe activities over the syslog protocol. + +[float] +===== Vault configuration + +Follow the steps under https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm[Security Information and Event Management (SIEM) Applications] +documentation to setup the integration: + +- Copy the https://raw.githubusercontent.com/elastic/beats/{branch}/x-pack/filebeat/module/cyberarkpas/_meta/assets/elastic-json-v1.0.xsl[elastic-json-v1.0.xsl] XSL Translator file to +the `Server\Syslog` folder. + +- Sample syslog configuration for `DBPARM.ini`: + +[source,ini] +---- +[SYSLOG] +UseLegacySyslogFormat=No +SyslogTranslatorFile=Syslog\elastic-json-v1.0.xsl +SyslogServerIP= +SyslogServerPort= +SyslogServerProtocol=TCP +---- + +For proper timestamping of events, it's recommended to use the newer RFC5424 Syslog format +(`UseLegacySyslogFormat=No`). To avoid event loss, use `TCP` or `TLS` protocols instead of `UDP`. + +[float] +===== Filebeat configuration + +Edit the `cyberarkpas.yml` configuration. The following sample configuration will accept `TCP` +protocol connections from all interfaces: + +[source,yaml] +---- +- module: cyberarkpas + audit: + enabled: true + + # Set which input to use between tcp (default), udp, or file. 
+ # + var.input: tcp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9301 + + # With tcp input, set the optional tls configuration: + #var.ssl: + # enabled: true + # certificate: /path/to/cert.pem + # key: /path/to/privatekey.pem + # key_passphrase: 'password for my key' + + # Uncoment to keep the original syslog event under event.original. + # var.preserve_original_event: true + + # Set paths for the log files when file input is used. + # var.paths: +---- + +For encrypted communications, use the `TLS` protocol in the Vault's `DBPARM.ini` and use `tcp` input +with `var.ssl` settings in Filebeat: + +[source,yaml] +---- +- module: cyberarkpas + audit: + enabled: true + + # Set which input to use between tcp (default), udp, or file. + # + var.input: tcp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9301 + + # With tcp input, set the optional tls configuration: + var.ssl: + enabled: true + certificate: /path/to/cert.pem + key: /path/to/privatekey.pem + key_passphrase: 'password for my key' + + # Uncoment to keep the original syslog event under event.original. + # var.preserve_original_event: true + + # Set paths for the log files when file input is used. + # var.paths: +---- + +[float] +===== Configuration options + +include::../include/config-option-intro.asciidoc[] + +*`var.input`*:: + +The input to use. One of `tcp` (default), `udp` or `file`. + + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9301`. + +NOTE: Ports below 1024 require Filebeat to run as root. + + +*`var.ssl`*:: + +Configuration options for SSL parameters to use when acting as a server for `TLS` protocol. +See https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-server-config[SSL server configuration options.] +for a description of the available sub-options. 
+ + +*`var.preserve_original_event`*:: + +Set to `true` to store the original syslog message under the `event.original` field. +Defaults to `false`. + + +*`var.paths`*:: + +An array of glob-based paths that specify where to look for the log files. All +patterns supported by https://golang.org/pkg/path/filepath/#Glob[Go Glob] +are also supported here. For example, you can use wildcards to fetch all files +from a predefined level of subdirectories: `/path/to/log/*/*.log`. This +fetches all `.log` files from the subfolders of `/path/to/log`. It does not +fetch log files from the `/path/to/log` folder itself. + +This setting is only applicable when `file` input is configured. + + +[float] +=== Example dashboard + +This module comes with a sample dashboard: + +[role="screenshot"] +image::./images/filebeat-cyberarkpas-overview.png[] + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + diff --git a/x-pack/filebeat/module/cyberarkpas/_meta/fields.yml b/x-pack/filebeat/module/cyberarkpas/_meta/fields.yml new file mode 100644 index 00000000000..8ac73cb4913 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/_meta/fields.yml @@ -0,0 +1,10 @@ +- key: cyberarkpas + title: CyberArk PAS + description: > + cyberarkpas fields. + fields: + - name: cyberarkpas + type: group + default_field: false + fields: + diff --git a/x-pack/filebeat/module/cyberarkpas/_meta/kibana/7/dashboard/Filebeat-cyberarkpas-audit.json b/x-pack/filebeat/module/cyberarkpas/_meta/kibana/7/dashboard/Filebeat-cyberarkpas-audit.json new file mode 100644 index 00000000000..bac1c083f52 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/_meta/kibana/7/dashboard/Filebeat-cyberarkpas-audit.json 
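Review bot: `description: cyberarkpas fields.` in the new `_meta/fields.yml` is what becomes the section intro under "CyberArk PAS fields" in the generated `filebeat/docs/fields.asciidoc`, so it reads as a placeholder; `description: > CyberArk Privileged Access Security (PAS) audit log fields.` would tell readers what the group holds. The `fields:` list under the `cyberarkpas` group is empty; I assume the `audit` fileset's own fields file is merged in at build time, since the generated docs list thirty `cyberarkpas.audit.*` entries, but that file is not in this view. A one-line comment after `fields:` saying where the fileset fields come from would save the next maintainer the same question.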
@@ -0,0 +1,1574 @@ +{ + "objects": [ + { + "attributes": { + "description": "Dashboard for CyberArk Privileged Access Security events.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "cyberarkpas.audit" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "cyberarkpas.audit" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "controls": [ + { + "fieldName": "observer.hostname", + "id": "1617726994032", + "indexPattern": "filebeat-*", + "indexPatternRefName": "control_0_index_pattern", + "label": " By Vault host", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "", + "type": "list" + }, + { + "fieldName": "event.code", + "id": "1617811797137", + "indexPattern": "filebeat-*", + "indexPatternRefName": "control_1_index_pattern", + "label": "By event code", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "", + "type": "list" + } + ], + "pinFilters": false, + "updateFiltersOnChange": true, + "useTimeFilter": false + }, + "title": "", + "type": "input_control_vis", + "uiState": {} + } + }, + "gridData": { + "h": 9, + "i": "1007fa0d-a6a1-4682-a346-a90acc179da5", + "w": 10, + "x": 0, + "y": 0 + }, + "panelIndex": 
"1007fa0d-a6a1-4682-a346-a90acc179da5", + "title": "Filters", + "type": "visualization", + "version": "7.12.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "default_index_pattern": "filebeat-*", + "default_timefield": "@timestamp", + "filter": { + "language": "kuery", + "query": "event.dataset:\"cyberarkpas.audit\" " + }, + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "", + "interval": "", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "bar", + "color": "#68BC00", + "fill": 0.5, + "formatter": "number", + "hide_in_legend": 0, + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "", + "line_width": 1, + "metrics": [ + { + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "count" + } + ], + "override_index_pattern": 0, + "palette": { + "name": "rainbow", + "params": { + "colors": [ + "#68BC00", + "#009CE0", + "#B0BC00", + "#16A5A5", + "#D33115", + "#E27300", + "#FCC400", + "#7B64FF", + "#FA28FF", + "#333333", + "#808080", + "#194D33", + "#0062B1", + "#808900", + "#0C797D", + "#9F0500", + "#C45100", + "#FB9E00", + "#653294", + "#AB149E", + "#0F1419", + "#666666" + ], + "gradient": false + }, + "type": "palette" + }, + "point_size": 1, + "separate_axis": 0, + "split_color_mode": null, + "split_mode": "terms", + "stacked": "stacked", + "terms_field": "cyberarkpas.audit.desc", + "type": "timeseries" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "type": "timeseries", + "use_kibana_indexes": true + }, + "title": "", + "type": "metrics", + "uiState": {} + } + }, + "gridData": { + "h": 13, + "i": 
"f2dc3750-9b7c-4b0e-a45d-3d3b08f74f3e", + "w": 38, + "x": 10, + "y": 0 + }, + "panelIndex": "f2dc3750-9b7c-4b0e-a45d-3d3b08f74f3e", + "title": "event types by time", + "type": "visualization", + "version": "7.12.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-33bc0096-e418-4f81-9c7c-7fdd16cc5203", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "33bc0096-e418-4f81-9c7c-7fdd16cc5203": { + "columnOrder": [ + "eedd5aa8-a7c4-466a-b10b-3a8cba3bac12" + ], + "columns": { + "eedd5aa8-a7c4-466a-b10b-3a8cba3bac12": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": " ", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "eedd5aa8-a7c4-466a-b10b-3a8cba3bac12", + "layerId": "33bc0096-e418-4f81-9c7c-7fdd16cc5203" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 4, + "i": "af9e9f0b-a40c-411e-b441-2a779983ed24", + "w": 10, + "x": 0, + "y": 9 + }, + "panelIndex": "af9e9f0b-a40c-411e-b441-2a779983ed24", + "title": "Count of events", + "type": "lens", + "version": "7.12.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-de047c06-a965-47aa-8a15-8b0266d5abc3", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "de047c06-a965-47aa-8a15-8b0266d5abc3": 
{ + "columnOrder": [ + "b916e5f5-a64a-49f1-b37a-ee1825fc61a4", + "3effd03e-0ed9-4e2d-ba8e-d77ae505092e" + ], + "columns": { + "3effd03e-0ed9-4e2d-ba8e-d77ae505092e": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "b916e5f5-a64a-49f1-b37a-ee1825fc61a4": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of event.outcome", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "3effd03e-0ed9-4e2d-ba8e-d77ae505092e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "event.outcome" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "b916e5f5-a64a-49f1-b37a-ee1825fc61a4" + ], + "layerId": "de047c06-a965-47aa-8a15-8b0266d5abc3", + "legendDisplay": "default", + "metric": "3effd03e-0ed9-4e2d-ba8e-d77ae505092e", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 13, + "i": "7031905a-92ab-4e0e-aa58-72f1c07ff409", + "w": 10, + "x": 0, + "y": 13 + }, + "panelIndex": "7031905a-92ab-4e0e-aa58-72f1c07ff409", + "title": "Breakdown by outcome", + "type": "lens", + "version": "7.12.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-19858811-84d1-4f50-901c-dc1451972324", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-0", + "type": "index-pattern" + 
}, + { + "id": "filebeat-*", + "name": "filter-index-pattern-1", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "19858811-84d1-4f50-901c-dc1451972324": { + "columnOrder": [ + "81dcff19-b14a-4e4b-999e-dbbcbdfdf816", + "e3526253-18e0-4122-b112-ee5b4b9e23d7" + ], + "columns": { + "81dcff19-b14a-4e4b-999e-dbbcbdfdf816": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of destination.user.name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "type": "alphabetical" + }, + "orderDirection": "asc", + "otherBucket": true, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "destination.user.name" + }, + "e3526253-18e0-4122-b112-ee5b4b9e23d7": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-0", + "key": "event.dataset", + "negate": false, + "params": { + "query": "cyberarkpas.audit" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "cyberarkpas.audit" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-1", + "key": "event.code", + "negate": false, + "params": [ + "308", + "22", + "319", + "295" + ], + "type": "phrases" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "308" + } + }, + { + "match_phrase": { + "event.code": "22" + } + }, + { + "match_phrase": { + "event.code": "319" + } + }, + { + "match_phrase": { + "event.code": "295" + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + 
"categoryDisplay": "default", + "groups": [ + "81dcff19-b14a-4e4b-999e-dbbcbdfdf816", + "81dcff19-b14a-4e4b-999e-dbbcbdfdf816", + "81dcff19-b14a-4e4b-999e-dbbcbdfdf816", + "81dcff19-b14a-4e4b-999e-dbbcbdfdf816", + "81dcff19-b14a-4e4b-999e-dbbcbdfdf816", + "81dcff19-b14a-4e4b-999e-dbbcbdfdf816" + ], + "layerId": "19858811-84d1-4f50-901c-dc1451972324", + "legendDisplay": "default", + "metric": "e3526253-18e0-4122-b112-ee5b4b9e23d7", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 13, + "i": "a24b9c0c-da95-4016-9fe5-2c0d34005832", + "w": 11, + "x": 10, + "y": 13 + }, + "panelIndex": "a24b9c0c-da95-4016-9fe5-2c0d34005832", + "title": "Top 10 user credentials accessed", + "type": "lens", + "version": "7.12.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-50325938-6a9e-4a26-946e-4468e68c6591", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-1", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "50325938-6a9e-4a26-946e-4468e68c6591": { + "columnOrder": [ + "8a965540-daa1-4848-80bb-96ddf53a328f", + "c05a39ad-2983-4f4a-900d-a939ecbda504", + "a808a872-71b5-4a76-a939-354f68991881" + ], + "columns": { + "8a965540-daa1-4848-80bb-96ddf53a328f": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of event.outcome", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "a808a872-71b5-4a76-a939-354f68991881", + "type": "column" + }, + 
"orderDirection": "desc", + "otherBucket": true, + "size": 2 + }, + "scale": "ordinal", + "sourceField": "event.outcome" + }, + "a808a872-71b5-4a76-a939-354f68991881": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Credentials accessed", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "c05a39ad-2983-4f4a-900d-a939ecbda504": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-0", + "key": "event.dataset", + "negate": false, + "params": { + "query": "cyberarkpas.audit" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "cyberarkpas.audit" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-1", + "key": "event.code", + "negate": false, + "params": [ + "308", + "22", + "319", + "295", + "38" + ], + "type": "phrases" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "308" + } + }, + { + "match_phrase": { + "event.code": "22" + } + }, + { + "match_phrase": { + "event.code": "319" + } + }, + { + "match_phrase": { + "event.code": "295" + } + }, + { + "match_phrase": { + "event.code": "38" + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "a808a872-71b5-4a76-a939-354f68991881" + ], + 
"layerId": "50325938-6a9e-4a26-946e-4468e68c6591", + "position": "top", + "seriesType": "area_stacked", + "showGridlines": false, + "splitAccessor": "8a965540-daa1-4848-80bb-96ddf53a328f", + "xAccessor": "c05a39ad-2983-4f4a-900d-a939ecbda504" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "area_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 13, + "i": "1dc68cc6-e1b3-43ea-9b0e-f423d194b99a", + "w": 27, + "x": 21, + "y": 13 + }, + "panelIndex": "1dc68cc6-e1b3-43ea-9b0e-f423d194b99a", + "title": "Credential access by time", + "type": "lens", + "version": "7.12.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-105faf70-8330-46b3-a82a-573a383068fa", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-0", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "105faf70-8330-46b3-a82a-573a383068fa": { + "columnOrder": [ + "c51d6847-2fcc-4d13-a44f-49786cb979ed", + "d73b823b-ae68-4e73-bbe2-90a35bc825e7", + "c0147524-accc-4dee-a4fc-44199e3459f1" + ], + "columns": { + "c0147524-accc-4dee-a4fc-44199e3459f1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Authentications", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "c51d6847-2fcc-4d13-a44f-49786cb979ed": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Users", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": 
"c0147524-accc-4dee-a4fc-44199e3459f1", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 8 + }, + "scale": "ordinal", + "sourceField": "user.name" + }, + "d73b823b-ae68-4e73-bbe2-90a35bc825e7": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of event.outcome", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "type": "alphabetical" + }, + "orderDirection": "desc", + "otherBucket": true, + "size": 2 + }, + "scale": "ordinal", + "sourceField": "event.outcome" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-0", + "key": "event.category", + "negate": false, + "params": [ + "authentication" + ], + "type": "phrases" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.category": "authentication" + } + } + ] + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "c0147524-accc-4dee-a4fc-44199e3459f1" + ], + "layerId": "105faf70-8330-46b3-a82a-573a383068fa", + "palette": { + "name": "status", + "type": "palette" + }, + "position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "splitAccessor": "d73b823b-ae68-4e73-bbe2-90a35bc825e7", + "xAccessor": "c51d6847-2fcc-4d13-a44f-49786cb979ed" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "showSingleSeries": false + }, + "preferredSeriesType": "bar_horizontal_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + 
"type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 23, + "i": "c56b3e4d-bfb6-4b06-a62b-282753b85f7a", + "w": 15, + "x": 0, + "y": 26 + }, + "panelIndex": "c56b3e4d-bfb6-4b06-a62b-282753b85f7a", + "title": "Vault Authentication attempts", + "type": "lens", + "version": "7.12.0" + }, + { + "embeddableConfig": { + "attributes": { + "description": "", + "layerListJSON": "[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"id\":null,\"isAutoSelect\":true},\"id\":\"a3734143-d6e1-4551-b0b1-8282a37e151b\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{\"type\":\"TILE\"},\"type\":\"VECTOR_TILE\"},{\"label\":\"filebeat-* | Source Point\",\"sourceDescriptor\":{\"indexPatternId\":\"filebeat-*\",\"geoField\":\"source.geo.location\",\"scalingType\":\"TOP_HITS\",\"topHitsSplitField\":\"source.ip\",\"tooltipProperties\":[\"host.name\",\"source.ip\",\"source.domain\",\"source.geo.country_iso_code\",\"source.as.organization.name\"],\"id\":\"5f2b25a1-01ea-45ca-a4a2-f1a670c3b149\",\"type\":\"ES_SEARCH\",\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"filterByMapBounds\":true,\"sortField\":\"\",\"sortOrder\":\"desc\",\"topHitsSize\":22},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"home\"}},\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#6092C0\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":2}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":8}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"STATIC\",\"options\":{\"value\":\"\"}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"opt
ions\":{\"value\":\"icon\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}}},\"isTimeAware\":true},\"id\":\"2ad8e318-4ef4-4e89-94f2-f37e395c488c\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\",\"joins\":[]},{\"label\":\"filebeat-* | Destination point\",\"sourceDescriptor\":{\"indexPatternId\":\"filebeat-*\",\"geoField\":\"destination.geo.location\",\"scalingType\":\"TOP_HITS\",\"topHitsSplitField\":\"destination.ip\",\"tooltipProperties\":[\"host.name\",\"destination.ip\",\"destination.domain\",\"destination.geo.country_iso_code\",\"destination.as.organization.name\"],\"id\":\"bc95f479-964f-4498-be1e-376d34a01b0a\",\"type\":\"ES_SEARCH\",\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"filterByMapBounds\":true,\"sortField\":\"\",\"sortOrder\":\"desc\",\"topHitsSize\":35},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}},\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#D36086\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":2}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":8}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"STATIC\",\"options\":{\"value\":\"\"}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"icon\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}}},\"isTimeAware\":true},\"id\":\"dbb878c8-4039-49f1-b2ff-ab7fb942ba55\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\",\"joins\":[]},{\"label\":\"filebeat-* | 
Line\",\"sourceDescriptor\":{\"indexPatternId\":\"filebeat-*\",\"sourceGeoField\":\"source.geo.location\",\"destGeoField\":\"destination.geo.location\",\"metrics\":[{\"type\":\"count\"},{\"type\":\"sum\",\"field\":\"destination.bytes\"}],\"id\":\"faf6884d-b7cb-41dd-ab86-95970d7c59d2\",\"type\":\"ES_PEW_PEW\",\"applyGlobalQuery\":true,\"applyGlobalTime\":true},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}},\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#54B399\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#6092C0\"}},\"lineWidth\":{\"type\":\"DYNAMIC\",\"options\":{\"minSize\":1,\"maxSize\":8,\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":true,\"sigma\":3}}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":6}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"STATIC\",\"options\":{\"value\":\"\"}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}}},\"isTimeAware\":true},\"id\":\"9c450fbf-b009-4b53-9810-2f47ca8dcfa8\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\",\"joins\":[]}]", + "mapStateJSON": 
"{\"zoom\":1.24,\"center\":{\"lon\":-49.38072,\"lat\":7.87497},\"timeFilters\":{\"from\":\"now-15w\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":true,\"interval\":0},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"disableInteractive\":false,\"disableTooltipControl\":false,\"hideToolbarOverlay\":false,\"hideLayerControl\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"browserLocation\":{\"zoom\":2},\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"}}", + "title": "", + "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" + }, + "enhancements": {}, + "hiddenLayers": [], + "hidePanelTitles": false, + "isLayerTOCOpen": false, + "mapBuffer": { + "maxLat": 148.88690000000003, + "maxLon": 438.09868, + "minLat": -116.68142, + "minLon": -417.60444 + }, + "mapCenter": { + "lat": 43.83453, + "lon": 10.24712, + "zoom": 1 + }, + "openTOCDetails": [] + }, + "gridData": { + "h": 23, + "i": "cd1e20e7-706f-4d02-949c-d9f5908bad67", + "w": 33, + "x": 15, + "y": 26 + }, + "panelIndex": "cd1e20e7-706f-4d02-949c-d9f5908bad67", + "title": "Network sources and destinations", + "type": "map", + "version": "7.12.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-028c5c1e-79f9-4999-8438-4889ac2b714c", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-1", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + 
"indexpattern": { + "layers": { + "028c5c1e-79f9-4999-8438-4889ac2b714c": { + "columnOrder": [ + "e55346c7-87bc-49f4-9215-8a36931d05f4", + "f2cd86e2-fb91-48b2-b8dd-e98395d28e00" + ], + "columns": { + "e55346c7-87bc-49f4-9215-8a36931d05f4": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Users", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "f2cd86e2-fb91-48b2-b8dd-e98395d28e00", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "user.name" + }, + "f2cd86e2-fb91-48b2-b8dd-e98395d28e00": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Failed authentications", + "operationType": "count", + "params": {}, + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-0", + "key": "event.category", + "negate": false, + "params": { + "query": "authentication" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.category": "authentication" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "filter-index-pattern-1", + "key": "event.outcome", + "negate": false, + "params": { + "query": "failure" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.outcome": "failure" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "f2cd86e2-fb91-48b2-b8dd-e98395d28e00" + ], + "layerId": 
"028c5c1e-79f9-4999-8438-4889ac2b714c", + "position": "top", + "seriesType": "bar_horizontal", + "showGridlines": false, + "xAccessor": "e55346c7-87bc-49f4-9215-8a36931d05f4", + "yConfig": [ + { + "color": "#d36086", + "forAccessor": "f2cd86e2-fb91-48b2-b8dd-e98395d28e00" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_horizontal", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "c6305b30-a7e2-4cc3-b49b-db99031f150e", + "w": 15, + "x": 0, + "y": 49 + }, + "panelIndex": "c6305b30-a7e2-4cc3-b49b-db99031f150e", + "title": "Top users by failed authentications to Vault", + "type": "lens", + "version": "7.12.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "96a2c711-40a3-4dfc-87f5-4b193078e05a", + "w": 33, + "x": 15, + "y": 49 + }, + "panelIndex": "96a2c711-40a3-4dfc-87f5-4b193078e05a", + "panelRefName": "panel_9", + "title": "Credential Access", + "version": "7.12.0" + }, + { + "embeddableConfig": { + "columns": [ + "observer.hostname", + "cyberarkpas.audit.action", + "cyberarkpas.audit.issuer", + "cyberarkpas.audit.safe", + "file.path" + ], + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 18, + "i": "6cd62115-65e7-416f-8da7-96b0d7a9d932", + "w": 48, + "x": 0, + "y": 64 + }, + "panelIndex": "6cd62115-65e7-416f-8da7-96b0d7a9d932", + "panelRefName": "panel_10", + "title": "All logs", + "version": "7.12.0" + } + ], + "timeRestore": false, + "title": "[Filebeat CyberArk PAS] Overview", + "version": 1 + }, + "coreMigrationVersion": "7.12.0", + "id": "eb12ef60-96f6-11eb-bbf8-d77aef8ad7a6", + "migrationVersion": { + "dashboard": "7.11.0" + }, + "namespaces": [ + "default" + ], + 
"references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "control_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "control_1_index_pattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-33bc0096-e418-4f81-9c7c-7fdd16cc5203", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-de047c06-a965-47aa-8a15-8b0266d5abc3", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-19858811-84d1-4f50-901c-dc1451972324", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-1", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-50325938-6a9e-4a26-946e-4468e68c6591", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-1", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-105faf70-8330-46b3-a82a-573a383068fa", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + 
"name": "filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "layer_1_source_index_pattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "layer_2_source_index_pattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "layer_3_source_index_pattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "indexpattern-datasource-layer-028c5c1e-79f9-4999-8438-4889ac2b714c", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-0", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "filter-index-pattern-1", + "type": "index-pattern" + }, + { + "id": "a9b82df0-97a5-11eb-bbf8-d77aef8ad7a6", + "name": "panel_9", + "type": "search" + }, + { + "id": "fec0d170-96f7-11eb-bbf8-d77aef8ad7a6", + "name": "panel_10", + "type": "search" + } + ], + "type": "dashboard", + "updated_at": "2021-04-13T17:04:21.111Z", + "version": "WzM0ODYsM10=" + }, + { + "attributes": { + "columns": [ + "event.action", + "event.outcome", + "source.address", + "source.user.name", + "destination.address", + "destination.user.name", + "event.reason" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "cyberarkpas.audit" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "cyberarkpas.audit" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.code", + "negate": false, + "params": 
[ + "308", + "319", + "295", + "22", + "38", + "300", + "302" + ], + "type": "phrases", + "value": "308, 319, 295, 22, 38, 300, 302" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.code": "308" + } + }, + { + "match_phrase": { + "event.code": "319" + } + }, + { + "match_phrase": { + "event.code": "295" + } + }, + { + "match_phrase": { + "event.code": "22" + } + }, + { + "match_phrase": { + "event.code": "38" + } + }, + { + "match_phrase": { + "event.code": "300" + } + }, + { + "match_phrase": { + "event.code": "302" + } + } + ] + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Credential Access logs [Filebeat CyberArk PAS] ECS", + "version": 1 + }, + "coreMigrationVersion": "7.12.0", + "id": "a9b82df0-97a5-11eb-bbf8-d77aef8ad7a6", + "migrationVersion": { + "search": "7.9.3" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2021-04-13T13:24:02.327Z", + "version": "WzI4NzgsM10=" + }, + { + "attributes": { + "columns": [], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset:\"cyberarkpas.audit\" " + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "All logs [Filebeat CyberArk PAS] ECS", + "version": 1 + }, + "coreMigrationVersion": "7.12.0", 
+ "id": "fec0d170-96f7-11eb-bbf8-d77aef8ad7a6",
+ "migrationVersion": {
+ "search": "7.9.3"
+ },
+ "namespaces": [
+ "default"
+ ],
+ "references": [
+ {
+ "id": "filebeat-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search",
+ "updated_at": "2021-04-13T13:24:02.327Z",
+ "version": "WzI4NzksM10="
+ }
+ ],
+ "version": "7.12.0"
+}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/_meta/fields.yml b/x-pack/filebeat/module/cyberarkpas/audit/_meta/fields.yml
new file mode 100644
index 00000000000..9dcb53669fd
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/_meta/fields.yml
@@ -0,0 +1,97 @@
+- name: audit
+ default_field: false
+ type: group
+ description: >
+ Cyberark Privileged Access Security Audit fields.
+ fields:
+ - name: action
+ type: keyword
+ description: A description of the audit record.
+ - name: ca_properties
+ type: flattened
+ description: Account metadata.
+ - name: category
+ type: keyword
+ description: The category name (for category-related operations).
+ - name: desc
+ type: keyword
+ description: A static value that displays a description of the audit codes.
+ - name: extra_details
+ type: flattened
+ description: Specific extra details of the audit records.
+ - name: file
+ type: keyword
+ description: The name of the target file.
+ - name: gateway_station
+ type: ip
+ description: The IP of the web application machine (PVWA).
+ - name: hostname
+ type: keyword
+ description: The hostname, in upper case.
+ example: MY-COMPUTER
+ - name: iso_timestamp
+ type: date
+ description: The timestamp, in ISO Timestamp format (RFC 3339).
+ example: 2013-6-25T10:47:19Z
+ - name: issuer
+ type: keyword
+ description: The Vault user who wrote the audit. This is usually the user who performed the operation.
+ - name: location
+ type: keyword
+ description: The target Location (for Location operations).
+ ignore_above: 4096
+ doc_values: false
+ index: false
+ - name: message
+ type: keyword
+ description: A description of the audit records (same information as in the Desc field).
+ - name: message_id
+ type: keyword
+ description: The code ID of the audit records.
+ - name: product
+ type: keyword
+ description: A static value that represents the product.
+ - name: pvwa_details
+ type: flattened
+ description: Specific details of the PVWA audit records.
+ - name: raw
+ type: keyword
+ description: >
+ Raw XML for the original audit record.
+ Only present when XSLT file has debugging enabled.
+ ignore_above: 4096
+ doc_values: false
+ index: false
+ - name: reason
+ type: text
+ description: The reason entered by the user.
+ norms: false
+ - name: rfc5424
+ type: boolean
+ description: Whether the syslog format complies with RFC5424.
+ example: yes
+ - name: safe
+ type: keyword
+ description: The name of the target Safe.
+ - name: severity
+ type: keyword
+ description: The severity of the audit records.
+ - name: source_user
+ type: keyword
+ description: The name of the Vault user who performed the operation.
+ - name: station
+ type: ip
+ description: The IP from where the operation was performed. For PVWA sessions, this will be the real client machine IP.
+ - name: target_user
+ type: keyword
+ description: The name of the Vault user on which the operation was performed.
+ - name: timestamp
+ type: keyword
+ description: The timestamp, in MMM DD HH:MM:SS format.
+ example: Jun 25 10:47:19
+ - name: vendor
+ type: keyword
+ description: A static value that represents the vendor.
+ - name: version
+ type: keyword
+ description: A static value that represents the version of the Vault.
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/config/input.yml b/x-pack/filebeat/module/cyberarkpas/audit/config/input.yml
new file mode 100644
index 00000000000..0cc1c5003c1
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/config/input.yml
@@ -0,0 +1,32 @@
+{{ if eq .input "file" }}
+
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+- {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
+
+{{ else }}
+
+type: {{.input}}
+host: "{{.syslog_host}}:{{.syslog_port}}"
+ssl: {{ .ssl | tojson }}
+
+{{ end }}
+
+tags:
+{{ if .preserve_original_event }}
+ - preserve_original_event
+{{ end }}
+{{ range $i, $tag := .tags }}
+ - {{$tag}}
+{{ end }}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+processors:
+ - add_locale: ~
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.8.0
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/ingest/pipeline.yml b/x-pack/filebeat/module/cyberarkpas/audit/ingest/pipeline.yml
new file mode 100644
index 00000000000..2a27502a365
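Review bot: The `iso_timestamp` example `2013-6-25T10:47:19Z` is not valid RFC 3339, because the month must be zero-padded to two digits, so it contradicts the description directly above it and is copied verbatim into the generated field reference; `example: 2013-06-25T10:47:19Z` matches the stated format. The `rfc5424` example `yes` is a bare scalar that YAML 1.1 parsers read as the boolean true, so quoting it (`example: "yes"`) or writing `true` makes the intended rendering explicit. The description of `raw` could also state that the retained XML is stored with the event even though it is not indexed, since it may carry the same account and target details as the parsed fields, which matters to operators deciding whether to leave XSLT debugging enabled.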
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/ingest/pipeline.yml
@@ -0,0 +1,1114 @@
+---
+description: Pipeline for CyberArk PAS
+
+processors:
+ #
+ # Set ECS event.ingested
+ #
+ - set:
+ field: event.ingested
+ value: '{{{_ingest.timestamp}}}'
+
+ #
+ # Set event.original from message, unless reindexing.
+ #
+ - rename:
+ field: message
+ target_field: event.original
+ if: 'ctx.event?.original == null'
+
+ #
+ # Parse syslog headers (if any) and extract JSON payload.
+ #
+ - grok:
+ field: event.original
+ patterns:
+ # RFC5424 from Cyberark.
+ # UseLegacySyslogFormat=No
+ # <5>1 2021-03-04T17:28:23Z VAULT {"format":"elastic","version":"1.0",...}
+ - "^<%{NONNEGINT:log.syslog.priority}>%{NONNEGINT} %{TIMESTAMP_ISO8601:_tmp.syslog_ts} %{SYSLOGHOST:_tmp.hostname} %{JSON_PAYLOAD:_tmp.payload}"
+
+ # Legacy format.
+ # UseLegacySyslogFormat=Yes
+ # Mar 08 02:57:42 VAULT {"format":"elastic","version":"1.0",...}
+ - "^%{SYSLOGTIMESTAMP:_tmp.syslog_ts} %{SYSLOGHOST:_tmp.hostname} %{JSON_PAYLOAD:_tmp.payload}"
+
+ # Catch-all mode, just JSON payload.
+ - "%{JSON_PAYLOAD:_tmp.payload}"
+ pattern_definitions:
+ JSON_PAYLOAD: '{"format":"elastic","version":"1.0",.*}'
+ on_failure:
+ - fail:
+ message: "unexpected event format: {{{_ingest.on_failure_message}}}"
+
+ - json:
+ field: _tmp.payload
+ target_field: _tmp.json
+ on_failure:
+ - fail:
+ message: "malformed JSON event: {{{_ingest.on_failure_message}}}"
+
+ - rename:
+ field: _tmp.json.syslog.audit_record
+ target_field: cyberarkpas.audit
+ on_failure:
+ - fail:
+ message: "unexpected event structure: {{{_ingest.on_failure_message}}}"
+
+
+ #
+ # Remove all empty fields
+ #
+ - script:
+ lang: painless
+ description: 'Removes empty audit fields'
+ source: >-
+ ctx.cyberarkpas.audit.entrySet().removeIf(entry -> entry.getValue() == "");
+
+ - rename:
+ field: _tmp.json.raw
+ target_field: cyberarkpas.audit.raw
+ ignore_missing: true
+
+ # The following processors populate @timestamp from the different sources that can exist in an event.
+ # In the following order of precedence:
+ # - IsoTimestamp field (expected ISO8601). Present when new syslog format is used (rfc5424: yes).
+ # - Timestamp (expected MMM dd HH:mm:ss). Also present only when new syslog format is used.
+ # - Syslog header timestamp. Either ISO8601 or legacy MMM dd HH:mm:ss, depending on the syslog format in use.
+ # - Original @timestamp from Filebeat.
+ - date:
+ if: 'ctx.cyberarkpas.audit.IsoTimestamp != null'
+ field: cyberarkpas.audit.IsoTimestamp
+ target_field: _tmp.timestamp
+ formats:
+ - ISO8601
+ on_failure:
+ - append:
+ field: error.message
+ value: "failed to parse ISO timestamp field: {{{cyberarkpas.audit.IsoTimestamp}}}: {{{_ingest.on_failure_message}}}"
+
+ - date:
+ if: 'ctx._tmp.timestamp == null && ctx.cyberarkpas.audit.Timestamp != null'
+ field: cyberarkpas.audit.Timestamp
+ target_field: _tmp.timestamp
+ formats:
+ # This is the default format.
+ - 'MMM dd HH:mm:ss'
+ # Drop a few other formats in case the above fails.
+ - ISO8601
+ - 'MMM d HH:mm:ss'
+ - "EEE MMM dd HH:mm:ss"
+ - "EEE MMM d HH:mm:ss"
+ - "MMM d HH:mm:ss z"
+ - "MMM dd HH:mm:ss z"
+ - "EEE MMM d HH:mm:ss z"
+ - "EEE MMM dd HH:mm:ss z"
+ - "MMM d yyyy HH:mm:ss"
+ - "MMM dd yyyy HH:mm:ss"
+ - "EEE MMM d yyyy HH:mm:ss"
+ - "EEE MMM dd yyyy HH:mm:ss"
+ - "MMM d yyyy HH:mm:ss z"
+ - "MMM dd yyyy HH:mm:ss z"
+ - "EEE MMM d yyyy HH:mm:ss z"
+ - "EEE MMM dd yyyy HH:mm:ss z"
+ on_failure:
+ - append:
+ field: error.message
+ value: "failed to parse timestamp field: {{{cyberarkpas.audit.Timestamp}}}: {{{_ingest.on_failure_message}}}"
+
+ - date:
+ if: 'ctx._tmp.timestamp == null && ctx._tmp.syslog_ts != null && ctx.event?.timezone == null'
+ field: _tmp.syslog_ts
+ target_field: _tmp.timestamp
+ formats:
+ # This is the default format.
+ - 'MMM dd HH:mm:ss'
+ # Drop a few other formats in case the above fails.
+ - ISO8601
+ - 'MMM d HH:mm:ss'
+ - "EEE MMM dd HH:mm:ss"
+ - "EEE MMM d HH:mm:ss"
+ - "MMM d HH:mm:ss z"
+ - "MMM dd HH:mm:ss z"
+ - "EEE MMM d HH:mm:ss z"
+ - "EEE MMM dd HH:mm:ss z"
+ - "MMM d yyyy HH:mm:ss"
+ - "MMM dd yyyy HH:mm:ss"
+ - "EEE MMM d yyyy HH:mm:ss"
+ - "EEE MMM dd yyyy HH:mm:ss"
+ - "MMM d yyyy HH:mm:ss z"
+ - "MMM dd yyyy HH:mm:ss z"
+ - "EEE MMM d yyyy HH:mm:ss z"
+ - "EEE MMM dd yyyy HH:mm:ss z"
+ on_failure:
+ - append:
+ field: error.message
+ value: "failed to parse legacy syslog timestamp: {{{_tmp.syslog_ts}}}: {{{_ingest.on_failure_message}}}"
+
+ - date:
+ if: 'ctx._tmp.timestamp == null && ctx._tmp.syslog_ts != null && ctx.event?.timezone != null'
+ field: _tmp.syslog_ts
+ target_field: _tmp.timestamp
+ timezone: '{{{event.timezone}}}'
+ formats:
+ # This is the default format.
+ - 'MMM dd HH:mm:ss'
+ # Drop a few other formats in case the above fails.
+ - ISO8601
+ - 'MMM d HH:mm:ss'
+ - "EEE MMM dd HH:mm:ss"
+ - "EEE MMM d HH:mm:ss"
+ - "MMM d HH:mm:ss z"
+ - "MMM dd HH:mm:ss z"
+ - "EEE MMM d HH:mm:ss z"
+ - "EEE MMM dd HH:mm:ss z"
+ - "MMM d yyyy HH:mm:ss"
+ - "MMM dd yyyy HH:mm:ss"
+ - "EEE MMM d yyyy HH:mm:ss"
+ - "EEE MMM dd yyyy HH:mm:ss"
+ - "MMM d yyyy HH:mm:ss z"
+ - "MMM dd yyyy HH:mm:ss z"
+ - "EEE MMM d yyyy HH:mm:ss z"
+ - "EEE MMM dd yyyy HH:mm:ss z"
+ on_failure:
+ - append:
+ field: error.message
+ value: "failed to parse legacy syslog timestamp: {{{_tmp.syslog_ts}}}: {{{_ingest.on_failure_message}}}"
+
+ - set:
+ field: '@timestamp'
+ value: '{{{_tmp.timestamp}}}'
+ ignore_empty_value: true
+ override: true
+
+ # This script converts the nested object under cyberarkpas.audit.CAProperties.CAProperty
+ # into an object under cyberarkpas.audit.CAProperties:
+ #
+ # input:
+ # "cyberarkpas.audit.CAProperties.CAProperty": [
+ # {
+ # "Name": "PolicyID",
+ # "Value": "LINUX-SSH"
+ # },
+ # {
+ # "Name": "UserName",
+ # "Value": "test12"
+ # }
+ # output:
+ # "cyberarkpas.audit.CAProperties":
+ # {
+ # "PolicyID": "LINUX-SSH",
+ # "UserName": "test12"
+ # }
+ - foreach:
+ field: cyberarkpas.audit.CAProperties.CAProperty
+ ignore_missing: true
+ processor:
+ set:
+ field: 'cyberarkpas.audit.CAProperties.{{{_ingest._value.Name}}}'
+ value: '{{{_ingest._value.Value}}}'
+ on_failure:
+ - append:
+ field: error.message
+ value: "failed to process CAProperties array: {{{_ingest.on_failure_message}}}"
+ - remove:
+ field: cyberarkpas.audit.CAProperties.CAProperty
+ ignore_missing: true
+
+ # Parse key-value pairs at ExtraDetails:
+ # input:
+ # "cyberarkpas.audit.ExtraDetails": "Command=ls \"/var/tmp\";ConnectionComponentId=PSMP-SSH;DstHost=[...]",
+ #
+ # output:
+ # "cyberarkpas.audit.ExtraDetails":
+ # {
+ # "Command": "ls \"/var/tmp\"",
+ # "ConnectionComponentId": "PSMP-SSH",
+ # "DstHost": [...]
+ #
+ # The original string can contain escaped separators, \= and \;
+ - kv:
+ field: cyberarkpas.audit.ExtraDetails
+ field_split: '(? + String to_snake_case(String s) {
+ /* faster code path for strings that won't need an underscore */
+ if (s.chars().skip(1).noneMatch(Character::isUpperCase)) {
+ return s.toLowerCase();
+ }
+ int run = 0;
+ boolean first = true;
+ StringBuilder result = new StringBuilder();
+ for (char c : s.toCharArray()) {
+ char o = Character.toLowerCase(c);
+ if (c != o) {
+ if (run == 0 && !first) {
+ result.append('_');
+ }
+ run ++;
+ } else {
+ if (run > 1) {
+ char prev = result.charAt(result.length()-1);
+ result.setCharAt(result.length()-1, (char)'_');
+ result.append(prev);
+ }
+ run = 0;
+ first = false;
+ }
+ result.append(o);
+ }
+ return result.toString();
+ }
+ def keys_to_snake_case_recursive(Map object) {
+ return object.entrySet().stream().collect(
+ Collectors.toMap(
+ e -> to_snake_case(e.getKey()),
+ e -> e.getValue() instanceof Map? keys_to_snake_case_recursive(e.getValue()) : e.getValue()
+ )
+ );
+ }
+ ctx.cyberarkpas.audit = keys_to_snake_case_recursive(ctx.cyberarkpas.audit);
+
+ #
+ # Convert rfc5424 field to boolean.
+ # + - script: + description: 'Converts the rfc5424 audit field to a boolean' + lang: painless + source: > + def value = ctx.cyberarkpas.audit.rfc5424; + ctx.cyberarkpas.audit["rfc5424"] = value == 'yes'; + + ######################################################## + # ECS enrichment + # + # All processors from this point use the snake_case form + # to access Cyberark fields. + ######################################################## + + - set: + field: event.kind + value: event + + - lowercase: + field: cyberarkpas.audit.action + target_field: event.action + ignore_missing: true + + # Severity to number + # + # Possible values: + # Info -> 0 + # Error -> 7 + # Critical -> 10 + - set: + field: event.severity + value: 2 + if: 'ctx.cyberarkpas.audit.severity == "Info"' + - set: + field: event.severity + value: 7 + if: 'ctx.cyberarkpas.audit.severity == "Error"' + - set: + field: event.severity + value: 10 + if: 'ctx.cyberarkpas.audit.severity == "Critical"' + - set: + field: event.type + value: error + if: 'ctx.event?.severity > 6' + + - rename: + field: cyberarkpas.audit.message_id + target_field: event.code + ignore_missing: true + + - set: + field: source.address + value: '{{{cyberarkpas.audit.station}}}' + ignore_empty_value: true + + - set: + field: destination.address + value: '{{{cyberarkpas.audit.gateway_station}}}' + ignore_empty_value: true + + - set: + field: file.path + value: '{{{cyberarkpas.audit.file}}}' + if: 'ctx.cyberarkpas.audit?.file != null' + + # + # Observer fields + # + - rename: + field: cyberarkpas.audit.vendor + target_field: observer.vendor + ignore_missing: true + - rename: + field: cyberarkpas.audit.product + target_field: observer.product + ignore_missing: true + - rename: + field: cyberarkpas.audit.version + target_field: observer.version + ignore_missing: true + - rename: + field: cyberarkpas.audit.hostname + target_field: observer.hostname + ignore_missing: true + # Use hostname from syslog if audit record's Hostname field is 
missing. + - rename: + field: _tmp.hostname + target_field: observer.hostname + ignore_missing: true + if: 'ctx.observer?.hostname == null' + # + # Enrichment based on message_id + # + # This script is overly complicated (read_field) because at this time + # there is no processor that allows to set one field from a source + # field using indirection (it is possible with rename, but that + # removes the original field). + # + # Once something like this is possible: + # set: + # target_field: '{{{_ingest.value.to}}}' + # copy_from: '{{{_ingest.value.from}}}' + # + # ... this script can be updated to just create two output lists, one + # for value-to pairs, another for value-from pairs. + # + - script: + lang: painless + description: 'ECS enrichment based on message_id' + params: + # 4 - User Authentication + # + # Always a failure. + "4": + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["authentication"] + - set: event.type + value: ["error"] + - set: event.action + value: "authentication_failure" + - set: event.outcome + value: "failure" + + # 7 - Logon + # + # User logged on to the PVWA. + "7": + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: [ "authentication", "session"] + - set: event.type + value: [ "start"] + - set: event.action + value: "authentication_success" + - set: event.outcome + value: "success" + + # 8 - Logoff + # + # User logged of from the PVWA. + "8": # Logoff + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: [ "authentication", "session"] + - set: event.type + value: ["end"] + - set: event.outcome + value: "success" + + # 19 - Full gateway connection. 
+ "19": + - set: source.user.name + from: cyberarkpas.audit.source_user + - set: user.name + from: cyberarkpas.audit.source_user + - set: destination.user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["network"] + - set: event.type + value: ["start"] + - set: event.outcome + value: "success" + + # 22 - CPM Verify Password + # + # Password on a target host is verified. + "22": + # Address of device that hosts the account. + - set: destination.address + from: cyberarkpas.audit.ca_properties.address + - set: event.outcome + from: cyberarkpas.audit.ca_properties.cpm_status + - set: destination.user.name + from: cyberarkpas.audit.ca_properties.user_name + - set: source.user.name + from: cyberarkpas.audit.issuer + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["iam"] + - set: event.type + value: ["admin", "info"] + + # 23 - Action on closed safe + # + # Nothing remarkable. + # + # "23": + + # 24 - CPM Change Password + "24": + - set: destination.address # This could be host.* or user.target.* (doesn't exists). + from: cyberarkpas.audit.ca_properties.address + - set: event.outcome + from: cyberarkpas.audit.ca_properties.cpm_status + - set: user.target.name + from: cyberarkpas.audit.ca_properties.user_name + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["iam"] + - set: event.type + value: ["user", "change"] + + # 31 - CPM Reconcile Password + # + "31": + - set: destination.address # This could be host.* or user.target.* (doesn't exists). + from: cyberarkpas.audit.ca_properties.address + - set: event.outcome + from: cyberarkpas.audit.ca_properties.cpm_status + - set: user.target.name + from: cyberarkpas.audit.ca_properties.user_name + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["iam"] + - set: event.type + value: ["user", "change"] + + # 32 - Add Owner + # + # Change owner of a Safe. 
+ # source_user performs the action, docs suggest otherwise. + "32": + - set: user.name + from: cyberarkpas.audit.issuer + - set: user.target.name + from: cyberarkpas.audit.source_user + - set: event.category + value: ["iam"] # How to best model Vault/Safes? An IAM system? A Database? + - set: event.type + value: ["admin", "change"] + - set: event.outcome + value: "success" + + # 33 - Update Owner + # + # Same as above + "33": + - set: user.name + from: cyberarkpas.audit.issuer + - set: user.target.name + from: cyberarkpas.audit.source_user + - set: event.category + value: ["iam"] # How to best model Vault/Safes? An IAM system? A Database? + - set: event.type + value: ["admin", "change"] + - set: event.outcome + value: "success" + + # 38 - CPM Verify Password Failed + # + # Like 22 but failed. + "38": + # Address of device that hosts the account. + - set: destination.address + from: cyberarkpas.audit.ca_properties.address + - set: event.outcome + value: "failure" + - set: event.reason + from: cyberarkpas.audit.ca_properties.cpm_error_details + - set: destination.user.name + from: cyberarkpas.audit.ca_properties.user_name + - set: source.user.name + from: cyberarkpas.audit.issuer + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["iam"] + - set: event.type + value: ["error"] + + # 50 - Store File + # + # I don't think it makes much sense to enrich Vault file events as "file" category. + # This will involve probably constructing a file.path prefixed by the safe name. + # Then these file events may be treated as file events in SIEM, which can have + # unwanted consequences. + # "50": + + # 57 - CPM Change Password Failed + "57": + - set: destination.address # This could be host.* or user.target.* (doesn't exists). 
+ from: cyberarkpas.audit.ca_properties.address + - set: event.outcome + value: "failure" + - set: user.target.name + from: cyberarkpas.audit.ca_properties.user_name + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["iam"] + - set: event.type + value: ["user", "change", "error"] + - set: event.reason + from: cyberarkpas.audit.ca_properties.cpm_error_details + + # 60 - CPM Reconcile Password Failed + "60": + - set: destination.address # This could be host.* or user.target.* (doesn't exists). + from: cyberarkpas.audit.ca_properties.address + - set: event.outcome + value: "failure" + - set: user.target.name + from: cyberarkpas.audit.ca_properties.user_name + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["iam"] + - set: event.type + value: ["user", "change", "error"] + - set: event.reason + from: cyberarkpas.audit.ca_properties.cpm_error_details + + # 130 - CPM Disable Password + "130": + - set: event.outcome + value: "failure" + - set: user.target.name + from: cyberarkpas.audit.ca_properties.user_name + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["iam"] + - set: event.type + value: ["user", "change"] + - set: event.reason + from: cyberarkpas.audit.ca_properties.cpm_error_details + - set: event.outcome + from: cyberarkpas.audit.ca_properties.cpm_status + + # 174 - Change User (untested) + "174": + - set: user.target.name + from: cyberarkpas.audit.source_user + - set: event.type + value: ["user", "change"] + - set: event.category + value: ["iam"] + - set: event.outcome + value: "success" + + # 175 - Change Your User (untested) + "175": + - set: user.target.name + from: cyberarkpas.audit.source_user + - set: event.type + value: ["user", "change"] + - set: event.category + value: ["iam"] + - set: event.outcome + value: "success" + + # 176 - Delete User (untested) + "176": + - set: user.target.name + from: cyberarkpas.audit.source_user + - set: event.type + 
value: ["user", "deletion"] + - set: event.category + value: ["iam"] + - set: event.outcome + value: "success" + + # 177 - Delete Your User (untested) + "177": + - set: user.target.name + from: cyberarkpas.audit.source_user + - set: event.type + value: ["user", "deletion"] + - set: event.category + value: ["iam"] + - set: event.outcome + value: "success" + + # 173 - Add User (alternative to 180, untested) + "173": + - set: user.target.name + from: cyberarkpas.audit.source_user + - set: event.type + value: ["user", "creation"] + - set: event.category + value: ["iam"] + - set: event.outcome + value: "success" + + # 180 - Add User + "180": + - set: user.target.name + from: cyberarkpas.audit.source_user + - set: event.type + value: ["user", "creation"] + - set: event.category + value: ["iam"] + - set: event.outcome + value: "success" + + # 295 - Retrieve Password succeeded + "295": + - set: destination.address + from: cyberarkpas.audit.ca_properties.address + - set: destination.user.name + from: cyberarkpas.audit.ca_properties.user_name + - set: source.user.name + from: cyberarkpas.audit.issuer + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["iam"] + - set: event.type + value: ["admin", "access"] + - set: event.outcome + value: "success" + - set: event.reason + from: cyberarkpas.audit.reason + + # 300 - PSM Connect + "300": + - set: destination.address + from: cyberarkpas.audit.extra_details.dst_host + - set: destination.user.name + from: cyberarkpas.audit.extra_details.user + - set: source.address + from: cyberarkpas.audit.extra_details.src_host + - set: source.user.name + from: cyberarkpas.audit.issuer + - set: user.name + from: cyberarkpas.audit.issuer + - set: network.application + from: cyberarkpas.audit.extra_details.protocol + - set: event.category + value: ["session"] + - set: event.type + value: ["start"] + - set: event.outcome + value: "success" + + # 302 - PSM Disconnect + "302": + - set: destination.address + from: 
cyberarkpas.audit.extra_details.dst_host + - set: destination.user.name + from: cyberarkpas.audit.extra_details.user + - set: source.address + from: cyberarkpas.audit.extra_details.src_host + - set: source.user.name + from: cyberarkpas.audit.issuer + - set: user.name + from: cyberarkpas.audit.issuer + - set: network.application + from: cyberarkpas.audit.extra_details.protocol + - set: _tmp.duration_hms + from: cyberarkpas.audit.extra_details.session_duration + - set: event.category + value: ["session"] + - set: event.type + value: ["end"] + - set: event.outcome + value: "success" + + # 308 - Use Password + "308": + - set: destination.address + from: cyberarkpas.audit.ca_properties.address + - set: destination.user.name + from: cyberarkpas.audit.ca_properties.user_name + - set: source.user.name + from: cyberarkpas.audit.issuer + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["iam"] + - set: event.type + value: ["admin", "access"] + - set: event.outcome + from: cyberarkpas.audit.ca_properties.cpm_status + - set: event.reason + from: cyberarkpas.audit.reason + + # 309 - Undefined user logon + # + "309": + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["authentication"] + - set: event.type + value: ["error"] + - set: event.action + value: "authentication_failure" + - set: event.outcome + value: "failure" + + # 361 - Keystroke logging + "361": + - set: destination.address + from: cyberarkpas.audit.extra_details.dst_host + - set: destination.user.name + from: cyberarkpas.audit.extra_details.user + - set: source.address + from: cyberarkpas.audit.extra_details.src_host + - set: source.user.name + from: cyberarkpas.audit.issuer + - set: user.name + from: cyberarkpas.audit.issuer + - set: network.application + from: cyberarkpas.audit.extra_details.protocol + - set: event.category + value: ["session"] + - set: event.type + value: ["info"] + + # 412 - Keystroke logging (same as 361?) 
+ "412": + - set: destination.address + from: cyberarkpas.audit.extra_details.dst_host + - set: destination.user.name + from: cyberarkpas.audit.extra_details.user + - set: source.address + from: cyberarkpas.audit.extra_details.src_host + - set: source.user.name + from: cyberarkpas.audit.issuer + - set: user.name + from: cyberarkpas.audit.issuer + - set: network.application + from: cyberarkpas.audit.extra_details.protocol + - set: event.category + value: ["session"] + - set: event.type + value: ["info"] + + # 359 - SQL Command + "359": + - set: destination.address + from: cyberarkpas.audit.extra_details.dst_host + - set: destination.user.name + from: cyberarkpas.audit.extra_details.user + - set: source.address + from: cyberarkpas.audit.extra_details.src_host + - set: source.user.name + from: cyberarkpas.audit.issuer + - set: user.name + from: cyberarkpas.audit.issuer + - set: network.application + from: cyberarkpas.audit.extra_details.protocol + - set: event.category + value: ["database"] + - set: event.type + value: ["access"] + - set: event.outcome + from: cyberarkpas.audit.ca_properties.cpm_status + + # 411 - Window Title + "411": + - set: destination.address + from: cyberarkpas.audit.extra_details.dst_host + - set: destination.user.name + from: cyberarkpas.audit.extra_details.user + - set: source.address + from: cyberarkpas.audit.extra_details.src_host + - set: source.user.name + from: cyberarkpas.audit.issuer + - set: user.name + from: cyberarkpas.audit.issuer + - set: network.application + from: cyberarkpas.audit.extra_details.protocol + - set: process.pid + from: cyberarkpas.audit.extra_details.process_id + - set: process.name + from: cyberarkpas.audit.extra_details.process_name + - set: event.category + value: ["process"] + - set: event.type + value: ["access", "info"] + + # 414 - CPM Verify SSH Key + # + # SSH-key on a target host is verified. + "414": + # Address of device that hosts the account. 
+ - set: destination.address + from: cyberarkpas.audit.ca_properties.address + - set: event.outcome + from: cyberarkpas.audit.ca_properties.cpm_status + - set: destination.user.name + from: cyberarkpas.audit.ca_properties.user_name + - set: source.user.name + from: cyberarkpas.audit.issuer + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["iam"] + - set: event.type + value: ["admin", "info"] + + # 428 - Retrieve SSH Key + "428": + - set: destination.address + from: cyberarkpas.audit.ca_properties.address + - set: destination.user.name + from: cyberarkpas.audit.ca_properties.user_name + - set: source.user.name + from: cyberarkpas.audit.issuer + - set: user.name + from: cyberarkpas.audit.issuer + - set: event.category + value: ["iam"] + - set: event.type + value: ["admin", "access"] + - set: event.outcome + value: "success" + - set: event.reason + from: cyberarkpas.audit.reason + + source: > + def clone(def val) { + return val instanceof List? new ArrayList(val) : val; + } + def read_field(def map, String name) { + if (map == null || !(map instanceof Map)) return null; + int pos = name.indexOf("."); + return pos == -1? map[name] + : read_field(map[name.substring(0, pos)], name.substring(pos+1)); + } + String msgID = ctx.event?.code; + def actions = params.get(msgID); + if (actions == null) return; + List values = new ArrayList(); + for (def item : actions) { + def val = item.value; + if (val == null && (val = read_field(ctx, item.from)) == null || val == "") continue; + values.add([ + "to": item.set, + "value": clone(val) + ]); + } + if (!values.isEmpty()) ctx._tmp["values"] = values; + + - foreach: + field: _tmp.values + ignore_missing: true + processor: + set: + field: '{{{_ingest._value.to}}}' + copy_from: '_ingest._value.value' + ignore_empty_value: true + override: true + + # + # Force event.outcome: unknown in case it gets a value other than one of the allowed. 
+ # + - set: + field: event.outcome + value: 'unknown' + if: 'ctx.event?.outcome != null && !["success", "failure"].contains(ctx.event.outcome)' + + + # + # Set event.duration from the session duration ("hh:mm:ss") present in some messages. + # + - script: + lang: painless + description: 'Set event.duration from the session duration ("hh:mm:ss")' + if: "ctx._tmp?.duration_hms != null" + source: > + long parse_hms(String s) { + long cur = 0, total = 0; + for (char c: s.toCharArray()) { + if (c >= (char)'0' && c <= (char)'9') { + cur = (cur*10) + (long)c - (char)'0'; + } else if (c == (char)':') { + total = (total + cur) * 60; + cur = 0; + } else { + return 0; + } + } + return total + cur; + } + long nanos = parse_hms(ctx._tmp.duration_hms) * 1000000000L; + ctx.event['duration'] = nanos; + + # + # Populate ip/domain fields from address. + # + - convert: + field: source.address + target_field: source.ip + type: ip + ignore_missing: true + on_failure: + - set: + field: source.domain + copy_from: source.address + - convert: + field: destination.address + target_field: destination.ip + type: ip + ignore_missing: true + on_failure: + - set: + field: destination.domain + copy_from: destination.address + + # + # Populate related.ip + # + - append: + field: related.ip + value: '{{{source.ip}}}' + if: 'ctx.source?.ip != null' + allow_duplicates: false + - append: + field: related.ip + value: '{{{destination.ip}}}' + if: 'ctx.destination?.ip != null' + allow_duplicates: false + - append: + field: related.ip + value: '{{{cyberarkpas.audit.station}}}' + if: 'ctx.cyberarkpas.audit.station != null' + allow_duplicates: false + - append: + field: related.ip + value: '{{{cyberarkpas.audit.gateway_station}}}' + if: 'ctx.cyberarkpas.audit.gateway_station != null' + allow_duplicates: false + + # + # Populate related.user + # + - append: + field: related.user + value: '{{{user.name}}}' + if: 'ctx.user?.name != null' + allow_duplicates: false + - append: + field: related.user + value: 
'{{{source.user.name}}}' + if: 'ctx.source?.user?.name != null' + allow_duplicates: false + - append: + field: related.user + value: '{{{destination.user.name}}}' + if: 'ctx.destination?.user?.name != null' + allow_duplicates: false + - append: + field: related.user + value: '{{{user.target.name}}}' + if: 'ctx.user?.target?.name != null' + allow_duplicates: false + + # + # sometimes application is capitalized. + # + - lowercase: + field: network.application + ignore_missing: true + + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # + # Set host.name + # This sets host.name from observer.hostname when the original event from Filebeat didn't + # have a host.name. This is the case of forwarded events (the tag "forwarded" is present). + # + - set: + field: host.name + value: '{{{observer.hostname}}}' + ignore_empty_value: true + if: 'ctx.host?.name == null' + + - network_direction: + ignore_missing: true + internal_networks: + - loopback + - private + - unspecified + + # + # Cleanup + # + - remove: + field: _tmp + ignore_missing: true + + - remove: + field: event.original + ignore_missing: true + if: 'ctx.tags == null || !ctx.tags.contains("preserve_original_event")' + +on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + + - remove: + field: _tmp + ignore_missing: true + + - set: + field: event.kind + value: pipeline_error diff --git a/x-pack/filebeat/module/cyberarkpas/audit/manifest.yml b/x-pack/filebeat/module/cyberarkpas/audit/manifest.yml new file mode 100644 index 00000000000..025a519a5b7 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/manifest.yml 
@@ -0,0 +1,22 @@
+module_version: "1.0"
+
+var:
+ - name: paths
+ - name: tags
+ default: ["cyberarkpas.audit", "forwarded"]
+ - name: syslog_host
+ default: localhost
+ - name: syslog_port
+ default: 9301
+ - name: input
+ default: tcp
+ - name: ssl
+ - name: preserve_original_event
+ default: false
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/input.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/105_add_file_category.log b/x-pack/filebeat/module/cyberarkpas/audit/test/105_add_file_category.log
new file mode 100644
index 00000000000..cb662d0ec48
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/105_add_file_category.log
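Review bot: `ssl` is declared with no default while `input` defaults to `tcp` and `syslog_host` to `localhost`, so a deployment that only points `syslog_host` at a routable interface will receive these audit records in the clear; the fixture in this same change shows they carry issuer names, safe names, target file paths and station addresses. A one-line comment on the var, `# set ssl to enable TLS on the tcp input; audit records carry account and safe metadata`, would make the expectation explicit for operators. This assumes, as is usual for these module manifests, that `ssl` is what config/input.yml forwards to the tcp input's TLS settings; input.yml is not in this diff, so confirm. The `preserve_original_event` default of `false` is consistent with the conditional `remove` of `event.original` in the pipeline.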
@@ -0,0 +1,6 @@
+<5>1 2021-03-08T18:24:49Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:24:49","IsoTimestamp":"2021-03-08T18:24:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"Administrator","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WinDesktopLocal-Address-adriansr","Station":"127.0.0.1","Location":"","Category":"Address","RequestId":"","Reason":"Value=[Address]","ExtraDetails":"","Message":"Add File Category","GatewayStation":"10.0.1.20"}}}
+<5>1 2021-03-10T09:11:54Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:54","IsoTimestamp":"2021-03-10T09:11:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"PSMPApp_localhost.localdomain","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_localhost.localdomain.LiveSessions","Station":"81.32.170.205","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}}
+<5>1 2021-03-10T18:46:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:48","IsoTimestamp":"2021-03-10T18:46:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"PSMApp_VAGRANT","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSMServer.LiveSessions","Station":"81.32.170.205","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add File 
Category","GatewayStation":""}}}
+<5>1 2021-03-10T22:17:26Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:26","IsoTimestamp":"2021-03-10T22:17:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"Administrator","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSM-ASR-CYBERARK-WI","Station":"35.192.121.42","Location":"","Category":"LogonDomain","RequestId":"","Reason":"Value=[ASR-CYBERARK-WI]","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}}
+<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSM-ASR-CYBERARK-WI.LiveSessions","Station":"35.192.121.42","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}}
+<5>1 2021-03-11T16:59:58Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:58\n 2021-03-11T16:59:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 105\n Add File Category\n Info\n PSMPApp_VAGRANT\n Add File Category\n \n \n PSMPLiveSessions\n Root\\PSMPApp_VAGRANT.LiveSessions\n 81.32.170.205\n \n _PSMLiveSessions_1\n \n \n \n Add File Category\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:58","IsoTimestamp":"2021-03-11T16:59:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File 
Category","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_VAGRANT.LiveSessions","Station":"81.32.170.205","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/105_add_file_category.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/105_add_file_category.log-expected.json
new file mode 100644
index 00000000000..713d0730107
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/105_add_file_category.log-expected.json
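Review bot: The fixture embeds what look like real public addresses (`81.32.170.205`, `35.192.121.42`) and a developer's handle inside `File`, and the expected output for this file resolves those addresses through `geoip` down to city-level records, so the test's result depends on the GeoIP database present in the test environment rather than only on the pipeline. If the harness pins a fixed test database that is acceptable, but otherwise addresses from the RFC 5737 documentation ranges (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`) would remove that dependency and avoid committing third-party addresses to the repository; the geo enrichment path could still be exercised by one deliberately chosen address. The sixth record also carries a `raw` XML payload whose element names do not survive in this rendering, which is worth checking against the committed file.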
@@ -0,0 +1,302 @@ +[ + { + "@timestamp": "2021-03-08T18:24:49.000Z", + "cyberarkpas.audit.action": "Add File Category", + "cyberarkpas.audit.category": "Address", + "cyberarkpas.audit.desc": "Add File Category", + "cyberarkpas.audit.file": "Root\\Operating System-WinDesktopLocal-Address-adriansr", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-08T18:24:49Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add File Category", + "cyberarkpas.audit.reason": "Value=[Address]", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 08 10:24:49", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "add file category", + "event.code": "105", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Operating System-WinDesktopLocal-Address-adriansr", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T09:11:54.000Z", + "cyberarkpas.audit.action": "Add File Category", + "cyberarkpas.audit.category": "_PSMLiveSessions_1", + "cyberarkpas.audit.desc": "Add File Category", + "cyberarkpas.audit.file": "Root\\PSMPApp_localhost.localdomain.LiveSessions", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:54Z", + "cyberarkpas.audit.issuer": 
"PSMPApp_localhost.localdomain", + "cyberarkpas.audit.message": "Add File Category", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPLiveSessions", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:54", + "event.action": "add file category", + "event.code": "105", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PSMPApp_localhost.localdomain.LiveSessions", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 665, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T18:46:48.000Z", + "cyberarkpas.audit.action": "Add File Category", + "cyberarkpas.audit.category": "_PSMLiveSessions_1", + "cyberarkpas.audit.desc": "Add File Category", + "cyberarkpas.audit.file": "Root\\PSMServer.LiveSessions", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T18:46:48Z", + "cyberarkpas.audit.issuer": "PSMApp_VAGRANT", + "cyberarkpas.audit.message": "Add File Category", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMLiveSessions", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 
10:46:48", + "event.action": "add file category", + "event.code": "105", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PSMServer.LiveSessions", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1342, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T22:17:26.000Z", + "cyberarkpas.audit.action": "Add File Category", + "cyberarkpas.audit.category": "LogonDomain", + "cyberarkpas.audit.desc": "Add File Category", + "cyberarkpas.audit.file": "Root\\PSM-ASR-CYBERARK-WI", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T22:17:26Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add File Category", + "cyberarkpas.audit.reason": "Value=[ASR-CYBERARK-WI]", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.timestamp": "Mar 10 14:17:26", + "event.action": "add file category", + "event.code": "105", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PSM-ASR-CYBERARK-WI", + "fileset.name": 
"audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1983, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "35.192.121.42" + ], + "service.type": "cyberarkpas", + "source.address": "35.192.121.42", + "source.geo.city_name": "Council Bluffs", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 41.2591, + "source.geo.location.lon": -95.8517, + "source.geo.region_iso_code": "US-IA", + "source.geo.region_name": "Iowa", + "source.ip": "35.192.121.42", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T22:20:12.000Z", + "cyberarkpas.audit.action": "Add File Category", + "cyberarkpas.audit.category": "_PSMLiveSessions_1", + "cyberarkpas.audit.desc": "Add File Category", + "cyberarkpas.audit.file": "Root\\PSM-ASR-CYBERARK-WI.LiveSessions", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T22:20:12Z", + "cyberarkpas.audit.issuer": "PSMApp_ASR-WIN", + "cyberarkpas.audit.message": "Add File Category", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMLiveSessions", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.timestamp": "Mar 10 14:20:12", + "event.action": "add file category", + "event.code": "105", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PSM-ASR-CYBERARK-WI.LiveSessions", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2624, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "35.192.121.42" + ], + 
"service.type": "cyberarkpas", + "source.address": "35.192.121.42", + "source.geo.city_name": "Council Bluffs", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 41.2591, + "source.geo.location.lon": -95.8517, + "source.geo.region_iso_code": "US-IA", + "source.geo.region_name": "Iowa", + "source.ip": "35.192.121.42", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-11T16:59:58.000Z", + "cyberarkpas.audit.action": "Add File Category", + "cyberarkpas.audit.category": "_PSMLiveSessions_1", + "cyberarkpas.audit.desc": "Add File Category", + "cyberarkpas.audit.file": "Root\\PSMPApp_VAGRANT.LiveSessions", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:59:58Z", + "cyberarkpas.audit.issuer": "PSMPApp_VAGRANT", + "cyberarkpas.audit.message": "Add File Category", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:59:58\n 2021-03-11T16:59:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 105\n Add File Category\n Info\n PSMPApp_VAGRANT\n Add File Category\n \n \n PSMPLiveSessions\n Root\\PSMPApp_VAGRANT.LiveSessions\n 81.32.170.205\n \n _PSMLiveSessions_1\n \n \n \n Add File Category\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPLiveSessions", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 08:59:58", + "event.action": "add file category", + "event.code": "105", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PSMPApp_VAGRANT.LiveSessions", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 3275, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": 
"11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/106_update_file_category.log b/x-pack/filebeat/module/cyberarkpas/audit/test/106_update_file_category.log new file mode 100644 index 00000000000..14adbc29da4 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/106_update_file_category.log 
@@ -0,0 +1,6 @@
+<5>1 2021-03-08T18:25:52Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:25:52","IsoTimestamp":"2021-03-08T18:25:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"Administrator","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WinDesktopLocal-Address-adriansr","Station":"127.0.0.1","Location":"","Category":"Address","RequestId":"","Reason":"Value=[components] Old Value=[Address]","ExtraDetails":"","Message":"Update File Category","GatewayStation":"10.0.1.20"}}}
+<5>1 2021-03-10T18:46:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:48","IsoTimestamp":"2021-03-10T18:46:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMApp_VAGRANT","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSMServer.LiveSessions","Station":"81.32.170.205","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}}
+<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSM-ASR-CYBERARK-WI.LiveSessions","Station":"35.192.121.42","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}}
+<5>1 2021-03-11T17:38:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:26\n 2021-03-11T17:38:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMPApp_VAGRANT\n Update File Category\n \n \n PSMRecordings\n root\\87012dcc-8290-11eb-949e-080027efd402.session\n 81.32.170.205\n \n PSMStatus\n \n \n \n Update File Category\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:26","IsoTimestamp":"2021-03-11T17:38:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMRecordings","File":"root\\87012dcc-8290-11eb-949e-080027efd402.session","Station":"81.32.170.205","Location":"","Category":"PSMStatus","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}}
+<5>1 2021-03-11T20:10:33Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:10:33\n 2021-03-11T20:10:33Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMApp_ASR-WIN\n Update File Category\n \n \n PSMLiveSessions\n Root\\PSM-ASR-CYBERARK-WI.LiveSessions\n 34.66.114.180\n \n _PSMLiveSessions_1\n \n \n \n Update File Category\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:10:33","IsoTimestamp":"2021-03-11T20:10:33Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSM-ASR-CYBERARK-WI.LiveSessions","Station":"34.66.114.180","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}}
+<5>1 2021-03-14T13:49:38Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:38\n 2021-03-14T13:49:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMPApp_SSH\n Update File Category\n \n \n PSMPLiveSessions\n Root\\PSMPApp_SSH.LiveSessions\n 34.71.250.247\n \n _PSMLiveSessions_1\n \n \n \n Update File Category\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:38","IsoTimestamp":"2021-03-14T13:49:38Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMPApp_SSH","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_SSH.LiveSessions","Station":"34.71.250.247","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/106_update_file_category.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/106_update_file_category.log-expected.json
new file mode 100644
index 00000000000..b84e56e08dd
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/106_update_file_category.log-expected.json
@@ -0,0 +1,303 @@ +[ + { + "@timestamp": "2021-03-08T18:25:52.000Z", + "cyberarkpas.audit.action": "Update File Category", + "cyberarkpas.audit.category": "Address", + "cyberarkpas.audit.desc": "Update File Category", + "cyberarkpas.audit.file": "Root\\Operating System-WinDesktopLocal-Address-adriansr", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-08T18:25:52Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Update File Category", + "cyberarkpas.audit.reason": "Value=[components] Old Value=[Address]", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 08 10:25:52", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "update file category", + "event.code": "106", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Operating System-WinDesktopLocal-Address-adriansr", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T18:46:48.000Z", + "cyberarkpas.audit.action": "Update File Category", + "cyberarkpas.audit.category": "_PSMLiveSessions_1", + "cyberarkpas.audit.desc": "Update File Category", + "cyberarkpas.audit.file": "Root\\PSMServer.LiveSessions", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T18:46:48Z", + 
"cyberarkpas.audit.issuer": "PSMApp_VAGRANT", + "cyberarkpas.audit.message": "Update File Category", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMLiveSessions", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 10:46:48", + "event.action": "update file category", + "event.code": "106", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PSMServer.LiveSessions", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 697, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T22:20:12.000Z", + "cyberarkpas.audit.action": "Update File Category", + "cyberarkpas.audit.category": "_PSMLiveSessions_1", + "cyberarkpas.audit.desc": "Update File Category", + "cyberarkpas.audit.file": "Root\\PSM-ASR-CYBERARK-WI.LiveSessions", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T22:20:12Z", + "cyberarkpas.audit.issuer": "PSMApp_ASR-WIN", + "cyberarkpas.audit.message": "Update File Category", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMLiveSessions", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "35.192.121.42", + 
"cyberarkpas.audit.timestamp": "Mar 10 14:20:12", + "event.action": "update file category", + "event.code": "106", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PSM-ASR-CYBERARK-WI.LiveSessions", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1347, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "35.192.121.42" + ], + "service.type": "cyberarkpas", + "source.address": "35.192.121.42", + "source.geo.city_name": "Council Bluffs", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 41.2591, + "source.geo.location.lon": -95.8517, + "source.geo.region_iso_code": "US-IA", + "source.geo.region_name": "Iowa", + "source.ip": "35.192.121.42", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-11T17:38:26.000Z", + "cyberarkpas.audit.action": "Update File Category", + "cyberarkpas.audit.category": "PSMStatus", + "cyberarkpas.audit.desc": "Update File Category", + "cyberarkpas.audit.file": "root\\87012dcc-8290-11eb-949e-080027efd402.session", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:38:26Z", + "cyberarkpas.audit.issuer": "PSMPApp_VAGRANT", + "cyberarkpas.audit.message": "Update File Category", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:26\n 2021-03-11T17:38:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMPApp_VAGRANT\n Update File Category\n \n \n PSMRecordings\n root\\87012dcc-8290-11eb-949e-080027efd402.session\n 81.32.170.205\n \n PSMStatus\n \n \n \n Update File Category\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMRecordings", + 
"cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 09:38:26", + "event.action": "update file category", + "event.code": "106", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "root\\87012dcc-8290-11eb-949e-080027efd402.session", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2007, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-11T20:10:33.000Z", + "cyberarkpas.audit.action": "Update File Category", + "cyberarkpas.audit.category": "_PSMLiveSessions_1", + "cyberarkpas.audit.desc": "Update File Category", + "cyberarkpas.audit.file": "Root\\PSM-ASR-CYBERARK-WI.LiveSessions", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T20:10:33Z", + "cyberarkpas.audit.issuer": "PSMApp_ASR-WIN", + "cyberarkpas.audit.message": "Update File Category", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 12:10:33\n 2021-03-11T20:10:33Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMApp_ASR-WIN\n Update File Category\n \n \n PSMLiveSessions\n Root\\PSM-ASR-CYBERARK-WI.LiveSessions\n 34.66.114.180\n \n _PSMLiveSessions_1\n \n \n \n Update File Category\n \n \n\n", + 
"cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMLiveSessions", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.66.114.180", + "cyberarkpas.audit.timestamp": "Mar 11 12:10:33", + "event.action": "update file category", + "event.code": "106", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PSM-ASR-CYBERARK-WI.LiveSessions", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 3611, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "34.66.114.180" + ], + "service.type": "cyberarkpas", + "source.address": "34.66.114.180", + "source.geo.city_name": "Council Bluffs", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 41.2591, + "source.geo.location.lon": -95.8517, + "source.geo.region_iso_code": "US-IA", + "source.geo.region_name": "Iowa", + "source.ip": "34.66.114.180", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-14T13:49:38.000Z", + "cyberarkpas.audit.action": "Update File Category", + "cyberarkpas.audit.category": "_PSMLiveSessions_1", + "cyberarkpas.audit.desc": "Update File Category", + "cyberarkpas.audit.file": "Root\\PSMPApp_SSH.LiveSessions", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T13:49:38Z", + "cyberarkpas.audit.issuer": "PSMPApp_SSH", + "cyberarkpas.audit.message": "Update File Category", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:49:38\n 2021-03-14T13:49:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMPApp_SSH\n Update File Category\n \n \n PSMPLiveSessions\n Root\\PSMPApp_SSH.LiveSessions\n 34.71.250.247\n \n 
_PSMLiveSessions_1\n \n \n \n Update File Category\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPLiveSessions", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 14 06:49:38", + "event.action": "update file category", + "event.code": "106", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PSMPApp_SSH.LiveSessions", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 5211, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "34.71.250.247" + ], + "service.type": "cyberarkpas", + "source.address": "34.71.250.247", + "source.geo.city_name": "Council Bluffs", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 41.2591, + "source.geo.location.lon": -95.8517, + "source.geo.region_iso_code": "US-IA", + "source.geo.region_name": "Iowa", + "source.ip": "34.71.250.247", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/107_delete_file_category.log b/x-pack/filebeat/module/cyberarkpas/audit/test/107_delete_file_category.log new file mode 100644 index 00000000000..92fadaab728 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/107_delete_file_category.log 
@@ -0,0 +1 @@
+<5>1 2021-03-15T10:22:24Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:22:24\n 2021-03-15T10:22:24Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 107\n Delete File Category\n Info\n Administrator\n Delete File Category\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 127.0.0.1\n \n LastFailDate\n \n Old Value=[1615803137]\n \n Delete File Category\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:22:24","IsoTimestamp":"2021-03-15T10:22:24Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"107","Desc":"Delete File Category","Severity":"Info","Issuer":"Administrator","Action":"Delete File Category","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"127.0.0.1","Location":"","Category":"LastFailDate","RequestId":"","Reason":"Old Value=[1615803137]","ExtraDetails":"","Message":"Delete File Category","GatewayStation":"10.0.1.20"}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/107_delete_file_category.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/107_delete_file_category.log-expected.json
new file mode 100644
index 00000000000..262c670a528
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/107_delete_file_category.log-expected.json
@@ -0,0 +1,51 @@ +[ + { + "@timestamp": "2021-03-15T10:22:24.000Z", + "cyberarkpas.audit.action": "Delete File Category", + "cyberarkpas.audit.category": "LastFailDate", + "cyberarkpas.audit.desc": "Delete File Category", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T10:22:24Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Delete File Category", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:22:24\n 2021-03-15T10:22:24Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 107\n Delete File Category\n Info\n Administrator\n Delete File Category\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 127.0.0.1\n \n LastFailDate\n \n Old Value=[1615803137]\n \n Delete File Category\n 10.0.1.20\n \n\n", + "cyberarkpas.audit.reason": "Old Value=[1615803137]", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 15 03:22:24", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "delete file category", + "event.code": "107", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + 
"forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/124_rename_file.log b/x-pack/filebeat/module/cyberarkpas/audit/test/124_rename_file.log new file mode 100644 index 00000000000..b3191445d81 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/124_rename_file.log @@ -0,0 +1 @@ +<5>1 2021-03-14T13:42:20Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:42:20\n 2021-03-14T13:42:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 124\n Rename File\n Info\n Administrator\n Rename File\n \n \n PSM\n Root\\Operating System-UnixSSH-34.123.103.115-PSMConnect\n 127.0.0.1\n \n \n \n \n \n Rename File\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:42:20","IsoTimestamp":"2021-03-14T13:42:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"124","Desc":"Rename File","Severity":"Info","Issuer":"Administrator","Action":"Rename File","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSH-34.123.103.115-PSMConnect","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Rename File","GatewayStation":"10.0.1.20"}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/124_rename_file.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/124_rename_file.log-expected.json new file mode 100644 index 00000000000..0b008d88f7a --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/124_rename_file.log-expected.json 
@@ -0,0 +1,49 @@
+[
+ {
+ "@timestamp": "2021-03-14T13:42:20.000Z",
+ "cyberarkpas.audit.action": "Rename File",
+ "cyberarkpas.audit.desc": "Rename File",
+ "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-PSMConnect",
+ "cyberarkpas.audit.gateway_station": "10.0.1.20",
+ "cyberarkpas.audit.iso_timestamp": "2021-03-14T13:42:20Z",
+ "cyberarkpas.audit.issuer": "Administrator",
+ "cyberarkpas.audit.message": "Rename File",
+ "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:42:20\n 2021-03-14T13:42:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 124\n Rename File\n Info\n Administrator\n Rename File\n \n \n PSM\n Root\\Operating System-UnixSSH-34.123.103.115-PSMConnect\n 127.0.0.1\n \n \n \n \n \n Rename File\n 10.0.1.20\n \n\n",
+ "cyberarkpas.audit.rfc5424": true,
+ "cyberarkpas.audit.safe": "PSM",
+ "cyberarkpas.audit.severity": "Info",
+ "cyberarkpas.audit.station": "127.0.0.1",
+ "cyberarkpas.audit.timestamp": "Mar 14 06:42:20",
+ "destination.address": "10.0.1.20",
+ "destination.ip": "10.0.1.20",
+ "event.action": "rename file",
+ "event.code": "124",
+ "event.dataset": "cyberarkpas.audit",
+ "event.kind": "event",
+ "event.module": "cyberarkpas",
+ "event.severity": 2,
+ "event.timezone": "-02:00",
+ "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-PSMConnect",
+ "fileset.name": "audit",
+ "host.name": "VAULT",
+ "input.type": "log",
+ "log.offset": 0,
+ "log.syslog.priority": "5",
+ "network.direction": "internal",
+ "observer.hostname": "VAULT",
+ "observer.product": "Vault",
+ "observer.vendor": "Cyber-Ark",
+ "observer.version": "11.7.0000",
+ "related.ip": [
+ "127.0.0.1",
+ "10.0.1.20"
+ ],
+ "service.type": "cyberarkpas",
+ "source.address": "127.0.0.1",
+ "source.ip": "127.0.0.1",
+ "tags": [
+ "cyberarkpas.audit",
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/125_rename_file_cont.log b/x-pack/filebeat/module/cyberarkpas/audit/test/125_rename_file_cont.log
new file mode 100644
index 00000000000..d9c83a42d98
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/125_rename_file_cont.log
@@ -0,0 +1 @@
+<5>1 2021-03-14T13:42:20Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:42:20\n 2021-03-14T13:42:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 125\n Rename File (Cont.)\n Info\n Administrator\n Rename File (Cont.)\n \n \n PSM\n Operating System-UnixSSH-34.71.250.247-PSMConnect\n 127.0.0.1\n \n \n \n \n \n Rename File (Cont.)\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:42:20","IsoTimestamp":"2021-03-14T13:42:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"125","Desc":"Rename File (Cont.)","Severity":"Info","Issuer":"Administrator","Action":"Rename File (Cont.)","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Operating System-UnixSSH-34.71.250.247-PSMConnect","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Rename File (Cont.)","GatewayStation":"10.0.1.20"}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/125_rename_file_cont.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/125_rename_file_cont.log-expected.json
new file mode 100644
index 00000000000..9f23e422362
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/125_rename_file_cont.log-expected.json
@@ -0,0 +1,49 @@
+[
+ {
+ "@timestamp": "2021-03-14T13:42:20.000Z",
+ "cyberarkpas.audit.action": "Rename File (Cont.)",
+ "cyberarkpas.audit.desc": "Rename File (Cont.)",
+ "cyberarkpas.audit.file": "Operating System-UnixSSH-34.71.250.247-PSMConnect",
+ "cyberarkpas.audit.gateway_station": "10.0.1.20",
+ "cyberarkpas.audit.iso_timestamp": "2021-03-14T13:42:20Z",
+ "cyberarkpas.audit.issuer": "Administrator",
+ "cyberarkpas.audit.message": "Rename File (Cont.)",
+ "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:42:20\n 2021-03-14T13:42:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 125\n Rename File (Cont.)\n Info\n Administrator\n Rename File (Cont.)\n \n \n PSM\n Operating System-UnixSSH-34.71.250.247-PSMConnect\n 127.0.0.1\n \n \n \n \n \n Rename File (Cont.)\n 10.0.1.20\n \n\n",
+ "cyberarkpas.audit.rfc5424": true,
+ "cyberarkpas.audit.safe": "PSM",
+ "cyberarkpas.audit.severity": "Info",
+ "cyberarkpas.audit.station": "127.0.0.1",
+ "cyberarkpas.audit.timestamp": "Mar 14 06:42:20",
+ "destination.address": "10.0.1.20",
+ "destination.ip": "10.0.1.20",
+ "event.action": "rename file (cont.)",
+ "event.code": "125",
+ "event.dataset": "cyberarkpas.audit",
+ "event.kind": "event",
+ "event.module": "cyberarkpas",
+ "event.severity": 2,
+ "event.timezone": "-02:00",
+ "file.path": "Operating System-UnixSSH-34.71.250.247-PSMConnect",
+ "fileset.name": "audit",
+ "host.name": "VAULT",
+ "input.type": "log",
+ "log.offset": 0,
+ "log.syslog.priority": "5",
+ "network.direction": "internal",
+ "observer.hostname": "VAULT",
+ "observer.product": "Vault",
+ "observer.vendor": "Cyber-Ark",
+ "observer.version": "11.7.0000",
+ "related.ip": [
+ "127.0.0.1",
+ "10.0.1.20"
+ ],
+ "service.type": "cyberarkpas",
+ "source.address": "127.0.0.1",
+ "source.ip": "127.0.0.1",
+ "tags": [
+ "cyberarkpas.audit",
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/126_unlock_file.log b/x-pack/filebeat/module/cyberarkpas/audit/test/126_unlock_file.log
new file mode 100644
index 00000000000..eeacd9685bc
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/126_unlock_file.log
@@ -0,0 +1 @@
+<5>1 2021-03-10T18:33:34Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:33:34","IsoTimestamp":"2021-03-10T18:33:34Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"126","Desc":"Unlock File","Severity":"Info","Issuer":"Administrator","Action":"Unlock File","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"Root\\PVConfiguration.xml","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Unlock File","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/126_unlock_file.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/126_unlock_file.log-expected.json
new file mode 100644
index 00000000000..76a9cffafb9
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/126_unlock_file.log-expected.json
@@ -0,0 +1,43 @@
+[
+ {
+ "@timestamp": "2021-03-10T18:33:34.000Z",
+ "cyberarkpas.audit.action": "Unlock File",
+ "cyberarkpas.audit.desc": "Unlock File",
+ "cyberarkpas.audit.file": "Root\\PVConfiguration.xml",
+ "cyberarkpas.audit.iso_timestamp": "2021-03-10T18:33:34Z",
+ "cyberarkpas.audit.issuer": "Administrator",
+ "cyberarkpas.audit.message": "Unlock File",
+ "cyberarkpas.audit.rfc5424": true,
+ "cyberarkpas.audit.safe": "PVWAConfig",
+ "cyberarkpas.audit.severity": "Info",
+ "cyberarkpas.audit.station": "127.0.0.1",
+ "cyberarkpas.audit.timestamp": "Mar 10 10:33:34",
+ "event.action": "unlock file",
+ "event.code": "126",
+ "event.dataset": "cyberarkpas.audit",
+ "event.kind": "event",
+ "event.module": "cyberarkpas",
+ "event.severity": 2,
+ "event.timezone": "-02:00",
+ "file.path": "Root\\PVConfiguration.xml",
+ "fileset.name": "audit",
+ "host.name": "VAULT",
+ "input.type": "log",
+ "log.offset": 0,
+ "log.syslog.priority": "5",
+ "observer.hostname": "VAULT",
+ "observer.product": "Vault",
+ "observer.vendor": "Cyber-Ark",
+ "observer.version": "11.7.0000",
+ "related.ip": [
+ "127.0.0.1"
+ ],
+ "service.type": "cyberarkpas",
+ "source.address": "127.0.0.1",
+ "source.ip": "127.0.0.1",
+ "tags": [
+ "cyberarkpas.audit",
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/130_cpm_disable_password.log b/x-pack/filebeat/module/cyberarkpas/audit/test/130_cpm_disable_password.log
new file mode 100644
index 00000000000..3f6ae5f7871
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/130_cpm_disable_password.log
@@ -0,0 +1 @@ +<7>1 2021-03-15T12:57:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 05:57:13\n 2021-03-15T12:57:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 130\n CPM Disable Password\n Error\n PasswordManager\n CPM Disable Password\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n MaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=5;username=ELASTIC\\bart;\n CPM Disable Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 05:57:13","IsoTimestamp":"2021-03-15T12:57:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"130","Desc":"CPM Disable Password","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Disable Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"MaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=34.66.114.180;retriescount=5;username=ELASTIC\\bart;","Message":"CPM Disable Password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"CPMDisabled","Value":"(CPM)MaxRetries"},{"Name":"RetriesCount","Value":"5"},{"Name":"LastFailDate","Value":"1615813031"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/130_cpm_disable_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/130_cpm_disable_password.log-expected.json new file mode 100644 index 00000000000..0f598e7e3f3 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/130_cpm_disable_password.log-expected.json 
@@ -0,0 +1,76 @@ +[ + { + "@timestamp": "2021-03-15T12:57:13.000Z", + "cyberarkpas.audit.action": "CPM Disable Password", + "cyberarkpas.audit.ca_properties.address": "34.66.114.180", + "cyberarkpas.audit.ca_properties.cpm_disabled": "(CPM)MaxRetries", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Parameter Reconcile account is mandatory but has an empty value or is not defined", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615813031", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.logon_domain": "34.66.114.180", + "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "5", + "cyberarkpas.audit.ca_properties.user_name": "ELASTIC\\bart", + "cyberarkpas.audit.desc": "CPM Disable Password", + "cyberarkpas.audit.extra_details.address": "34.66.114.180", + "cyberarkpas.audit.extra_details.retriescount": "5", + "cyberarkpas.audit.extra_details.username": "ELASTIC\\bart", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T12:57:13Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Disable Password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 05:57:13\n 2021-03-15T12:57:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 130\n CPM Disable Password\n Error\n PasswordManager\n CPM Disable Password\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n MaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=5;username=ELASTIC\\bart;\n CPM Disable Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "MaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 05:57:13", + "event.action": "cpm disable password", + "event.category": [ + "iam" + ], + "event.code": "130", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "user", + "change" + ], + "file.path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "7", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PasswordManager", + "ELASTIC\\bart" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager", + "user.target.name": "ELASTIC\\bart" + } +] \ No newline at end of file 
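Review bot: `related.ip` holds only the station 10.0.1.20, while the managed account's address 34.66.114.180 appears three times in the same record (`cyberarkpas.audit.ca_properties.address`, `cyberarkpas.audit.ca_properties.logon_domain`, `cyberarkpas.audit.extra_details.address`) and is the host an analyst would pivot to when a CPM reconcile is disabled after repeated failures; appending that value to `related.ip` in the pipeline would make it searchable with the other addresses. `cyberarkpas.audit.reason` also keeps the trailing `\n` from the XML Reason element (`...is not defined\n`) while `event.reason` is clean, so an exact-match query on the two fields behaves differently; trimming it in the pipeline would keep them consistent. Both observations are inferred from this expected output; the pipeline itself is not in the hunk.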
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/178_get_user_s_details.log b/x-pack/filebeat/module/cyberarkpas/audit/test/178_get_user_s_details.log
new file mode 100644
index 00000000000..77869bddde4
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/178_get_user_s_details.log
@@ -0,0 +1 @@
+<7>1 2021-03-11T18:45:23Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 10:45:23\n 2021-03-11T18:45:23Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 178\n Get User's Details\n Error\n Administrator\n Get User's Details\n Master\n \n \n \n 127.0.0.1\n \n \n \n \n \n Get User's Details\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 10:45:23","IsoTimestamp":"2021-03-11T18:45:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"178","Desc":"Get User's Details","Severity":"Error","Issuer":"Administrator","Action":"Get User's Details","SourceUser":"Master","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Get User's Details","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/178_get_user_s_details.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/178_get_user_s_details.log-expected.json
new file mode 100644
index 00000000000..0b5f7793f35
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/178_get_user_s_details.log-expected.json
@@ -0,0 +1,43 @@
+[
+ {
+ "@timestamp": "2021-03-11T18:45:23.000Z",
+ "cyberarkpas.audit.action": "Get User's Details",
+ "cyberarkpas.audit.desc": "Get User's Details",
+ "cyberarkpas.audit.iso_timestamp": "2021-03-11T18:45:23Z",
+ "cyberarkpas.audit.issuer": "Administrator",
+ "cyberarkpas.audit.message": "Get User's Details",
+ "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 10:45:23\n 2021-03-11T18:45:23Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 178\n Get User's Details\n Error\n Administrator\n Get User's Details\n Master\n \n \n \n 127.0.0.1\n \n \n \n \n \n Get User's Details\n \n \n\n",
+ "cyberarkpas.audit.rfc5424": true,
+ "cyberarkpas.audit.severity": "Error",
+ "cyberarkpas.audit.source_user": "Master",
+ "cyberarkpas.audit.station": "127.0.0.1",
+ "cyberarkpas.audit.timestamp": "Mar 11 10:45:23",
+ "event.action": "get user's details",
+ "event.code": "178",
+ "event.dataset": "cyberarkpas.audit",
+ "event.kind": "event",
+ "event.module": "cyberarkpas",
+ "event.severity": 7,
+ "event.timezone": "-02:00",
+ "event.type": "error",
+ "fileset.name": "audit",
+ "host.name": "VAULT",
+ "input.type": "log",
+ "log.offset": 0,
+ "log.syslog.priority": "7",
+ "observer.hostname": "VAULT",
+ "observer.product": "Vault",
+ "observer.vendor": "Cyber-Ark",
+ "observer.version": "11.7.0000",
+ "related.ip": [
+ "127.0.0.1"
+ ],
+ "service.type": "cyberarkpas",
+ "source.address": "127.0.0.1",
+ "source.ip": "127.0.0.1",
+ "tags": [
+ "cyberarkpas.audit",
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/180_add_user.log b/x-pack/filebeat/module/cyberarkpas/audit/test/180_add_user.log
new file mode 100644
index 00000000000..78ec9f57fe6
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/180_add_user.log
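Review bot: `event.type` is emitted as the bare string `"error"` in this record, whereas the other expected outputs in this commit emit it as an array (`["user", "change"]` for code 130, `["user", "creation"]` for code 180); ECS defines event.type as an array field, and a consumer that iterates over it will get a scalar for the Error-severity path only. The pipeline step that handles Error severity presumably uses a `set` where the other branches `append`; producing `"event.type": ["error"]` would keep the output uniform. This record also has no `event.category`, so the error is not attributable to `iam` the way the 130 failure is, which is worth a look while in that branch. The pipeline is outside the hunk, so the cause is inferred from the output alone.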
@@ -0,0 +1,12 @@ +<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPApp_localhost.localdomain","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPGW_localhost.localdomain","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-10T09:11:35Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:35","IsoTimestamp":"2021-03-10T09:11:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMP_ADB_localhost.localdomain","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-10T17:59:19Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
09:59:19","IsoTimestamp":"2021-03-10T17:59:19Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMApp_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-10T17:59:27Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:27","IsoTimestamp":"2021-03-10T17:59:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMGw_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-10T22:19:06Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:06","IsoTimestamp":"2021-03-10T22:19:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMApp_ASR-WIN","TargetUser":"","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-10T22:19:15Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:15","IsoTimestamp":"2021-03-10T22:19:15Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add 
User","SourceUser":"PSMGw_ASR-WIN","TargetUser":"","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-11T16:59:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:36\n 2021-03-11T16:59:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPApp_VAGRANT\n \n \n \n 81.32.170.205\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:36","IsoTimestamp":"2021-03-11T16:59:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPApp_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-11T16:59:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:36\n 2021-03-11T16:59:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPGW_VAGRANT\n \n \n \n 81.32.170.205\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:36","IsoTimestamp":"2021-03-11T16:59:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPGW_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-14T12:57:16Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n 
Info\n Administrator\n Add User\n PSMPGW_SSH\n \n \n \n 34.71.250.247\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:16","IsoTimestamp":"2021-03-14T12:57:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPGW_SSH","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-14T12:57:16Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPApp_SSH\n \n \n \n 34.71.250.247\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:16","IsoTimestamp":"2021-03-14T12:57:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPApp_SSH","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-14T12:57:21Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:21\n 2021-03-14T12:57:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMP_ADB_asr-cyberark-psm-ssh\n \n \n \n 34.71.250.247\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:21","IsoTimestamp":"2021-03-14T12:57:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add 
User","SourceUser":"PSMP_ADB_asr-cyberark-psm-ssh","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/180_add_user.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/180_add_user.log-expected.json new file mode 100644 index 00000000000..28d15b6fb3d --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/180_add_user.log-expected.json 
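Review bot: The `Station` values 81.32.170.205, 35.192.121.42 and 34.71.250.247 in these fixture lines appear to be routable public addresses (the matching expected output geo-resolves the first one to Barcelona), and 130_cpm_disable_password.log carries 34.66.114.180 in its `ExtraDetails` and `CAProperties` the same way. Sample data shipped with the module is published, so addresses that are not yours should be replaced with the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) or private space, in both the `.log` and the paired `-expected.json` so the test stays in sync. If one public address is kept on purpose to exercise the geoip enrichment, a short comment in the module README or test notes saying so would stop the next reviewer from scrubbing it.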
@@ -0,0 +1,715 @@ +[ + { + "@timestamp": "2021-03-10T09:11:20.000Z", + "cyberarkpas.audit.action": "Add User", + "cyberarkpas.audit.desc": "Add User", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:20Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add User", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMPApp_localhost.localdomain", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:20", + "event.action": "add user", + "event.category": [ + "iam" + ], + "event.code": "180", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "PSMPApp_localhost.localdomain" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.target.name": "PSMPApp_localhost.localdomain" + }, + { + "@timestamp": "2021-03-10T09:11:20.000Z", + "cyberarkpas.audit.action": "Add User", + "cyberarkpas.audit.desc": "Add User", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:20Z", + "cyberarkpas.audit.issuer": "Administrator", + 
"cyberarkpas.audit.message": "Add User", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMPGW_localhost.localdomain", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:20", + "event.action": "add user", + "event.category": [ + "iam" + ], + "event.code": "180", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 581, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "PSMPGW_localhost.localdomain" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.target.name": "PSMPGW_localhost.localdomain" + }, + { + "@timestamp": "2021-03-10T09:11:35.000Z", + "cyberarkpas.audit.action": "Add User", + "cyberarkpas.audit.desc": "Add User", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:35Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add User", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMP_ADB_localhost.localdomain", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 
01:11:35", + "event.action": "add user", + "event.category": [ + "iam" + ], + "event.code": "180", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1161, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "PSMP_ADB_localhost.localdomain" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.target.name": "PSMP_ADB_localhost.localdomain" + }, + { + "@timestamp": "2021-03-10T17:59:19.000Z", + "cyberarkpas.audit.action": "Add User", + "cyberarkpas.audit.desc": "Add User", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T17:59:19Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add User", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMApp_VAGRANT", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 09:59:19", + "event.action": "add user", + "event.category": [ + "iam" + ], + "event.code": "180", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + 
"event.type": [ + "user", + "creation" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1743, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "PSMApp_VAGRANT" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.target.name": "PSMApp_VAGRANT" + }, + { + "@timestamp": "2021-03-10T17:59:27.000Z", + "cyberarkpas.audit.action": "Add User", + "cyberarkpas.audit.desc": "Add User", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T17:59:27Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add User", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMGw_VAGRANT", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 09:59:27", + "event.action": "add user", + "event.category": [ + "iam" + ], + "event.code": "180", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2309, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ 
+ "81.32.170.205" + ], + "related.user": [ + "PSMGw_VAGRANT" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.target.name": "PSMGw_VAGRANT" + }, + { + "@timestamp": "2021-03-10T22:19:06.000Z", + "cyberarkpas.audit.action": "Add User", + "cyberarkpas.audit.desc": "Add User", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T22:19:06Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add User", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMApp_ASR-WIN", + "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.timestamp": "Mar 10 14:19:06", + "event.action": "add user", + "event.category": [ + "iam" + ], + "event.code": "180", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2874, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "35.192.121.42" + ], + "related.user": [ + "PSMApp_ASR-WIN" + ], + "service.type": "cyberarkpas", + "source.address": "35.192.121.42", + "source.geo.city_name": "Council Bluffs", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + 
"source.geo.location.lat": 41.2591, + "source.geo.location.lon": -95.8517, + "source.geo.region_iso_code": "US-IA", + "source.geo.region_name": "Iowa", + "source.ip": "35.192.121.42", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.target.name": "PSMApp_ASR-WIN" + }, + { + "@timestamp": "2021-03-10T22:19:15.000Z", + "cyberarkpas.audit.action": "Add User", + "cyberarkpas.audit.desc": "Add User", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T22:19:15Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add User", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMGw_ASR-WIN", + "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.timestamp": "Mar 10 14:19:15", + "event.action": "add user", + "event.category": [ + "iam" + ], + "event.code": "180", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 3440, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "35.192.121.42" + ], + "related.user": [ + "PSMGw_ASR-WIN" + ], + "service.type": "cyberarkpas", + "source.address": "35.192.121.42", + "source.geo.city_name": "Council Bluffs", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 41.2591, + "source.geo.location.lon": -95.8517, + "source.geo.region_iso_code": "US-IA", + "source.geo.region_name": "Iowa", + "source.ip": "35.192.121.42", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.target.name": "PSMGw_ASR-WIN" + }, + { + "@timestamp": 
"2021-03-11T16:59:36.000Z", + "cyberarkpas.audit.action": "Add User", + "cyberarkpas.audit.desc": "Add User", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:59:36Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add User", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:59:36\n 2021-03-11T16:59:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPApp_VAGRANT\n \n \n \n 81.32.170.205\n \n \n \n \n \n Add User\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMPApp_VAGRANT", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 08:59:36", + "event.action": "add user", + "event.category": [ + "iam" + ], + "event.code": "180", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 4005, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "PSMPApp_VAGRANT" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.target.name": "PSMPApp_VAGRANT" + }, + { + "@timestamp": "2021-03-11T16:59:36.000Z", + "cyberarkpas.audit.action": "Add 
User", + "cyberarkpas.audit.desc": "Add User", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:59:36Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add User", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:59:36\n 2021-03-11T16:59:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPGW_VAGRANT\n \n \n \n 81.32.170.205\n \n \n \n \n \n Add User\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMPGW_VAGRANT", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 08:59:36", + "event.action": "add user", + "event.category": [ + "iam" + ], + "event.code": "180", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 5419, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "PSMPGW_VAGRANT" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.target.name": "PSMPGW_VAGRANT" + }, + { + "@timestamp": "2021-03-14T12:57:16.000Z", + "cyberarkpas.audit.action": "Add User", + "cyberarkpas.audit.desc": "Add User", + 
"cyberarkpas.audit.iso_timestamp": "2021-03-14T12:57:16Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add User", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPGW_SSH\n \n \n \n 34.71.250.247\n \n \n \n \n \n Add User\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMPGW_SSH", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 14 05:57:16", + "event.action": "add user", + "event.category": [ + "iam" + ], + "event.code": "180", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 6831, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "34.71.250.247" + ], + "related.user": [ + "PSMPGW_SSH" + ], + "service.type": "cyberarkpas", + "source.address": "34.71.250.247", + "source.geo.city_name": "Council Bluffs", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 41.2591, + "source.geo.location.lon": -95.8517, + "source.geo.region_iso_code": "US-IA", + "source.geo.region_name": "Iowa", + "source.ip": "34.71.250.247", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.target.name": "PSMPGW_SSH" + }, + { + "@timestamp": "2021-03-14T12:57:16.000Z", + "cyberarkpas.audit.action": "Add User", + "cyberarkpas.audit.desc": "Add User", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:57:16Z", + 
"cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add User", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPApp_SSH\n \n \n \n 34.71.250.247\n \n \n \n \n \n Add User\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMPApp_SSH", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 14 05:57:16", + "event.action": "add user", + "event.category": [ + "iam" + ], + "event.code": "180", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 8235, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "34.71.250.247" + ], + "related.user": [ + "PSMPApp_SSH" + ], + "service.type": "cyberarkpas", + "source.address": "34.71.250.247", + "source.geo.city_name": "Council Bluffs", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 41.2591, + "source.geo.location.lon": -95.8517, + "source.geo.region_iso_code": "US-IA", + "source.geo.region_name": "Iowa", + "source.ip": "34.71.250.247", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.target.name": "PSMPApp_SSH" + }, + { + "@timestamp": "2021-03-14T12:57:21.000Z", + "cyberarkpas.audit.action": "Add User", + "cyberarkpas.audit.desc": "Add User", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:57:21Z", + "cyberarkpas.audit.issuer": "Administrator", + 
"cyberarkpas.audit.message": "Add User", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:21\n 2021-03-14T12:57:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMP_ADB_asr-cyberark-psm-ssh\n \n \n \n 34.71.250.247\n \n \n \n \n \n Add User\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMP_ADB_asr-cyberark-psm-ssh", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 14 05:57:21", + "event.action": "add user", + "event.category": [ + "iam" + ], + "event.code": "180", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 9641, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "34.71.250.247" + ], + "related.user": [ + "PSMP_ADB_asr-cyberark-psm-ssh" + ], + "service.type": "cyberarkpas", + "source.address": "34.71.250.247", + "source.geo.city_name": "Council Bluffs", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 41.2591, + "source.geo.location.lon": -95.8517, + "source.geo.region_iso_code": "US-IA", + "source.geo.region_name": "Iowa", + "source.ip": "34.71.250.247", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.target.name": "PSMP_ADB_asr-cyberark-psm-ssh" + } +] \ No newline at end of file 
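Review bot: Every expected event in this 180_add_user fixture carries the acting user only as `cyberarkpas.audit.issuer` ("Administrator"); it never appears under ECS `user.name`, and `related.user` holds only the created account, so an analyst searching "who created users in the vault" cannot pivot on the ECS fields. Unless the pipeline (outside this hunk) leaves the issuer unmapped on purpose, mapping it to `user.name` and appending it to `related.user` would align these events with other IAM sources, after which this expected output needs regenerating. The value `event.timezone: "-02:00"` on each event presumably comes from the test configuration rather than the log; a short comment in the test setup would stop it being read as the module's default.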
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/181_update_safe.log b/x-pack/filebeat/module/cyberarkpas/audit/test/181_update_safe.log
new file mode 100644
index 00000000000..93d8a45a00e
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/181_update_safe.log
@@ -0,0 +1 @@
+<5>1 2021-03-10T18:15:44Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:15:44","IsoTimestamp":"2021-03-10T18:15:44Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"181","Desc":"Update Safe","Severity":"Info","Issuer":"Administrator","Action":"Update Safe","SourceUser":"","TargetUser":"","Safe":"PSM","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Safe","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/181_update_safe.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/181_update_safe.log-expected.json
new file mode 100644
index 00000000000..d32e6ebae7d
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/181_update_safe.log-expected.json
@@ -0,0 +1,49 @@ +[ + { + "@timestamp": "2021-03-10T18:15:44.000Z", + "cyberarkpas.audit.action": "Update Safe", + "cyberarkpas.audit.desc": "Update Safe", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T18:15:44Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Update Safe", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 10:15:44", + "event.action": "update safe", + "event.code": "181", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/185_add_safe.log b/x-pack/filebeat/module/cyberarkpas/audit/test/185_add_safe.log new file mode 100644 index 00000000000..21a17a2c729 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/185_add_safe.log 
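Review bot: The expected event for code 181 has `event.action: "update safe"` and `event.code: "181"` but no `event.category`, `event.type` or `event.outcome`, while the 180 Add User fixture carries `iam`/`user`/`creation`/`success`; the 185 Add Safe and 187 Add Folder fixtures later in this diff show the same gap. Safe and folder changes alter vault configuration, so something like `event.category: ["configuration"]` with `event.type: ["change"]` for 181 and `["creation"]` for 185 and 187 would make these events discoverable by category the way the user events already are. That is a pipeline change outside this hunk, and these expected files would need regenerating afterwards.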
@@ -0,0 +1,2 @@
+<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"185","Desc":"Add Safe","Severity":"Info","Issuer":"Administrator","Action":"Add Safe","SourceUser":"","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Safe","GatewayStation":""}}}
+<5>1 2021-03-11T17:38:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:13\n 2021-03-11T17:38:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 185\n Add Safe\n Info\n PSMPApp_VAGRANT\n Add Safe\n \n \n PSMRecordings\n \n 81.32.170.205\n \n \n \n \n \n Add Safe\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:13","IsoTimestamp":"2021-03-11T17:38:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"185","Desc":"Add Safe","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Add Safe","SourceUser":"","TargetUser":"","Safe":"PSMRecordings","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Safe","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/185_add_safe.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/185_add_safe.log-expected.json
new file mode 100644
index 00000000000..120cff5e1c4
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/185_add_safe.log-expected.json
@@ -0,0 +1,97 @@ +[ + { + "@timestamp": "2021-03-10T09:11:20.000Z", + "cyberarkpas.audit.action": "Add Safe", + "cyberarkpas.audit.desc": "Add Safe", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:20Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Safe", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPConf", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:20", + "event.action": "add safe", + "event.code": "185", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-11T17:38:13.000Z", + "cyberarkpas.audit.action": "Add Safe", + "cyberarkpas.audit.desc": "Add Safe", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:38:13Z", + "cyberarkpas.audit.issuer": "PSMPApp_VAGRANT", + "cyberarkpas.audit.message": "Add Safe", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:13\n 2021-03-11T17:38:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 185\n Add Safe\n Info\n PSMPApp_VAGRANT\n Add Safe\n \n \n PSMRecordings\n \n 81.32.170.205\n \n \n \n 
\n \n Add Safe\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMRecordings", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 09:38:13", + "event.action": "add safe", + "event.code": "185", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 560, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/187_add_folder.log b/x-pack/filebeat/module/cyberarkpas/audit/test/187_add_folder.log new file mode 100644 index 00000000000..3f7fa511cc8 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/187_add_folder.log 
@@ -0,0 +1,2 @@
+<5>1 2021-03-10T09:11:40Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:40","IsoTimestamp":"2021-03-10T09:11:40Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"187","Desc":"Add Folder","Severity":"Info","Issuer":"Administrator","Action":"Add Folder","SourceUser":"","TargetUser":"","Safe":"PSMPADBridgeConf","File":"Root\\Scripts\\","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Folder","GatewayStation":""}}}
+<5>1 2021-03-11T18:01:14Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 10:01:14\n 2021-03-11T18:01:14Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 187\n Add Folder\n Info\n PVWAAppUser\n Add Folder\n \n \n PSMUnmanagedSessionAccounts\n Root\\2\\\n 10.0.1.20\n \n \n \n \n \n Add Folder\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 10:01:14","IsoTimestamp":"2021-03-11T18:01:14Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"187","Desc":"Add Folder","Severity":"Info","Issuer":"PVWAAppUser","Action":"Add Folder","SourceUser":"","TargetUser":"","Safe":"PSMUnmanagedSessionAccounts","File":"Root\\2\\","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Folder","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/187_add_folder.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/187_add_folder.log-expected.json
new file mode 100644
index 00000000000..e8857870f2e
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/187_add_folder.log-expected.json
@@ -0,0 +1,93 @@ +[ + { + "@timestamp": "2021-03-10T09:11:40.000Z", + "cyberarkpas.audit.action": "Add Folder", + "cyberarkpas.audit.desc": "Add Folder", + "cyberarkpas.audit.file": "Root\\Scripts\\", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:40Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Folder", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPADBridgeConf", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:40", + "event.action": "add folder", + "event.code": "187", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Scripts\\", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-11T18:01:14.000Z", + "cyberarkpas.audit.action": "Add Folder", + "cyberarkpas.audit.desc": "Add Folder", + "cyberarkpas.audit.file": "Root\\2\\", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T18:01:14Z", + "cyberarkpas.audit.issuer": "PVWAAppUser", + "cyberarkpas.audit.message": "Add Folder", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 10:01:14\n 2021-03-11T18:01:14Z\n 
VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 187\n Add Folder\n Info\n PVWAAppUser\n Add Folder\n \n \n PSMUnmanagedSessionAccounts\n Root\\2\\\n 10.0.1.20\n \n \n \n \n \n Add Folder\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMUnmanagedSessionAccounts", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 11 10:01:14", + "event.action": "add folder", + "event.code": "187", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\2\\", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 589, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/19_full_gateway_connection.log b/x-pack/filebeat/module/cyberarkpas/audit/test/19_full_gateway_connection.log new file mode 100644 index 00000000000..88926eb1571 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/19_full_gateway_connection.log 
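Review bot: Both Add Folder events in this expected output carry `event.kind: event` but no `event.category` or `event.type`, unlike the Full Gateway Connection events later in this chunk that get `network`/`start`; creating a folder inside a Safe is a change to the vault's structure, and detection rules keyed on ECS categorization (for example `event.category: file` with `event.type: creation`, or `configuration`/`change`) will not see it. Assuming the ingest pipeline (outside this chunk) derives categorization from `MessageID`, adding an entry for code 187 would make this fixture expect something like `"event.category": ["file"], "event.type": ["creation"]`. Separately, `log.syslog.priority` is emitted as the string `"5"` while ECS defines that field as a `long`, so an integer `convert` step is worth adding before this fixture is regenerated.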
@@ -0,0 +1,9 @@ +<5>1 2021-03-08T18:07:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:07:51","IsoTimestamp":"2021-03-08T18:07:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-09T08:32:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 00:32:51","IsoTimestamp":"2021-03-09T08:32:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-09T10:14:58Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 02:14:58","IsoTimestamp":"2021-03-09T10:14:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"37.223.7.45","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-10T08:31:50Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
00:31:50","IsoTimestamp":"2021-03-10T08:31:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"PasswordManager","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-10T22:37:00Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:37:00","IsoTimestamp":"2021-03-10T22:37:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"10.0.1.10","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-11T17:38:05Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:05\n 2021-03-11T17:38:05Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PSMPGW_VAGRANT\n \n \n \n 127.0.0.1\n \n \n \n \n \n Full Gateway Connection\n 81.32.170.205\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:05","IsoTimestamp":"2021-03-11T17:38:05Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PSMPGW_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"81.32.170.205"}}} 
+<5>1 2021-03-11T17:48:22Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:22\n 2021-03-11T17:48:22Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PSMPGW_VAGRANT\n \n \n \n 10.0.2.2\n \n \n \n \n \n Full Gateway Connection\n 81.32.170.205\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:22","IsoTimestamp":"2021-03-11T17:48:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PSMPGW_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"81.32.170.205"}}} +<5>1 2021-03-11T18:02:57Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 10:02:57\n 2021-03-11T18:02:57Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PVWAGWUser\n \n \n \n 35.192.121.42\n \n \n \n \n \n Full Gateway Connection\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 10:02:57","IsoTimestamp":"2021-03-11T18:02:57Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-14T13:49:35Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:35\n 2021-03-14T13:49:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n 
Info\n Administrator\n Full Gateway Connection\n PSMPGW_SSH\n \n \n \n 81.32.170.205\n \n \n \n \n \n Full Gateway Connection\n 34.71.250.247\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:35","IsoTimestamp":"2021-03-14T13:49:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PSMPGW_SSH","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"34.71.250.247"}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/19_full_gateway_connection.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/19_full_gateway_connection.log-expected.json new file mode 100644 index 00000000000..f8bc6e3e850 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/19_full_gateway_connection.log-expected.json 
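Review bot: The Station and GatewayStation values in these fixture lines are real, routable addresses (`81.32.170.205`, `37.223.7.45`, `35.192.121.42`, `34.71.250.247`), which the expected output geolocates to Barcelona and to an Iowa cloud region; committing what look like a developer's residential and cloud-instance IPs to a public test corpus may expose infrastructure that has nothing to do with the module. Unless the geo-enrichment assertions specifically need a geolocatable address, rewriting them to the RFC 5737 documentation ranges (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`) keeps the public-vs-private `network.direction` logic testable without publishing live endpoints. If a geolocatable sample is required for the `source.geo.*`/`destination.geo.*` checks, a single clearly attributed project-owned address is preferable to several personal ones. The same addresses recur in the other fixture files in this chunk.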
@@ -0,0 +1,583 @@ +[ + { + "@timestamp": "2021-03-08T18:07:51.000Z", + "cyberarkpas.audit.action": "Full Gateway Connection", + "cyberarkpas.audit.desc": "Full Gateway Connection", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-08T18:07:51Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Full Gateway Connection", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PVWAGWUser", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 08 10:07:51", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "destination.user.name": "Administrator", + "event.action": "full gateway connection", + "event.category": [ + "network" + ], + "event.code": "19", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "related.user": [ + "PVWAGWUser", + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "PVWAGWUser", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PVWAGWUser" + }, + { + "@timestamp": "2021-03-09T08:32:51.000Z", + "cyberarkpas.audit.action": "Full Gateway Connection", + "cyberarkpas.audit.desc": "Full Gateway Connection", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-09T08:32:51Z", + "cyberarkpas.audit.issuer": "Administrator", + 
"cyberarkpas.audit.message": "Full Gateway Connection", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PVWAGWUser", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 09 00:32:51", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "destination.user.name": "Administrator", + "event.action": "full gateway connection", + "event.category": [ + "network" + ], + "event.code": "19", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 611, + "log.syslog.priority": "5", + "network.direction": "inbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "10.0.1.20" + ], + "related.user": [ + "PVWAGWUser", + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "PVWAGWUser", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PVWAGWUser" + }, + { + "@timestamp": "2021-03-09T10:14:58.000Z", + "cyberarkpas.audit.action": "Full Gateway Connection", + "cyberarkpas.audit.desc": "Full Gateway Connection", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-09T10:14:58Z", + "cyberarkpas.audit.issuer": "Administrator", + 
"cyberarkpas.audit.message": "Full Gateway Connection", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PVWAGWUser", + "cyberarkpas.audit.station": "37.223.7.45", + "cyberarkpas.audit.timestamp": "Mar 09 02:14:58", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "destination.user.name": "Administrator", + "event.action": "full gateway connection", + "event.category": [ + "network" + ], + "event.code": "19", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1226, + "log.syslog.priority": "5", + "network.direction": "inbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "37.223.7.45", + "10.0.1.20" + ], + "related.user": [ + "PVWAGWUser", + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "37.223.7.45", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "37.223.7.45", + "source.user.name": "PVWAGWUser", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PVWAGWUser" + }, + { + "@timestamp": "2021-03-10T08:31:50.000Z", + "cyberarkpas.audit.action": "Full Gateway Connection", + "cyberarkpas.audit.desc": "Full Gateway Connection", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T08:31:50Z", + "cyberarkpas.audit.issuer": "PasswordManager", + 
"cyberarkpas.audit.message": "Full Gateway Connection", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PVWAGWUser", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 10 00:31:50", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "destination.user.name": "PasswordManager", + "event.action": "full gateway connection", + "event.category": [ + "network" + ], + "event.code": "19", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1839, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PVWAGWUser", + "PasswordManager" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PVWAGWUser", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PVWAGWUser" + }, + { + "@timestamp": "2021-03-10T22:37:00.000Z", + "cyberarkpas.audit.action": "Full Gateway Connection", + "cyberarkpas.audit.desc": "Full Gateway Connection", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T22:37:00Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Full Gateway Connection", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PVWAGWUser", + "cyberarkpas.audit.station": "10.0.1.10", + "cyberarkpas.audit.timestamp": "Mar 10 14:37:00", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + 
"destination.user.name": "Administrator", + "event.action": "full gateway connection", + "event.category": [ + "network" + ], + "event.code": "19", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2452, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.10", + "10.0.1.20" + ], + "related.user": [ + "PVWAGWUser", + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.10", + "source.ip": "10.0.1.10", + "source.user.name": "PVWAGWUser", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PVWAGWUser" + }, + { + "@timestamp": "2021-03-11T17:38:05.000Z", + "cyberarkpas.audit.action": "Full Gateway Connection", + "cyberarkpas.audit.desc": "Full Gateway Connection", + "cyberarkpas.audit.gateway_station": "81.32.170.205", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:38:05Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Full Gateway Connection", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:05\n 2021-03-11T17:38:05Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PSMPGW_VAGRANT\n \n \n \n 127.0.0.1\n \n \n \n \n \n Full Gateway Connection\n 81.32.170.205\n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMPGW_VAGRANT", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 11 09:38:05", + "destination.address": "81.32.170.205", + "destination.geo.city_name": "Barcelona", + 
"destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "ES", + "destination.geo.country_name": "Spain", + "destination.geo.location.lat": 41.387, + "destination.geo.location.lon": 2.1701, + "destination.geo.region_iso_code": "ES-B", + "destination.geo.region_name": "Barcelona", + "destination.ip": "81.32.170.205", + "destination.user.name": "Administrator", + "event.action": "full gateway connection", + "event.category": [ + "network" + ], + "event.code": "19", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 3063, + "log.syslog.priority": "5", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "81.32.170.205" + ], + "related.user": [ + "PSMPGW_VAGRANT", + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "PSMPGW_VAGRANT", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PSMPGW_VAGRANT" + }, + { + "@timestamp": "2021-03-11T17:48:22.000Z", + "cyberarkpas.audit.action": "Full Gateway Connection", + "cyberarkpas.audit.desc": "Full Gateway Connection", + "cyberarkpas.audit.gateway_station": "81.32.170.205", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:48:22Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Full Gateway Connection", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:48:22\n 2021-03-11T17:48:22Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PSMPGW_VAGRANT\n \n \n \n 10.0.2.2\n \n \n \n \n \n Full Gateway 
Connection\n 81.32.170.205\n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMPGW_VAGRANT", + "cyberarkpas.audit.station": "10.0.2.2", + "cyberarkpas.audit.timestamp": "Mar 11 09:48:22", + "destination.address": "81.32.170.205", + "destination.geo.city_name": "Barcelona", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "ES", + "destination.geo.country_name": "Spain", + "destination.geo.location.lat": 41.387, + "destination.geo.location.lon": 2.1701, + "destination.geo.region_iso_code": "ES-B", + "destination.geo.region_name": "Barcelona", + "destination.ip": "81.32.170.205", + "destination.user.name": "Administrator", + "event.action": "full gateway connection", + "event.category": [ + "network" + ], + "event.code": "19", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 4581, + "log.syslog.priority": "5", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.2.2", + "81.32.170.205" + ], + "related.user": [ + "PSMPGW_VAGRANT", + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.2.2", + "source.ip": "10.0.2.2", + "source.user.name": "PSMPGW_VAGRANT", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PSMPGW_VAGRANT" + }, + { + "@timestamp": "2021-03-11T18:02:57.000Z", + "cyberarkpas.audit.action": "Full Gateway Connection", + "cyberarkpas.audit.desc": "Full Gateway Connection", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T18:02:57Z", + "cyberarkpas.audit.issuer": 
"Administrator", + "cyberarkpas.audit.message": "Full Gateway Connection", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 10:02:57\n 2021-03-11T18:02:57Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PVWAGWUser\n \n \n \n 35.192.121.42\n \n \n \n \n \n Full Gateway Connection\n 10.0.1.20\n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PVWAGWUser", + "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.timestamp": "Mar 11 10:02:57", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "destination.user.name": "Administrator", + "event.action": "full gateway connection", + "event.category": [ + "network" + ], + "event.code": "19", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 6097, + "log.syslog.priority": "5", + "network.direction": "inbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "35.192.121.42", + "10.0.1.20" + ], + "related.user": [ + "PVWAGWUser", + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "35.192.121.42", + "source.geo.city_name": "Council Bluffs", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 41.2591, + "source.geo.location.lon": -95.8517, + "source.geo.region_iso_code": "US-IA", + "source.geo.region_name": "Iowa", + "source.ip": "35.192.121.42", + "source.user.name": "PVWAGWUser", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PVWAGWUser" + }, 
+ { + "@timestamp": "2021-03-14T13:49:35.000Z", + "cyberarkpas.audit.action": "Full Gateway Connection", + "cyberarkpas.audit.desc": "Full Gateway Connection", + "cyberarkpas.audit.gateway_station": "34.71.250.247", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T13:49:35Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Full Gateway Connection", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:49:35\n 2021-03-14T13:49:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PSMPGW_SSH\n \n \n \n 81.32.170.205\n \n \n \n \n \n Full Gateway Connection\n 34.71.250.247\n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMPGW_SSH", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 14 06:49:35", + "destination.address": "34.71.250.247", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.71.250.247", + "destination.user.name": "Administrator", + "event.action": "full gateway connection", + "event.category": [ + "network" + ], + "event.code": "19", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 7607, + "log.syslog.priority": "5", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + 
"observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.71.250.247" + ], + "related.user": [ + "PSMPGW_SSH", + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "PSMPGW_SSH", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PSMPGW_SSH" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/202_old_backup_files_deletion_start.log b/x-pack/filebeat/module/cyberarkpas/audit/test/202_old_backup_files_deletion_start.log new file mode 100644 index 00000000000..46036841299 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/202_old_backup_files_deletion_start.log @@ -0,0 +1 @@ +<5>1 2021-03-09T10:17:54Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 02:17:54","IsoTimestamp":"2021-03-09T10:17:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"202","Desc":"Old Backup Files Deletion Start","Severity":"Info","Issuer":"Batch","Action":"Old Backup Files Deletion Start","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Old Backup Files Deletion Start","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/202_old_backup_files_deletion_start.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/202_old_backup_files_deletion_start.log-expected.json new file mode 100644 index 00000000000..8e24b5e0d54 --- /dev/null 
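Review bot: In every one of the nine Full Gateway Connection events here `destination.user.name` is filled from `Issuer` (`Administrator`, `PasswordManager`) while `source.user.name`/`user.name` come from `SourceUser` (`PVWAGWUser`, `PSMPGW_*`); if Issuer denotes the Vault user that recorded the audit rather than an account on the gateway side, as its name suggests, this presents the audit author as the party connected to, and queries pivoting on `destination.user.name` will attribute every gateway connection to Administrator. The pipeline producing these values is outside this chunk, so this is worth confirming against CyberArk's field semantics before the mapping is relied on; keeping Issuer only in `cyberarkpas.audit.issuer` and `related.user`, without promoting it to `destination.user.name`, would be the conservative option. `event.outcome: success` is also set unconditionally on all nine events, which is correct only if code 19 is emitted solely for established connections — a one-line comment in the pipeline stating that assumption would help the next reviewer.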
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/202_old_backup_files_deletion_start.log-expected.json @@ -0,0 +1,40 @@ +[ + { + "@timestamp": "2021-03-09T10:17:54.000Z", + "cyberarkpas.audit.action": "Old Backup Files Deletion Start", + "cyberarkpas.audit.desc": "Old Backup Files Deletion Start", + "cyberarkpas.audit.iso_timestamp": "2021-03-09T10:17:54Z", + "cyberarkpas.audit.issuer": "Batch", + "cyberarkpas.audit.message": "Old Backup Files Deletion Start", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "0.0.0.0", + "cyberarkpas.audit.timestamp": "Mar 09 02:17:54", + "event.action": "old backup files deletion start", + "event.code": "202", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "0.0.0.0" + ], + "service.type": "cyberarkpas", + "source.address": "0.0.0.0", + "source.ip": "0.0.0.0", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/203_old_backup_files_deletion_end.log b/x-pack/filebeat/module/cyberarkpas/audit/test/203_old_backup_files_deletion_end.log new file mode 100644 index 00000000000..015edc3e25e --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/203_old_backup_files_deletion_end.log 
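Review bot: The batch job's placeholder `Station: 0.0.0.0` is promoted here to `source.ip`, `source.address` and `related.ip`; `0.0.0.0` is not a host, and carrying it into `related.ip` means any rule or enrichment that pivots on that array will correlate these housekeeping events with each other and with anything else that ever logs the unspecified address. Dropping the `source.*` copy and the `related.ip` entry when `Station` is `0.0.0.0` (a conditional `remove`, or skipping the `set` for the unspecified value) keeps `cyberarkpas.audit.station` as the raw record while leaving the ECS network fields empty, which is what a batch-originated event actually represents. The pipeline that populates these fields is outside this chunk; the same applies to the 203 end event that follows.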
@@ -0,0 +1 @@
+<5>1 2021-03-09T10:17:54Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 02:17:54","IsoTimestamp":"2021-03-09T10:17:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"203","Desc":"Old Backup Files Deletion End","Severity":"Info","Issuer":"Batch","Action":"Old Backup Files Deletion End","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Old Backup Files Deletion End","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/203_old_backup_files_deletion_end.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/203_old_backup_files_deletion_end.log-expected.json
new file mode 100644
index 00000000000..0c1dbfbdb61
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/203_old_backup_files_deletion_end.log-expected.json
@@ -0,0 +1,40 @@ +[ + { + "@timestamp": "2021-03-09T10:17:54.000Z", + "cyberarkpas.audit.action": "Old Backup Files Deletion End", + "cyberarkpas.audit.desc": "Old Backup Files Deletion End", + "cyberarkpas.audit.iso_timestamp": "2021-03-09T10:17:54Z", + "cyberarkpas.audit.issuer": "Batch", + "cyberarkpas.audit.message": "Old Backup Files Deletion End", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "0.0.0.0", + "cyberarkpas.audit.timestamp": "Mar 09 02:17:54", + "event.action": "old backup files deletion end", + "event.code": "203", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "0.0.0.0" + ], + "service.type": "cyberarkpas", + "source.address": "0.0.0.0", + "source.ip": "0.0.0.0", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/20_partial_gateway_connection.log b/x-pack/filebeat/module/cyberarkpas/audit/test/20_partial_gateway_connection.log new file mode 100644 index 00000000000..4c7b137fe67 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/20_partial_gateway_connection.log 
@@ -0,0 +1 @@ +<5>1 2021-03-25T09:20:07Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 05:20:07\n 2021-03-25T09:20:07Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 20\n Partial Gateway Connection\n Info\n PSMGw_COMP01\n Partial Gateway Connection\n Administrator\n \n \n \n 10.0.0.15\n \n \n \n \n \n Partial Gateway Connection\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 05:20:07","IsoTimestamp":"2021-03-25T09:20:07Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"20","Desc":"Partial Gateway Connection","Severity":"Info","Issuer":"PSMGw_COMP01","Action":"Partial Gateway Connection","SourceUser":"Administrator","TargetUser":"","Safe":"","File":"","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Partial Gateway Connection","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/20_partial_gateway_connection.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/20_partial_gateway_connection.log-expected.json new file mode 100644 index 00000000000..3c54667a525 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/20_partial_gateway_connection.log-expected.json 
@@ -0,0 +1,42 @@ +[ + { + "@timestamp": "2021-03-25T09:20:07.000Z", + "cyberarkpas.audit.action": "Partial Gateway Connection", + "cyberarkpas.audit.desc": "Partial Gateway Connection", + "cyberarkpas.audit.iso_timestamp": "2021-03-25T09:20:07Z", + "cyberarkpas.audit.issuer": "PSMGw_COMP01", + "cyberarkpas.audit.message": "Partial Gateway Connection", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 05:20:07\n 2021-03-25T09:20:07Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 20\n Partial Gateway Connection\n Info\n PSMGw_COMP01\n Partial Gateway Connection\n Administrator\n \n \n \n 10.0.0.15\n \n \n \n \n \n Partial Gateway Connection\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "Administrator", + "cyberarkpas.audit.station": "10.0.0.15", + "cyberarkpas.audit.timestamp": "Mar 25 05:20:07", + "event.action": "partial gateway connection", + "event.code": "20", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VLT01", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VLT01", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "12.0.0000", + "related.ip": [ + "10.0.0.15" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.0.15", + "source.ip": "10.0.0.15", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/22_cpm_verify_password.log b/x-pack/filebeat/module/cyberarkpas/audit/test/22_cpm_verify_password.log new file mode 100644 index 00000000000..f3949f536de --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/22_cpm_verify_password.log 
@@ -0,0 +1,2 @@ +Apr 07 09:51:42 VAULT {"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 22\n CPM Verify Password\n Info\n PasswordManager\n CPM Verify Password\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12\n 10.2.0.4\n \n \n \n ImmediateTask\n address=radiussrv.cyberark.local;username=test12;\n CPM Verify Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"22","Desc":"CPM Verify Password","Severity":"Info","Issuer":"PasswordManager","Action":"CPM Verify Password","SourceUser":"","TargetUser":"","IsoTimestamp":"2021-03-16T15:01:00Z","Safe":"Linux","File":"Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12","Station":"10.2.0.4","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask","ExtraDetails":"address=radiussrv.cyberark.local;username=test12;","Message":"CPM Verify Password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"LINUX-SSH"},{"Name":"UserName","Value":"test12"},{"Name":"Address","Value":"radiussrv.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastSuccessVerification","Value":"1604943844"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"success"},{"Name":"CreationMethod","Value":"PVWA"}]}}}} +<5>1 2021-03-15T10:22:44Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:22:44\n 2021-03-15T10:22:44Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 22\n CPM Verify Password\n Info\n PasswordManager\n CPM Verify Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask\n address=34.123.103.115;username=testark;\n CPM Verify Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 
03:22:44","IsoTimestamp":"2021-03-15T10:22:44Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"22","Desc":"CPM Verify Password","Severity":"Info","Issuer":"PasswordManager","Action":"CPM Verify Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask","ExtraDetails":"address=34.123.103.115;username=testark;","Message":"CPM Verify Password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/22_cpm_verify_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/22_cpm_verify_password.log-expected.json new file mode 100644 index 00000000000..1f63733c63f --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/22_cpm_verify_password.log-expected.json 
@@ -0,0 +1,152 @@ +[ + { + "@timestamp": "2021-03-16T15:01:00.000Z", + "cyberarkpas.audit.action": "CPM Verify Password", + "cyberarkpas.audit.ca_properties.address": "radiussrv.cyberark.local", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_success_verification": "1604943844", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "LINUX-SSH", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.user_name": "test12", + "cyberarkpas.audit.desc": "CPM Verify Password", + "cyberarkpas.audit.extra_details.address": "radiussrv.cyberark.local", + "cyberarkpas.audit.extra_details.username": "test12", + "cyberarkpas.audit.file": "Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12", + "cyberarkpas.audit.iso_timestamp": "2021-03-16T15:01:00Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Verify Password", + "cyberarkpas.audit.raw": "\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 22\n CPM Verify Password\n Info\n PasswordManager\n CPM Verify Password\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12\n 10.2.0.4\n \n \n \n ImmediateTask\n address=radiussrv.cyberark.local;username=test12;\n CPM Verify Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n", + "cyberarkpas.audit.reason": "ImmediateTask", + "cyberarkpas.audit.rfc5424": false, + "cyberarkpas.audit.safe": "Linux", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.2.0.4", + "destination.address": "radiussrv.cyberark.local", + "destination.domain": "radiussrv.cyberark.local", + "destination.user.name": "test12", + "event.action": "cpm verify password", + "event.category": [ + "iam" + ], + "event.code": "22", + "event.dataset": "cyberarkpas.audit", + 
"event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "info" + ], + "file.path": "Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.6.0000", + "related.ip": [ + "10.2.0.4" + ], + "related.user": [ + "PasswordManager", + "test12" + ], + "service.type": "cyberarkpas", + "source.address": "10.2.0.4", + "source.ip": "10.2.0.4", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-15T10:22:44.000Z", + "cyberarkpas.audit.action": "CPM Verify Password", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "CPM Verify Password", + "cyberarkpas.audit.extra_details.address": "34.123.103.115", + "cyberarkpas.audit.extra_details.username": "testark", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T10:22:44Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Verify Password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:22:44\n 2021-03-15T10:22:44Z\n VAULT\n Cyber-Ark\n 
Vault\n 11.7.0000\n 22\n CPM Verify Password\n Info\n PasswordManager\n CPM Verify Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask\n address=34.123.103.115;username=testark;\n CPM Verify Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 03:22:44", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "cpm verify password", + "event.category": [ + "iam" + ], + "event.code": "22", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "info" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2648, + "log.syslog.priority": "5", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "34.123.103.115" + ], + "related.user": [ + "PasswordManager", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PasswordManager", + 
"tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/23_action_on_closed_safe.log b/x-pack/filebeat/module/cyberarkpas/audit/test/23_action_on_closed_safe.log new file mode 100644 index 00000000000..51629665b2b --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/23_action_on_closed_safe.log 
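Review bot: The managed account whose password was verified (`test12`, `testark`) lands only in `destination.user.name` here, while the sibling Change Password golden (message 24, at the end of this chunk) puts the same account in `user.target.name` and omits `destination.user.name`, so a detection on privileged-account activity has to query two different fields for the two halves of one CPM workflow. If the pipeline (outside this chunk) keys the mapping per `MessageID`, consider populating both `user.target.name` and `destination.user.name` for 22 and 24 alike so `related.user` pivots stay consistent. `ca_properties.last_success_verification` is kept as the string epoch `"1604943844"` under a `flattened` field and therefore cannot be range-queried as a date; if it is meant to drive queries such as "accounts not verified in N days", it needs a `date` conversion into a dedicated field. Finally, `network.direction: outbound` appears only on the second record, where the target is an IP, and not on the first, where it is a hostname, although both are CPM-initiated connections.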
@@ -0,0 +1,3 @@ +<7>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"23","Desc":"Action On Closed Safe","Severity":"Error","Issuer":"Administrator","Action":"Action On Closed Safe","SourceUser":"","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Action On Closed Safe","GatewayStation":""}}} +<7>1 2021-03-14T12:07:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:07:27\n 2021-03-14T12:07:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 23\n Action On Closed Safe\n Error\n PasswordManager\n Action On Closed Safe\n \n \n AccountsFeedADAccounts\n \n 10.0.1.20\n \n \n \n \n \n Action On Closed Safe\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:07:27","IsoTimestamp":"2021-03-14T12:07:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"23","Desc":"Action On Closed Safe","Severity":"Error","Issuer":"PasswordManager","Action":"Action On Closed Safe","SourceUser":"","TargetUser":"","Safe":"AccountsFeedADAccounts","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Action On Closed Safe","GatewayStation":""}}} +<7>1 2021-03-14T12:57:16Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 23\n Action On Closed Safe\n Error\n Administrator\n Action On Closed Safe\n \n \n PSMPConf\n \n 34.71.250.247\n \n \n \n \n \n Action On Closed Safe\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 
05:57:16","IsoTimestamp":"2021-03-14T12:57:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"23","Desc":"Action On Closed Safe","Severity":"Error","Issuer":"Administrator","Action":"Action On Closed Safe","SourceUser":"","TargetUser":"","Safe":"PSMPConf","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Action On Closed Safe","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/23_action_on_closed_safe.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/23_action_on_closed_safe.log-expected.json new file mode 100644 index 00000000000..db7c77b19f9 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/23_action_on_closed_safe.log-expected.json 
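Review bot: This sample carries two routable public addresses, `81.32.170.205` (geo-resolved to Barcelona in the expected output) and `34.71.250.247`, which look like a contributor's or lab's real endpoints rather than synthetic data, and committing them publishes that information permanently; the 22 fixture (`34.123.103.115`) has the same issue. Scrub them before merge, remembering that the embedded `raw` XML copy repeats each `Station` value and must be edited too. If geo enrichment has to stay exercised, RFC 5737 documentation ranges (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`) will not resolve, so reuse a non-attributable public address already used by other Filebeat module fixtures, then regenerate the `-expected.json` files since the `source.geo.*` assertions will change.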
@@ -0,0 +1,140 @@ +[ + { + "@timestamp": "2021-03-10T09:11:20.000Z", + "cyberarkpas.audit.action": "Action On Closed Safe", + "cyberarkpas.audit.desc": "Action On Closed Safe", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:20Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Action On Closed Safe", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPConf", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:20", + "event.action": "action on closed safe", + "event.code": "23", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": "error", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "7", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-14T12:07:27.000Z", + "cyberarkpas.audit.action": "Action On Closed Safe", + "cyberarkpas.audit.desc": "Action On Closed Safe", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:07:27Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Action On Closed Safe", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:07:27\n 2021-03-14T12:07:27Z\n VAULT\n Cyber-Ark\n 
Vault\n 11.7.0000\n 23\n Action On Closed Safe\n Error\n PasswordManager\n Action On Closed Safe\n \n \n AccountsFeedADAccounts\n \n 10.0.1.20\n \n \n \n \n \n Action On Closed Safe\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "AccountsFeedADAccounts", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 14 05:07:27", + "event.action": "action on closed safe", + "event.code": "23", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": "error", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 599, + "log.syslog.priority": "7", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-14T12:57:16.000Z", + "cyberarkpas.audit.action": "Action On Closed Safe", + "cyberarkpas.audit.desc": "Action On Closed Safe", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:57:16Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Action On Closed Safe", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 23\n Action On Closed Safe\n Error\n Administrator\n Action On Closed Safe\n \n \n PSMPConf\n \n 34.71.250.247\n \n \n \n \n \n Action On Closed Safe\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPConf", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 14 05:57:16", + "event.action": "action on closed safe", + "event.code": "23", + 
"event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": "error", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2101, + "log.syslog.priority": "7", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "34.71.250.247" + ], + "service.type": "cyberarkpas", + "source.address": "34.71.250.247", + "source.geo.city_name": "Council Bluffs", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 41.2591, + "source.geo.location.lon": -95.8517, + "source.geo.region_iso_code": "US-IA", + "source.geo.region_name": "Iowa", + "source.ip": "34.71.250.247", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/24_cpm_change_password.log b/x-pack/filebeat/module/cyberarkpas/audit/test/24_cpm_change_password.log new file mode 100644 index 00000000000..f50102d48f7 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/24_cpm_change_password.log 
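Review bot: `event.type` is emitted as the scalar string `"error"` for all three records here, whereas the 22 golden emits it as an array (`["admin", "info"]`); ECS declares `event.type` as an array field, and mixing scalar and array forms within one dataset breaks consumers that iterate the value. The pipeline is outside this chunk, but using `append` (or a one-element array) in the error branch would make the shape uniform. Separately, records 2 and 3 retain the full XML copy in `cyberarkpas.audit.raw` even though every field in it is already parsed into `cyberarkpas.audit.*`, roughly doubling the stored size of each event; unless `fields.yml` marks it `index: false` and `doc_values: false`, consider dropping it by default and keeping it only behind a `preserve_original_event`-style option.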
@@ -0,0 +1,4 @@ +{"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 24\n CPM Change Password\n Info\n PasswordManager\n CPM Change Password\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12\n 10.2.0.4\n \n \n \n ImmediateTask\n address=radiussrv.cyberark.local;username=test12;\n CPM Change Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"24","Desc":"CPM Change Password","Severity":"Info","IsoTimestamp":"2021-03-16T15:01:00Z","Issuer":"PasswordManager","Action":"CPM Change Password","SourceUser":"","TargetUser":"","Safe":"Linux","File":"Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12","Station":"10.2.0.4","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask","ExtraDetails":"address=radiussrv.cyberark.local;username=test12;","Message":"CPM Change Password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"LINUX-SSH"},{"Name":"UserName","Value":"test12"},{"Name":"Address","Value":"radiussrv.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastSuccessVerification","Value":"1604943844"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"CPMStatus","Value":"success"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"LastSuccessChange","Value":"1604944158"}]}}}} +<5>1 2021-03-08T19:20:05Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 11:20:05","IsoTimestamp":"2021-03-08T19:20:05Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"24","Desc":"CPM Change Password","Severity":"Info","Issuer":"PasswordManager","Action":"CPM Change Password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating 
System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask","ExtraDetails":"address=components;username=x_accountA;","Message":"CPM Change Password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountA"},{"Name":"Address","Value":"components"},{"Name":"SequenceID","Value":"27"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1615231204"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"1"},{"Name":"DualAccountStatus","Value":"Inactive"},{"Name":"VirtualUsername","Value":"virtual"}]}}}} +<5>1 2021-03-10T23:39:28Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 15:39:28","IsoTimestamp":"2021-03-10T23:39:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"24","Desc":"CPM Change Password","Severity":"Info","Issuer":"PasswordManager","Action":"CPM Change Password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask","ExtraDetails":"address=components;username=x_accountB;","Message":"CPM Change 
Password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountB"},{"Name":"Address","Value":"components"},{"Name":"SequenceID","Value":"25"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1615419568"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"2"},{"Name":"DualAccountStatus","Value":"Inactive"},{"Name":"VirtualUsername","Value":"virtual"}]}}}} +<5>1 2021-03-15T10:12:24Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:12:24\n 2021-03-15T10:12:24Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 24\n CPM Change Password\n Info\n PasswordManager\n CPM Change Password\n \n \n Test\n Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\n 10.0.1.20\n \n \n \n ImmediateTask\n address=components;username=x_accountA;\n CPM Change Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:12:24","IsoTimestamp":"2021-03-15T10:12:24Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"24","Desc":"CPM Change Password","Severity":"Info","Issuer":"PasswordManager","Action":"CPM Change Password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask","ExtraDetails":"address=components;username=x_accountA;","Message":"CPM Change 
Password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountA"},{"Name":"Address","Value":"components"},{"Name":"SequenceID","Value":"28"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1615803143"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"1"},{"Name":"DualAccountStatus","Value":"Inactive"},{"Name":"VirtualUsername","Value":"virtual"}]}}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/24_cpm_change_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/24_cpm_change_password.log-expected.json new file mode 100644 index 00000000000..3cf879a9996 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/24_cpm_change_password.log-expected.json 
@@ -0,0 +1,292 @@ +[ + { + "@timestamp": "2021-03-16T15:01:00.000Z", + "cyberarkpas.audit.action": "CPM Change Password", + "cyberarkpas.audit.ca_properties.address": "radiussrv.cyberark.local", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_success_change": "1604944158", + "cyberarkpas.audit.ca_properties.last_success_verification": "1604943844", + "cyberarkpas.audit.ca_properties.last_task": "ChangeTask", + "cyberarkpas.audit.ca_properties.policy_id": "LINUX-SSH", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.user_name": "test12", + "cyberarkpas.audit.desc": "CPM Change Password", + "cyberarkpas.audit.extra_details.address": "radiussrv.cyberark.local", + "cyberarkpas.audit.extra_details.username": "test12", + "cyberarkpas.audit.file": "Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12", + "cyberarkpas.audit.iso_timestamp": "2021-03-16T15:01:00Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Change Password", + "cyberarkpas.audit.raw": "\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 24\n CPM Change Password\n Info\n PasswordManager\n CPM Change Password\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12\n 10.2.0.4\n \n \n \n ImmediateTask\n address=radiussrv.cyberark.local;username=test12;\n CPM Change Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n", + "cyberarkpas.audit.reason": "ImmediateTask", + "cyberarkpas.audit.rfc5424": false, + "cyberarkpas.audit.safe": "Linux", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.2.0.4", + "destination.address": "radiussrv.cyberark.local", + "destination.domain": "radiussrv.cyberark.local", + "event.action": "cpm change password", + "event.category": [ + "iam" + ], + "event.code": "24", + 
"event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "user", + "change" + ], + "file.path": "Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12", + "fileset.name": "audit", + "input.type": "log", + "log.offset": 0, + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.6.0000", + "related.ip": [ + "10.2.0.4" + ], + "related.user": [ + "PasswordManager", + "test12" + ], + "service.type": "cyberarkpas", + "source.address": "10.2.0.4", + "source.ip": "10.2.0.4", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager", + "user.target.name": "test12" + }, + { + "@timestamp": "2021-03-08T19:20:05.000Z", + "cyberarkpas.audit.action": "CPM Change Password", + "cyberarkpas.audit.ca_properties.address": "components", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.dual_account_status": "Inactive", + "cyberarkpas.audit.ca_properties.group_name": "WindowsGroup", + "cyberarkpas.audit.ca_properties.index": "1", + "cyberarkpas.audit.ca_properties.last_success_change": "1615231204", + "cyberarkpas.audit.ca_properties.last_task": "ChangeTask", + "cyberarkpas.audit.ca_properties.policy_id": "WinDesktopLocal", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.sequence_id": "27", + "cyberarkpas.audit.ca_properties.user_name": "x_accountA", + "cyberarkpas.audit.ca_properties.virtual_username": "virtual", + "cyberarkpas.audit.desc": "CPM Change Password", + "cyberarkpas.audit.extra_details.address": "components", + "cyberarkpas.audit.extra_details.username": "x_accountA", + "cyberarkpas.audit.file": "Root\\Operating 
System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA", + "cyberarkpas.audit.iso_timestamp": "2021-03-08T19:20:05Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Change Password", + "cyberarkpas.audit.reason": "ImmediateTask", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 08 11:20:05", + "destination.address": "components", + "destination.domain": "components", + "event.action": "cpm change password", + "event.category": [ + "iam" + ], + "event.code": "24", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "user", + "change" + ], + "file.path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2757, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PasswordManager", + "x_accountA" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager", + "user.target.name": "x_accountA" + }, + { + "@timestamp": "2021-03-10T23:39:28.000Z", + "cyberarkpas.audit.action": "CPM Change Password", + "cyberarkpas.audit.ca_properties.address": "components", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.dual_account_status": "Inactive", + 
"cyberarkpas.audit.ca_properties.group_name": "WindowsGroup", + "cyberarkpas.audit.ca_properties.index": "2", + "cyberarkpas.audit.ca_properties.last_success_change": "1615419568", + "cyberarkpas.audit.ca_properties.last_task": "ChangeTask", + "cyberarkpas.audit.ca_properties.policy_id": "WinDesktopLocal", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.sequence_id": "25", + "cyberarkpas.audit.ca_properties.user_name": "x_accountB", + "cyberarkpas.audit.ca_properties.virtual_username": "virtual", + "cyberarkpas.audit.desc": "CPM Change Password", + "cyberarkpas.audit.extra_details.address": "components", + "cyberarkpas.audit.extra_details.username": "x_accountB", + "cyberarkpas.audit.file": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T23:39:28Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Change Password", + "cyberarkpas.audit.reason": "ImmediateTask", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 10 15:39:28", + "destination.address": "components", + "destination.domain": "components", + "event.action": "cpm change password", + "event.category": [ + "iam" + ], + "event.code": "24", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "user", + "change" + ], + "file.path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 4099, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + 
"observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PasswordManager", + "x_accountB" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager", + "user.target.name": "x_accountB" + }, + { + "@timestamp": "2021-03-15T10:12:24.000Z", + "cyberarkpas.audit.action": "CPM Change Password", + "cyberarkpas.audit.ca_properties.address": "components", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.dual_account_status": "Inactive", + "cyberarkpas.audit.ca_properties.group_name": "WindowsGroup", + "cyberarkpas.audit.ca_properties.index": "1", + "cyberarkpas.audit.ca_properties.last_success_change": "1615803143", + "cyberarkpas.audit.ca_properties.last_task": "ChangeTask", + "cyberarkpas.audit.ca_properties.policy_id": "WinDesktopLocal", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.sequence_id": "28", + "cyberarkpas.audit.ca_properties.user_name": "x_accountA", + "cyberarkpas.audit.ca_properties.virtual_username": "virtual", + "cyberarkpas.audit.desc": "CPM Change Password", + "cyberarkpas.audit.extra_details.address": "components", + "cyberarkpas.audit.extra_details.username": "x_accountA", + "cyberarkpas.audit.file": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T10:12:24Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Change Password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:12:24\n 2021-03-15T10:12:24Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 24\n CPM Change Password\n Info\n PasswordManager\n CPM Change Password\n \n \n Test\n Root\\Operating 
System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\n 10.0.1.20\n \n \n \n ImmediateTask\n address=components;username=x_accountA;\n CPM Change Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 03:12:24", + "destination.address": "components", + "destination.domain": "components", + "event.action": "cpm change password", + "event.category": [ + "iam" + ], + "event.code": "24", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "user", + "change" + ], + "file.path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 5441, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PasswordManager", + "x_accountA" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager", + "user.target.name": "x_accountA" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/259_add_update_group.log b/x-pack/filebeat/module/cyberarkpas/audit/test/259_add_update_group.log new file mode 100644 index 00000000000..7284820d8e4 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/259_add_update_group.log 
@@ -0,0 +1,4 @@
+<5>1 2021-03-10T09:11:21Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:21","IsoTimestamp":"2021-03-10T09:11:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"259","Desc":"Add/Update Group","Severity":"Info","Issuer":"Administrator","Action":"Add/Update Group","SourceUser":"PSMMaster","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add/Update Group","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:21Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:21","IsoTimestamp":"2021-03-10T09:11:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"259","Desc":"Add/Update Group","Severity":"Info","Issuer":"Administrator","Action":"Add/Update Group","SourceUser":"PSMAppUsers","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add/Update Group","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:35Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:35","IsoTimestamp":"2021-03-10T09:11:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"259","Desc":"Add/Update Group","Severity":"Info","Issuer":"Administrator","Action":"Add/Update Group","SourceUser":"PSMP_ADB_AppUsers","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add/Update Group","GatewayStation":""}}}
+<5>1 2021-03-10T17:59:29Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:29","IsoTimestamp":"2021-03-10T17:59:29Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"259","Desc":"Add/Update Group","Severity":"Info","Issuer":"Administrator","Action":"Add/Update Group","SourceUser":"PSMLiveSessionTerminators","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add/Update Group","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/259_add_update_group.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/259_add_update_group.log-expected.json
new file mode 100644
index 00000000000..7cdae291f0c
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/259_add_update_group.log-expected.json
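Review bot: The `Station` values in these sample records (`81.32.170.205` here, `35.192.121.42` and `34.71.250.247` in the 265_add_group_member.log hunk below) are routable public addresses, and the expected output for this file geo-enriches the first one to a named city and region. Sample logs that ship in a public repository are better built from the RFC 5737 documentation ranges (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`) so that no real endpoint or operator location is published with the fixture, and so the GeoIP assertions in the expected files do not depend on a third-party database entry for a live address. If the addresses are kept on purpose to exercise the geo pipeline, a one-line comment in the module README saying so would help the next maintainer.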
@@ -0,0 +1,190 @@
+[
+ {
+ "@timestamp": "2021-03-10T09:11:21.000Z",
+ "cyberarkpas.audit.action": "Add/Update Group",
+ "cyberarkpas.audit.desc": "Add/Update Group",
+ "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:21Z",
+ "cyberarkpas.audit.issuer": "Administrator",
+ "cyberarkpas.audit.message": "Add/Update Group",
+ "cyberarkpas.audit.rfc5424": true,
+ "cyberarkpas.audit.severity": "Info",
+ "cyberarkpas.audit.source_user": "PSMMaster",
+ "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.timestamp": "Mar 10 01:11:21",
+ "event.action": "add/update group",
+ "event.code": "259",
+ "event.dataset": "cyberarkpas.audit",
+ "event.kind": "event",
+ "event.module": "cyberarkpas",
+ "event.severity": 2,
+ "event.timezone": "-02:00",
+ "fileset.name": "audit",
+ "host.name": "VAULT",
+ "input.type": "log",
+ "log.offset": 0,
+ "log.syslog.priority": "5",
+ "observer.hostname": "VAULT",
+ "observer.product": "Vault",
+ "observer.vendor": "Cyber-Ark",
+ "observer.version": "11.7.0000",
+ "related.ip": [
+ "81.32.170.205"
+ ],
+ "service.type": "cyberarkpas",
+ "source.address": "81.32.170.205",
+ "source.geo.city_name": "Barcelona",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "ES",
+ "source.geo.country_name": "Spain",
+ "source.geo.location.lat": 41.387,
+ "source.geo.location.lon": 2.1701,
+ "source.geo.region_iso_code": "ES-B",
+ "source.geo.region_name": "Barcelona",
+ "source.ip": "81.32.170.205",
+ "tags": [
+ "cyberarkpas.audit",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2021-03-10T09:11:21.000Z",
+ "cyberarkpas.audit.action": "Add/Update Group",
+ "cyberarkpas.audit.desc": "Add/Update Group",
+ "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:21Z",
+ "cyberarkpas.audit.issuer": "Administrator",
+ "cyberarkpas.audit.message": "Add/Update Group",
+ "cyberarkpas.audit.rfc5424": true,
+ "cyberarkpas.audit.severity": "Info",
+ "cyberarkpas.audit.source_user": "PSMAppUsers",
+ "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.timestamp": "Mar 10 01:11:21",
+ "event.action": "add/update group",
+ "event.code": "259",
+ "event.dataset": "cyberarkpas.audit",
+ "event.kind": "event",
+ "event.module": "cyberarkpas",
+ "event.severity": 2,
+ "event.timezone": "-02:00",
+ "fileset.name": "audit",
+ "host.name": "VAULT",
+ "input.type": "log",
+ "log.offset": 585,
+ "log.syslog.priority": "5",
+ "observer.hostname": "VAULT",
+ "observer.product": "Vault",
+ "observer.vendor": "Cyber-Ark",
+ "observer.version": "11.7.0000",
+ "related.ip": [
+ "81.32.170.205"
+ ],
+ "service.type": "cyberarkpas",
+ "source.address": "81.32.170.205",
+ "source.geo.city_name": "Barcelona",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "ES",
+ "source.geo.country_name": "Spain",
+ "source.geo.location.lat": 41.387,
+ "source.geo.location.lon": 2.1701,
+ "source.geo.region_iso_code": "ES-B",
+ "source.geo.region_name": "Barcelona",
+ "source.ip": "81.32.170.205",
+ "tags": [
+ "cyberarkpas.audit",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2021-03-10T09:11:35.000Z",
+ "cyberarkpas.audit.action": "Add/Update Group",
+ "cyberarkpas.audit.desc": "Add/Update Group",
+ "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:35Z",
+ "cyberarkpas.audit.issuer": "Administrator",
+ "cyberarkpas.audit.message": "Add/Update Group",
+ "cyberarkpas.audit.rfc5424": true,
+ "cyberarkpas.audit.severity": "Info",
+ "cyberarkpas.audit.source_user": "PSMP_ADB_AppUsers",
+ "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.timestamp": "Mar 10 01:11:35",
+ "event.action": "add/update group",
+ "event.code": "259",
+ "event.dataset": "cyberarkpas.audit",
+ "event.kind": "event",
+ "event.module": "cyberarkpas",
+ "event.severity": 2,
+ "event.timezone": "-02:00",
+ "fileset.name": "audit",
+ "host.name": "VAULT",
+ "input.type": "log",
+ "log.offset": 1172,
+ "log.syslog.priority": "5",
+ "observer.hostname": "VAULT",
+ "observer.product": "Vault",
+ "observer.vendor": "Cyber-Ark",
+ "observer.version": "11.7.0000",
+ "related.ip": [
+ "81.32.170.205"
+ ],
+ "service.type": "cyberarkpas",
+ "source.address": "81.32.170.205",
+ "source.geo.city_name": "Barcelona",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "ES",
+ "source.geo.country_name": "Spain",
+ "source.geo.location.lat": 41.387,
+ "source.geo.location.lon": 2.1701,
+ "source.geo.region_iso_code": "ES-B",
+ "source.geo.region_name": "Barcelona",
+ "source.ip": "81.32.170.205",
+ "tags": [
+ "cyberarkpas.audit",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2021-03-10T17:59:29.000Z",
+ "cyberarkpas.audit.action": "Add/Update Group",
+ "cyberarkpas.audit.desc": "Add/Update Group",
+ "cyberarkpas.audit.iso_timestamp": "2021-03-10T17:59:29Z",
+ "cyberarkpas.audit.issuer": "Administrator",
+ "cyberarkpas.audit.message": "Add/Update Group",
+ "cyberarkpas.audit.rfc5424": true,
+ "cyberarkpas.audit.severity": "Info",
+ "cyberarkpas.audit.source_user": "PSMLiveSessionTerminators",
+ "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.timestamp": "Mar 10 09:59:29",
+ "event.action": "add/update group",
+ "event.code": "259",
+ "event.dataset": "cyberarkpas.audit",
+ "event.kind": "event",
+ "event.module": "cyberarkpas",
+ "event.severity": 2,
+ "event.timezone": "-02:00",
+ "fileset.name": "audit",
+ "host.name": "VAULT",
+ "input.type": "log",
+ "log.offset": 1765,
+ "log.syslog.priority": "5",
+ "observer.hostname": "VAULT",
+ "observer.product": "Vault",
+ "observer.vendor": "Cyber-Ark",
+ "observer.version": "11.7.0000",
+ "related.ip": [
+ "81.32.170.205"
+ ],
+ "service.type": "cyberarkpas",
+ "source.address": "81.32.170.205",
+ "source.geo.city_name": "Barcelona",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "ES",
+ "source.geo.country_name": "Spain",
+ "source.geo.location.lat": 41.387,
+ "source.geo.location.lon": 2.1701,
+ "source.geo.region_iso_code": "ES-B",
+ "source.geo.region_name": "Barcelona",
+ "source.ip": "81.32.170.205",
+ "tags": [
+ "cyberarkpas.audit",
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/265_add_group_member.log b/x-pack/filebeat/module/cyberarkpas/audit/test/265_add_group_member.log
new file mode 100644
index 00000000000..bff61c277da
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/265_add_group_member.log
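Review bot: The expected output for message 259 ("Add/Update Group") carries no `event.category`, `event.type` or `event.outcome`, and neither the issuing user (`cyberarkpas.audit.issuer: "Administrator"`) nor the group named in `cyberarkpas.audit.source_user` is surfaced in `user.name`, `related.user` or `group.name`, whereas the 24_cpm_change_password expected file in the same commit maps that event to `event.category: ["iam"]`, `event.type: ["user","change"]` and fills `user.name`/`related.user`. Group creation and membership changes on the Vault are exactly the privileged-access events a detection rule would key on, so if the pipeline's categorization is intended to be complete, these records should at least get `"event.category": ["iam"]` and `"event.type": ["group", "change"]` (or `"creation"` when the record distinguishes it), with the issuer in `related.user` and the group in `group.name`; the 265_add_group_member expected file lower in the diff (its hunk runs past this chunk) shows the same gap. If the omission is deliberate because the source record does not tell add from update apart, a short comment in the module README listing which message IDs are left uncategorized would make that visible to rule authors.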
@@ -0,0 +1,14 @@ +<5>1 2021-03-10T09:11:22Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:22","IsoTimestamp":"2021-03-10T09:11:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMPApp_localhost.localdomain","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T09:11:22Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:22","IsoTimestamp":"2021-03-10T09:11:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMPGW_localhost.localdomain","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T09:11:35Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:35","IsoTimestamp":"2021-03-10T09:11:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMP_ADB_AppUsers","TargetUser":"PSMP_ADB_localhost.localdomain","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T17:58:01Z VAULT 
{"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:58:01","IsoTimestamp":"2021-03-10T17:58:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMMaster","TargetUser":"Administrator","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T17:59:29Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:29","IsoTimestamp":"2021-03-10T17:59:29Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMApp_VAGRANT","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T17:59:30Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:30","IsoTimestamp":"2021-03-10T17:59:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMGw_VAGRANT","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T22:17:15Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
14:17:15","IsoTimestamp":"2021-03-10T22:17:15Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMMaster","TargetUser":"Administrator","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T22:19:16Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:16","IsoTimestamp":"2021-03-10T22:19:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMApp_ASR-WIN","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-10T22:19:16Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:16","IsoTimestamp":"2021-03-10T22:19:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMGw_ASR-WIN","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-11T16:59:38Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:38\n 2021-03-11T16:59:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMAppUsers\n PSMPApp_VAGRANT\n \n \n 81.32.170.205\n \n \n \n \n \n Add Group Member\n 
\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:38","IsoTimestamp":"2021-03-11T16:59:38Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMPApp_VAGRANT","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-11T16:59:38Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:38\n 2021-03-11T16:59:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PVWAGWAccounts\n PSMPGW_VAGRANT\n \n \n 81.32.170.205\n \n \n \n \n \n Add Group Member\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:38","IsoTimestamp":"2021-03-11T16:59:38Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMPGW_VAGRANT","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-14T12:57:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:17\n 2021-03-14T12:57:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PVWAGWAccounts\n PSMPGW_SSH\n \n \n 34.71.250.247\n \n \n \n \n \n Add Group Member\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:17","IsoTimestamp":"2021-03-14T12:57:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group 
Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMPGW_SSH","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-14T12:57:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:17\n 2021-03-14T12:57:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMAppUsers\n PSMPApp_SSH\n \n \n 34.71.250.247\n \n \n \n \n \n Add Group Member\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:17","IsoTimestamp":"2021-03-14T12:57:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMPApp_SSH","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} +<5>1 2021-03-14T12:57:21Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:21\n 2021-03-14T12:57:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMP_ADB_AppUsers\n PSMP_ADB_asr-cyberark-psm-ssh\n \n \n 34.71.250.247\n \n \n \n \n \n Add Group Member\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:21","IsoTimestamp":"2021-03-14T12:57:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group 
Member","SourceUser":"PSMP_ADB_AppUsers","TargetUser":"PSMP_ADB_asr-cyberark-psm-ssh","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/265_add_group_member.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/265_add_group_member.log-expected.json new file mode 100644 index 00000000000..60a962e4971 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/265_add_group_member.log-expected.json 
@@ -0,0 +1,679 @@ +[ + { + "@timestamp": "2021-03-10T09:11:22.000Z", + "cyberarkpas.audit.action": "Add Group Member", + "cyberarkpas.audit.desc": "Add Group Member", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:22Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Group Member", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMAppUsers", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.target_user": "PSMPApp_localhost.localdomain", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:22", + "event.action": "add group member", + "event.code": "265", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T09:11:22.000Z", + "cyberarkpas.audit.action": "Add Group Member", + "cyberarkpas.audit.desc": "Add Group Member", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:22Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Group Member", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + 
"cyberarkpas.audit.source_user": "PVWAGWAccounts", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.target_user": "PSMPGW_localhost.localdomain", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:22", + "event.action": "add group member", + "event.code": "265", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 616, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T09:11:35.000Z", + "cyberarkpas.audit.action": "Add Group Member", + "cyberarkpas.audit.desc": "Add Group Member", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:35Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Group Member", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMP_ADB_AppUsers", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.target_user": "PSMP_ADB_localhost.localdomain", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:35", + "event.action": "add group member", + "event.code": "265", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + 
"event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1234, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T17:58:01.000Z", + "cyberarkpas.audit.action": "Add Group Member", + "cyberarkpas.audit.desc": "Add Group Member", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T17:58:01Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Group Member", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMMaster", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.target_user": "Administrator", + "cyberarkpas.audit.timestamp": "Mar 10 09:58:01", + "event.action": "add group member", + "event.code": "265", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1857, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": 
"Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T17:59:29.000Z", + "cyberarkpas.audit.action": "Add Group Member", + "cyberarkpas.audit.desc": "Add Group Member", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T17:59:29Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Group Member", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMAppUsers", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.target_user": "PSMApp_VAGRANT", + "cyberarkpas.audit.timestamp": "Mar 10 09:59:29", + "event.action": "add group member", + "event.code": "265", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2455, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T17:59:30.000Z", + 
"cyberarkpas.audit.action": "Add Group Member", + "cyberarkpas.audit.desc": "Add Group Member", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T17:59:30Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Group Member", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PVWAGWAccounts", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.target_user": "PSMGw_VAGRANT", + "cyberarkpas.audit.timestamp": "Mar 10 09:59:30", + "event.action": "add group member", + "event.code": "265", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 3056, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T22:17:15.000Z", + "cyberarkpas.audit.action": "Add Group Member", + "cyberarkpas.audit.desc": "Add Group Member", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T22:17:15Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Group Member", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMMaster", + "cyberarkpas.audit.station": "35.192.121.42", + 
"cyberarkpas.audit.target_user": "Administrator", + "cyberarkpas.audit.timestamp": "Mar 10 14:17:15", + "event.action": "add group member", + "event.code": "265", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 3659, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "35.192.121.42" + ], + "service.type": "cyberarkpas", + "source.address": "35.192.121.42", + "source.geo.city_name": "Council Bluffs", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 41.2591, + "source.geo.location.lon": -95.8517, + "source.geo.region_iso_code": "US-IA", + "source.geo.region_name": "Iowa", + "source.ip": "35.192.121.42", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T22:19:16.000Z", + "cyberarkpas.audit.action": "Add Group Member", + "cyberarkpas.audit.desc": "Add Group Member", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T22:19:16Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Group Member", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMAppUsers", + "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.target_user": "PSMApp_ASR-WIN", + "cyberarkpas.audit.timestamp": "Mar 10 14:19:16", + "event.action": "add group member", + "event.code": "265", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 4257, + 
"log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "35.192.121.42" + ], + "service.type": "cyberarkpas", + "source.address": "35.192.121.42", + "source.geo.city_name": "Council Bluffs", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 41.2591, + "source.geo.location.lon": -95.8517, + "source.geo.region_iso_code": "US-IA", + "source.geo.region_name": "Iowa", + "source.ip": "35.192.121.42", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T22:19:16.000Z", + "cyberarkpas.audit.action": "Add Group Member", + "cyberarkpas.audit.desc": "Add Group Member", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T22:19:16Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Group Member", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PVWAGWAccounts", + "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.target_user": "PSMGw_ASR-WIN", + "cyberarkpas.audit.timestamp": "Mar 10 14:19:16", + "event.action": "add group member", + "event.code": "265", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 4858, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "35.192.121.42" + ], + "service.type": "cyberarkpas", + "source.address": "35.192.121.42", + "source.geo.city_name": "Council Bluffs", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + 
"source.geo.country_name": "United States", + "source.geo.location.lat": 41.2591, + "source.geo.location.lon": -95.8517, + "source.geo.region_iso_code": "US-IA", + "source.geo.region_name": "Iowa", + "source.ip": "35.192.121.42", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-11T16:59:38.000Z", + "cyberarkpas.audit.action": "Add Group Member", + "cyberarkpas.audit.desc": "Add Group Member", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:59:38Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Group Member", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:59:38\n 2021-03-11T16:59:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMAppUsers\n PSMPApp_VAGRANT\n \n \n 81.32.170.205\n \n \n \n \n \n Add Group Member\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMAppUsers", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.target_user": "PSMPApp_VAGRANT", + "cyberarkpas.audit.timestamp": "Mar 11 08:59:38", + "event.action": "add group member", + "event.code": "265", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 5461, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + 
"source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-11T16:59:38.000Z", + "cyberarkpas.audit.action": "Add Group Member", + "cyberarkpas.audit.desc": "Add Group Member", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:59:38Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Group Member", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:59:38\n 2021-03-11T16:59:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PVWAGWAccounts\n PSMPGW_VAGRANT\n \n \n 81.32.170.205\n \n \n \n \n \n Add Group Member\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PVWAGWAccounts", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.target_user": "PSMPGW_VAGRANT", + "cyberarkpas.audit.timestamp": "Mar 11 08:59:38", + "event.action": "add group member", + "event.code": "265", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 6945, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + 
"cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-14T12:57:17.000Z", + "cyberarkpas.audit.action": "Add Group Member", + "cyberarkpas.audit.desc": "Add Group Member", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:57:17Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Group Member", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:17\n 2021-03-14T12:57:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PVWAGWAccounts\n PSMPGW_SSH\n \n \n 34.71.250.247\n \n \n \n \n \n Add Group Member\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PVWAGWAccounts", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.target_user": "PSMPGW_SSH", + "cyberarkpas.audit.timestamp": "Mar 14 05:57:17", + "event.action": "add group member", + "event.code": "265", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 8433, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "34.71.250.247" + ], + "service.type": "cyberarkpas", + "source.address": "34.71.250.247", + "source.geo.city_name": "Council Bluffs", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 41.2591, + "source.geo.location.lon": -95.8517, + "source.geo.region_iso_code": "US-IA", + "source.geo.region_name": "Iowa", + "source.ip": "34.71.250.247", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-14T12:57:17.000Z", + "cyberarkpas.audit.action": "Add 
Group Member", + "cyberarkpas.audit.desc": "Add Group Member", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:57:17Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Group Member", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:17\n 2021-03-14T12:57:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMAppUsers\n PSMPApp_SSH\n \n \n 34.71.250.247\n \n \n \n \n \n Add Group Member\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMAppUsers", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.target_user": "PSMPApp_SSH", + "cyberarkpas.audit.timestamp": "Mar 14 05:57:17", + "event.action": "add group member", + "event.code": "265", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 9913, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "34.71.250.247" + ], + "service.type": "cyberarkpas", + "source.address": "34.71.250.247", + "source.geo.city_name": "Council Bluffs", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 41.2591, + "source.geo.location.lon": -95.8517, + "source.geo.region_iso_code": "US-IA", + "source.geo.region_name": "Iowa", + "source.ip": "34.71.250.247", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-14T12:57:21.000Z", + "cyberarkpas.audit.action": "Add Group Member", + "cyberarkpas.audit.desc": "Add Group Member", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:57:21Z", + 
"cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Group Member", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:21\n 2021-03-14T12:57:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMP_ADB_AppUsers\n PSMP_ADB_asr-cyberark-psm-ssh\n \n \n 34.71.250.247\n \n \n \n \n \n Add Group Member\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMP_ADB_AppUsers", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.target_user": "PSMP_ADB_asr-cyberark-psm-ssh", + "cyberarkpas.audit.timestamp": "Mar 14 05:57:21", + "event.action": "add group member", + "event.code": "265", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 11389, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "34.71.250.247" + ], + "service.type": "cyberarkpas", + "source.address": "34.71.250.247", + "source.geo.city_name": "Council Bluffs", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 41.2591, + "source.geo.location.lon": -95.8517, + "source.geo.region_iso_code": "US-IA", + "source.geo.region_name": "Iowa", + "source.ip": "34.71.250.247", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/266_remove_group_member.log b/x-pack/filebeat/module/cyberarkpas/audit/test/266_remove_group_member.log new file mode 100644 index 00000000000..7b0f9be88a0 --- /dev/null 
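Review bot: None of the expected documents for message 265 carry ECS identity fields: the group (`SourceUser`, e.g. `PSMAppUsers`) and the member being added (`TargetUser`, e.g. `PSMPApp_localhost.localdomain`) survive only as `cyberarkpas.audit.source_user` / `cyberarkpas.audit.target_user`, the acting account only as `cyberarkpas.audit.issuer`, and every record has `event.kind: event` with no `event.category` or `event.type`. A group-membership change on the PAM vault is precisely the record detection rules pivot on, so I would expect `group.name`, `user.name` (or `user.target.name`) and `related.user` to be populated, plus `event.category: ["iam"]` and `event.type: ["group", "change"]`, so stock ECS rules match without vendor-specific fields. Reading the sample values, `SourceUser` appears to be the group and `TargetUser` the member, but that should be confirmed against the CyberArk syslog reference and the mapping keyed on `event.code`, since the same two fields carry different meanings for other message IDs in this PR (273 and 278 use `SourceUser` for the acting user). The ingest pipeline that produces these documents is outside this chunk, so the change belongs there and this fixture would then be regenerated.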
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/266_remove_group_member.log
@@ -0,0 +1,2 @@
+<5>1 2021-03-10T17:59:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:48","IsoTimestamp":"2021-03-10T17:59:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"266","Desc":"Remove Group Member","Severity":"Info","Issuer":"Administrator","Action":"Remove Group Member","SourceUser":"PSMMaster","TargetUser":"Administrator","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Remove Group Member","GatewayStation":""}}}
+<5>1 2021-03-10T22:19:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:23","IsoTimestamp":"2021-03-10T22:19:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"266","Desc":"Remove Group Member","Severity":"Info","Issuer":"Administrator","Action":"Remove Group Member","SourceUser":"PSMMaster","TargetUser":"Administrator","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Remove Group Member","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/266_remove_group_member.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/266_remove_group_member.log-expected.json
new file mode 100644
index 00000000000..169410b786e
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/266_remove_group_member.log-expected.json
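Review bot: Both sample lines carry what appear to be real public source addresses in `Station` (`81.32.170.205` and `35.192.121.42`; the expected output in this PR geolocates them to Barcelona and to a US cloud-provider region), so the fixture publishes the lab operator's egress address and cloud endpoints in a public repository. Prefer RFC 5737 documentation ranges (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`) or at least scrub the addresses before merge; the `source.geo.*` and `related.ip` values in the generated expected files would then need regenerating. The same addresses recur across the other fixtures in this PR, so one substitution across the test directory covers it.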
@@ -0,0 +1,98 @@ +[ + { + "@timestamp": "2021-03-10T17:59:48.000Z", + "cyberarkpas.audit.action": "Remove Group Member", + "cyberarkpas.audit.desc": "Remove Group Member", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T17:59:48Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Remove Group Member", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMMaster", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.target_user": "Administrator", + "cyberarkpas.audit.timestamp": "Mar 10 09:59:48", + "event.action": "remove group member", + "event.code": "266", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T22:19:23.000Z", + "cyberarkpas.audit.action": "Remove Group Member", + "cyberarkpas.audit.desc": "Remove Group Member", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T22:19:23Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Remove Group Member", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + 
"cyberarkpas.audit.source_user": "PSMMaster", + "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.target_user": "Administrator", + "cyberarkpas.audit.timestamp": "Mar 10 14:19:23", + "event.action": "remove group member", + "event.code": "266", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 607, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "35.192.121.42" + ], + "service.type": "cyberarkpas", + "source.address": "35.192.121.42", + "source.geo.city_name": "Council Bluffs", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 41.2591, + "source.geo.location.lon": -95.8517, + "source.geo.region_iso_code": "US-IA", + "source.geo.region_name": "Iowa", + "source.ip": "35.192.121.42", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/273_remove_owner.log b/x-pack/filebeat/module/cyberarkpas/audit/test/273_remove_owner.log new file mode 100644 index 00000000000..ea1458e5874 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/273_remove_owner.log 
@@ -0,0 +1 @@
+<5>1 2021-03-10T17:59:33Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:33","IsoTimestamp":"2021-03-10T17:59:33Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"273","Desc":"Remove Owner","Severity":"Info","Issuer":"Administrator","Action":"Remove Owner","SourceUser":"Administrator","TargetUser":"","Safe":"PSMSessions","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Remove Owner","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/273_remove_owner.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/273_remove_owner.log-expected.json
new file mode 100644
index 00000000000..96b6c9cd87c
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/273_remove_owner.log-expected.json
@@ -0,0 +1,50 @@ +[ + { + "@timestamp": "2021-03-10T17:59:33.000Z", + "cyberarkpas.audit.action": "Remove Owner", + "cyberarkpas.audit.desc": "Remove Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T17:59:33Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Remove Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMSessions", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "Administrator", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 09:59:33", + "event.action": "remove owner", + "event.code": "273", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/278_add_rule.log b/x-pack/filebeat/module/cyberarkpas/audit/test/278_add_rule.log new file mode 100644 index 00000000000..b4e7a9ada36 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/278_add_rule.log 
@@ -0,0 +1 @@
+<5>1 2021-03-11T18:01:14Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 10:01:14\n 2021-03-11T18:01:14Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 278\n Add Rule\n Info\n PVWAAppUser\n Add Rule\n Administrator\n \n PSMUnmanagedSessionAccounts\n Root\\2\n 10.0.1.20\n \n \n \n Allow\n \n Add Rule\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 10:01:14","IsoTimestamp":"2021-03-11T18:01:14Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"278","Desc":"Add Rule","Severity":"Info","Issuer":"PVWAAppUser","Action":"Add Rule","SourceUser":"Administrator","TargetUser":"","Safe":"PSMUnmanagedSessionAccounts","File":"Root\\2","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"Allow","ExtraDetails":"","Message":"Add Rule","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/278_add_rule.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/278_add_rule.log-expected.json
new file mode 100644
index 00000000000..4cfd55c4722
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/278_add_rule.log-expected.json
@@ -0,0 +1,46 @@ +[ + { + "@timestamp": "2021-03-11T18:01:14.000Z", + "cyberarkpas.audit.action": "Add Rule", + "cyberarkpas.audit.desc": "Add Rule", + "cyberarkpas.audit.file": "Root\\2", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T18:01:14Z", + "cyberarkpas.audit.issuer": "PVWAAppUser", + "cyberarkpas.audit.message": "Add Rule", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 10:01:14\n 2021-03-11T18:01:14Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 278\n Add Rule\n Info\n PVWAAppUser\n Add Rule\n Administrator\n \n PSMUnmanagedSessionAccounts\n Root\\2\n 10.0.1.20\n \n \n \n Allow\n \n Add Rule\n \n \n\n", + "cyberarkpas.audit.reason": "Allow", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMUnmanagedSessionAccounts", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "Administrator", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 11 10:01:14", + "event.action": "add rule", + "event.code": "278", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\2", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/288_auto_clear_users_history_start.log b/x-pack/filebeat/module/cyberarkpas/audit/test/288_auto_clear_users_history_start.log new file mode 100644 index 00000000000..8a37e23616a --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/288_auto_clear_users_history_start.log 
@@ -0,0 +1,2 @@
+<5>1 2021-03-05T11:00:06Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 05 03:00:06","IsoTimestamp":"2021-03-05T11:00:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"288","Desc":"Auto Clear Users History start","Severity":"Info","Issuer":"Batch","Action":"Auto Clear Users History start","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Auto Clear Users History start","GatewayStation":""}}}
+Mar 08 03:00:20 VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"288","Desc":"Auto Clear Users History start","Severity":"Info","Issuer":"Batch","Action":"Auto Clear Users History start","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Auto Clear Users History start","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/288_auto_clear_users_history_start.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/288_auto_clear_users_history_start.log-expected.json
new file mode 100644
index 00000000000..0ed48dfb9c0
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/288_auto_clear_users_history_start.log-expected.json
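Review bot: The second sample line (`+Mar 08 03:00:20 VAULT …`, `"Rfc5424":"no"`) carries no year, yet its expected output pins `@timestamp` to 2021 with the `-02:00` test offset; if the pipeline fills the year from ingest time, this fixture and the identical legacy line in 289_auto_clear_users_history_end.log will start failing once the suite runs in a later year, so it is worth confirming that the harness fixes the clock. Both lines also report `"Station":"0.0.0.0"` for the `Batch` issuer, and the expected output copies that straight into `source.ip` and `related.ip`; consider treating the unspecified address as absent before the ECS copy so scheduled vault jobs do not match source-IP based correlation, which applies to the 290 and 291 samples as well.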
@@ -0,0 +1,75 @@ +[ + { + "@timestamp": "2021-03-05T11:00:06.000Z", + "cyberarkpas.audit.action": "Auto Clear Users History start", + "cyberarkpas.audit.desc": "Auto Clear Users History start", + "cyberarkpas.audit.iso_timestamp": "2021-03-05T11:00:06Z", + "cyberarkpas.audit.issuer": "Batch", + "cyberarkpas.audit.message": "Auto Clear Users History start", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "0.0.0.0", + "cyberarkpas.audit.timestamp": "Mar 05 03:00:06", + "event.action": "auto clear users history start", + "event.code": "288", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "0.0.0.0" + ], + "service.type": "cyberarkpas", + "source.address": "0.0.0.0", + "source.ip": "0.0.0.0", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-08T03:00:20.000-02:00", + "cyberarkpas.audit.action": "Auto Clear Users History start", + "cyberarkpas.audit.desc": "Auto Clear Users History start", + "cyberarkpas.audit.issuer": "Batch", + "cyberarkpas.audit.message": "Auto Clear Users History start", + "cyberarkpas.audit.rfc5424": false, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "0.0.0.0", + "event.action": "auto clear users history start", + "event.code": "288", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 604, + "observer.hostname": "VAULT", + "observer.product": "Vault", + 
"observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "0.0.0.0" + ], + "service.type": "cyberarkpas", + "source.address": "0.0.0.0", + "source.ip": "0.0.0.0", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/289_auto_clear_users_history_end.log b/x-pack/filebeat/module/cyberarkpas/audit/test/289_auto_clear_users_history_end.log
new file mode 100644
index 00000000000..8d873525e41
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/289_auto_clear_users_history_end.log
@@ -0,0 +1,2 @@
+<5>1 2021-03-05T11:00:06Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 05 03:00:06","IsoTimestamp":"2021-03-05T11:00:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"289","Desc":"Auto Clear Users History end","Severity":"Info","Issuer":"Batch","Action":"Auto Clear Users History end","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Auto Clear Users History end","GatewayStation":""}}}
+Mar 08 03:00:20 VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"289","Desc":"Auto Clear Users History end","Severity":"Info","Issuer":"Batch","Action":"Auto Clear Users History end","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Auto Clear Users History end","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/289_auto_clear_users_history_end.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/289_auto_clear_users_history_end.log-expected.json
new file mode 100644
index 00000000000..4476ba0f803
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/289_auto_clear_users_history_end.log-expected.json
@@ -0,0 +1,75 @@ +[ + { + "@timestamp": "2021-03-05T11:00:06.000Z", + "cyberarkpas.audit.action": "Auto Clear Users History end", + "cyberarkpas.audit.desc": "Auto Clear Users History end", + "cyberarkpas.audit.iso_timestamp": "2021-03-05T11:00:06Z", + "cyberarkpas.audit.issuer": "Batch", + "cyberarkpas.audit.message": "Auto Clear Users History end", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "0.0.0.0", + "cyberarkpas.audit.timestamp": "Mar 05 03:00:06", + "event.action": "auto clear users history end", + "event.code": "289", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "0.0.0.0" + ], + "service.type": "cyberarkpas", + "source.address": "0.0.0.0", + "source.ip": "0.0.0.0", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-08T03:00:20.000-02:00", + "cyberarkpas.audit.action": "Auto Clear Users History end", + "cyberarkpas.audit.desc": "Auto Clear Users History end", + "cyberarkpas.audit.issuer": "Batch", + "cyberarkpas.audit.message": "Auto Clear Users History end", + "cyberarkpas.audit.rfc5424": false, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "0.0.0.0", + "event.action": "auto clear users history end", + "event.code": "289", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 598, + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", 
+ "observer.version": "11.7.0000", + "related.ip": [ + "0.0.0.0" + ], + "service.type": "cyberarkpas", + "source.address": "0.0.0.0", + "source.ip": "0.0.0.0", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/290_auto_clear_safes_history_start.log b/x-pack/filebeat/module/cyberarkpas/audit/test/290_auto_clear_safes_history_start.log
new file mode 100644
index 00000000000..2c7336ea820
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/290_auto_clear_safes_history_start.log
@@ -0,0 +1 @@
+<5>1 2021-03-09T09:00:47Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 01:00:47","IsoTimestamp":"2021-03-09T09:00:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"290","Desc":"Auto Clear Safes History start","Severity":"Info","Issuer":"Batch","Action":"Auto Clear Safes History start","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Auto Clear Safes History start","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/290_auto_clear_safes_history_start.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/290_auto_clear_safes_history_start.log-expected.json
new file mode 100644
index 00000000000..0feb0516dab
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/290_auto_clear_safes_history_start.log-expected.json
@@ -0,0 +1,40 @@ +[ + { + "@timestamp": "2021-03-09T09:00:47.000Z", + "cyberarkpas.audit.action": "Auto Clear Safes History start", + "cyberarkpas.audit.desc": "Auto Clear Safes History start", + "cyberarkpas.audit.iso_timestamp": "2021-03-09T09:00:47Z", + "cyberarkpas.audit.issuer": "Batch", + "cyberarkpas.audit.message": "Auto Clear Safes History start", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "0.0.0.0", + "cyberarkpas.audit.timestamp": "Mar 09 01:00:47", + "event.action": "auto clear safes history start", + "event.code": "290", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "0.0.0.0" + ], + "service.type": "cyberarkpas", + "source.address": "0.0.0.0", + "source.ip": "0.0.0.0", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/291_auto_clear_safes_history_end.log b/x-pack/filebeat/module/cyberarkpas/audit/test/291_auto_clear_safes_history_end.log new file mode 100644 index 00000000000..8731e1e4ed9 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/291_auto_clear_safes_history_end.log 
@@ -0,0 +1 @@
+<5>1 2021-03-09T09:00:47Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 01:00:47","IsoTimestamp":"2021-03-09T09:00:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"291","Desc":"Auto Clear Safes History end","Severity":"Info","Issuer":"Batch","Action":"Auto Clear Safes History end","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Auto Clear Safes History end","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/291_auto_clear_safes_history_end.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/291_auto_clear_safes_history_end.log-expected.json
new file mode 100644
index 00000000000..0e37b256a45
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/291_auto_clear_safes_history_end.log-expected.json
@@ -0,0 +1,40 @@ +[ + { + "@timestamp": "2021-03-09T09:00:47.000Z", + "cyberarkpas.audit.action": "Auto Clear Safes History end", + "cyberarkpas.audit.desc": "Auto Clear Safes History end", + "cyberarkpas.audit.iso_timestamp": "2021-03-09T09:00:47Z", + "cyberarkpas.audit.issuer": "Batch", + "cyberarkpas.audit.message": "Auto Clear Safes History end", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "0.0.0.0", + "cyberarkpas.audit.timestamp": "Mar 09 01:00:47", + "event.action": "auto clear safes history end", + "event.code": "291", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "0.0.0.0" + ], + "service.type": "cyberarkpas", + "source.address": "0.0.0.0", + "source.ip": "0.0.0.0", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/294_store_password.log b/x-pack/filebeat/module/cyberarkpas/audit/test/294_store_password.log new file mode 100644 index 00000000000..2ea7c7cf132 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/294_store_password.log 
@@ -0,0 +1,10 @@
+<5>1 2021-03-08T10:19:42Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 02:19:42","IsoTimestamp":"2021-03-08T10:19:42Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"PasswordManager","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Groups\\WindowsGroup","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WindowsDesktopLocalAccountsRotationalPolicy"},{"Name":"InProcess","Value":"ChangeTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"LastSuccessChange","Value":"1615198782"},{"Name":"CurrInd","Value":"2"}]}}}}
+<5>1 2021-03-08T18:24:49Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:24:49","IsoTimestamp":"2021-03-08T18:24:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"Administrator","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WinDesktopLocal-Address-adriansr","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":"10.0.1.20"}}}
+<5>1 2021-03-08T19:20:02Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 11:20:02","IsoTimestamp":"2021-03-08T19:20:02Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"PasswordManager","Action":"Store 
password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountA"},{"Name":"Address","Value":"components"},{"Name":"ResetImmediately","Value":"ChangeTask"},{"Name":"InProcess","Value":"ChangeTask"},{"Name":"SequenceID","Value":"26"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"StartChangeNotBefore","Value":"1615231182"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1614785704"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"1"},{"Name":"DualAccountStatus","Value":"Inactive"},{"Name":"VirtualUsername","Value":"virtual"}]}}}}
+<5>1 2021-03-10T14:38:57Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 06:38:57","IsoTimestamp":"2021-03-10T14:38:57Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"PasswordManager","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Groups\\WindowsGroup","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WindowsDesktopLocalAccountsRotationalPolicy"},{"Name":"InProcess","Value":"ChangeTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"LastSuccessChange","Value":"1615387136"},{"Name":"CurrInd","Value":"1"}]}}}}
+<5>1 2021-03-10T17:58:06Z VAULT 
{"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:58:06","IsoTimestamp":"2021-03-10T17:58:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"Administrator","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSMServer","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":""}}}
+<5>1 2021-03-10T22:17:26Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:26","IsoTimestamp":"2021-03-10T22:17:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"Administrator","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSM-ASR-CYBERARK-WI","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":""}}}
+<5>1 2021-03-10T23:39:25Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 15:39:25","IsoTimestamp":"2021-03-10T23:39:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"PasswordManager","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store 
password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountB"},{"Name":"Address","Value":"components"},{"Name":"ResetImmediately","Value":"ChangeTask"},{"Name":"InProcess","Value":"ChangeTask"},{"Name":"SequenceID","Value":"24"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"StartChangeNotBefore","Value":"1615419536"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1614868762"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"2"},{"Name":"DualAccountStatus","Value":"Inactive"},{"Name":"VirtualUsername","Value":"virtual"}]}}}}
+<5>1 2021-03-14T11:48:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 04:48:26\n 2021-03-14T11:48:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 294\n Store password\n Info\n PasswordManager\n Store password\n \n \n Test\n Root\\Groups\\WindowsGroup\n 10.0.1.20\n \n \n \n \n \n Store password\n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 04:48:26","IsoTimestamp":"2021-03-14T11:48:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"PasswordManager","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Groups\\WindowsGroup","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WindowsDesktopLocalAccountsRotationalPolicy"},{"Name":"InProcess","Value":"ChangeTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"LastSuccessChange","Value":"1615722505"},{"Name":"CurrInd","Value":"2"}]}}}}
+<5>1 
2021-03-15T10:12:21Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:12:21\n 2021-03-15T10:12:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 294\n Store password\n Info\n PasswordManager\n Store password\n \n \n Test\n Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\n 10.0.1.20\n \n \n \n \n \n Store password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:12:21","IsoTimestamp":"2021-03-15T10:12:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"PasswordManager","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountA"},{"Name":"Address","Value":"components"},{"Name":"ResetImmediately","Value":"ChangeTask"},{"Name":"InProcess","Value":"ChangeTask"},{"Name":"SequenceID","Value":"27"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"StartChangeNotBefore","Value":"1615754905"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1615231204"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"1"},{"Name":"DualAccountStatus","Value":"Inactive"},{"Name":"VirtualUsername","Value":"virtual"}]}}}}
+<5>1 2021-03-15T13:13:01Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:13:01\n 2021-03-15T13:13:01Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 294\n Store password\n Info\n 
Administrator\n Store password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 127.0.0.1\n \n \n \n \n \n Store password\n 10.0.1.20\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:13:01","IsoTimestamp":"2021-03-15T13:13:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"Administrator","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615813465"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/294_store_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/294_store_password.log-expected.json
new file mode 100644
index 00000000000..753a431e5e6
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/294_store_password.log-expected.json
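Review bot: Several of these samples carry what look like real, non-private addresses in `Station` and in the `Address` CA property (the 5th, 6th and 10th lines), plus what appears to be a personal account name in the 2nd line's `File` field, and the 273 expected output earlier in this diff shows the pipeline geo-enriches such addresses down to city level. Checked-in fixtures are better served by RFC 5737 documentation ranges (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`) and synthetic names, so the repository does not publish operator infrastructure details and the expected files do not depend on a GeoIP database snapshot. The 10th line also places `CPMErrorDetails` free text into `ca_properties`, which is mapped as `flattened`; that is fine for storage but worth a sentence in the fileset docs since unbounded vendor text lands in an indexed field.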
@@ -0,0 +1,522 @@ +[ + { + "@timestamp": "2021-03-08T10:19:42.000Z", + "cyberarkpas.audit.action": "Store password", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.curr_ind": "2", + "cyberarkpas.audit.ca_properties.in_process": "ChangeTask", + "cyberarkpas.audit.ca_properties.last_success_change": "1615198782", + "cyberarkpas.audit.ca_properties.last_task": "ChangeTask", + "cyberarkpas.audit.ca_properties.policy_id": "WindowsDesktopLocalAccountsRotationalPolicy", + "cyberarkpas.audit.desc": "Store password", + "cyberarkpas.audit.file": "Root\\Groups\\WindowsGroup", + "cyberarkpas.audit.iso_timestamp": "2021-03-08T10:19:42Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Store password", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 08 02:19:42", + "event.action": "store password", + "event.code": "294", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Groups\\WindowsGroup", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-08T18:24:49.000Z", + "cyberarkpas.audit.action": "Store password", + "cyberarkpas.audit.desc": "Store password", + "cyberarkpas.audit.file": "Root\\Operating System-WinDesktopLocal-Address-adriansr", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + 
"cyberarkpas.audit.iso_timestamp": "2021-03-08T18:24:49Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Store password", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 08 10:24:49", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "store password", + "event.code": "294", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Operating System-WinDesktopLocal-Address-adriansr", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 907, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-08T19:20:02.000Z", + "cyberarkpas.audit.action": "Store password", + "cyberarkpas.audit.ca_properties.address": "components", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.dual_account_status": "Inactive", + "cyberarkpas.audit.ca_properties.group_name": "WindowsGroup", + "cyberarkpas.audit.ca_properties.in_process": "ChangeTask", + "cyberarkpas.audit.ca_properties.index": "1", + "cyberarkpas.audit.ca_properties.last_success_change": "1614785704", + "cyberarkpas.audit.ca_properties.last_task": "ChangeTask", + "cyberarkpas.audit.ca_properties.policy_id": "WinDesktopLocal", 
+ "cyberarkpas.audit.ca_properties.reset_immediately": "ChangeTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.sequence_id": "26", + "cyberarkpas.audit.ca_properties.start_change_not_before": "1615231182", + "cyberarkpas.audit.ca_properties.user_name": "x_accountA", + "cyberarkpas.audit.ca_properties.virtual_username": "virtual", + "cyberarkpas.audit.desc": "Store password", + "cyberarkpas.audit.file": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA", + "cyberarkpas.audit.iso_timestamp": "2021-03-08T19:20:02Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Store password", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 08 11:20:02", + "event.action": "store password", + "event.code": "294", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1541, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T14:38:57.000Z", + "cyberarkpas.audit.action": "Store password", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.curr_ind": "1", + "cyberarkpas.audit.ca_properties.in_process": "ChangeTask", + 
"cyberarkpas.audit.ca_properties.last_success_change": "1615387136", + "cyberarkpas.audit.ca_properties.last_task": "ChangeTask", + "cyberarkpas.audit.ca_properties.policy_id": "WindowsDesktopLocalAccountsRotationalPolicy", + "cyberarkpas.audit.desc": "Store password", + "cyberarkpas.audit.file": "Root\\Groups\\WindowsGroup", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T14:38:57Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Store password", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 10 06:38:57", + "event.action": "store password", + "event.code": "294", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Groups\\WindowsGroup", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2960, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T17:58:06.000Z", + "cyberarkpas.audit.action": "Store password", + "cyberarkpas.audit.desc": "Store password", + "cyberarkpas.audit.file": "Root\\PSMServer", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T17:58:06Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Store password", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 09:58:06", + "event.action": "store password", + 
"event.code": "294", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PSMServer", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 3867, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T22:17:26.000Z", + "cyberarkpas.audit.action": "Store password", + "cyberarkpas.audit.desc": "Store password", + "cyberarkpas.audit.file": "Root\\PSM-ASR-CYBERARK-WI", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T22:17:26Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Store password", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.timestamp": "Mar 10 14:17:26", + "event.action": "store password", + "event.code": "294", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PSM-ASR-CYBERARK-WI", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 4455, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + 
"observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "35.192.121.42" + ], + "service.type": "cyberarkpas", + "source.address": "35.192.121.42", + "source.geo.city_name": "Council Bluffs", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 41.2591, + "source.geo.location.lon": -95.8517, + "source.geo.region_iso_code": "US-IA", + "source.geo.region_name": "Iowa", + "source.ip": "35.192.121.42", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T23:39:25.000Z", + "cyberarkpas.audit.action": "Store password", + "cyberarkpas.audit.ca_properties.address": "components", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.dual_account_status": "Inactive", + "cyberarkpas.audit.ca_properties.group_name": "WindowsGroup", + "cyberarkpas.audit.ca_properties.in_process": "ChangeTask", + "cyberarkpas.audit.ca_properties.index": "2", + "cyberarkpas.audit.ca_properties.last_success_change": "1614868762", + "cyberarkpas.audit.ca_properties.last_task": "ChangeTask", + "cyberarkpas.audit.ca_properties.policy_id": "WinDesktopLocal", + "cyberarkpas.audit.ca_properties.reset_immediately": "ChangeTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.sequence_id": "24", + "cyberarkpas.audit.ca_properties.start_change_not_before": "1615419536", + "cyberarkpas.audit.ca_properties.user_name": "x_accountB", + "cyberarkpas.audit.ca_properties.virtual_username": "virtual", + "cyberarkpas.audit.desc": "Store password", + "cyberarkpas.audit.file": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T23:39:25Z", + 
"cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Store password", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 10 15:39:25", + "event.action": "store password", + "event.code": "294", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 5053, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-14T11:48:26.000Z", + "cyberarkpas.audit.action": "Store password", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.curr_ind": "2", + "cyberarkpas.audit.ca_properties.in_process": "ChangeTask", + "cyberarkpas.audit.ca_properties.last_success_change": "1615722505", + "cyberarkpas.audit.ca_properties.last_task": "ChangeTask", + "cyberarkpas.audit.ca_properties.policy_id": "WindowsDesktopLocalAccountsRotationalPolicy", + "cyberarkpas.audit.desc": "Store password", + "cyberarkpas.audit.file": "Root\\Groups\\WindowsGroup", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T11:48:26Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Store password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 04:48:26\n 2021-03-14T11:48:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 294\n Store password\n Info\n PasswordManager\n 
Store password\n \n \n Test\n Root\\Groups\\WindowsGroup\n 10.0.1.20\n \n \n \n \n \n Store password\n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 14 04:48:26", + "event.action": "store password", + "event.code": "294", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Groups\\WindowsGroup", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 6472, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-15T10:12:21.000Z", + "cyberarkpas.audit.action": "Store password", + "cyberarkpas.audit.ca_properties.address": "components", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.dual_account_status": "Inactive", + "cyberarkpas.audit.ca_properties.group_name": "WindowsGroup", + "cyberarkpas.audit.ca_properties.in_process": "ChangeTask", + "cyberarkpas.audit.ca_properties.index": "1", + "cyberarkpas.audit.ca_properties.last_success_change": "1615231204", + "cyberarkpas.audit.ca_properties.last_task": "ChangeTask", + "cyberarkpas.audit.ca_properties.policy_id": "WinDesktopLocal", + "cyberarkpas.audit.ca_properties.reset_immediately": "ChangeTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + 
"cyberarkpas.audit.ca_properties.sequence_id": "27", + "cyberarkpas.audit.ca_properties.start_change_not_before": "1615754905", + "cyberarkpas.audit.ca_properties.user_name": "x_accountA", + "cyberarkpas.audit.ca_properties.virtual_username": "virtual", + "cyberarkpas.audit.desc": "Store password", + "cyberarkpas.audit.file": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T10:12:21Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Store password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:12:21\n 2021-03-15T10:12:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 294\n Store password\n Info\n PasswordManager\n Store password\n \n \n Test\n Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\n 10.0.1.20\n \n \n \n \n \n Store password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 03:12:21", + "event.action": "store password", + "event.code": "294", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 8761, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-15T13:13:01.000Z", 
+ "cyberarkpas.audit.action": "Store password", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615813465", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "Store password", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T13:13:01Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Store password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 06:13:01\n 2021-03-15T13:13:01Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 294\n Store password\n Info\n Administrator\n Store password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 127.0.0.1\n \n \n \n \n \n Store password\n 10.0.1.20\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 15 06:13:01", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "store password", + "event.code": 
"294", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 12415, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/295_retrieve_password.log b/x-pack/filebeat/module/cyberarkpas/audit/test/295_retrieve_password.log new file mode 100644 index 00000000000..b7413a20012 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/295_retrieve_password.log 
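Review bot: The Store password (294) events in this expected output carry no `user.name`, `related.user`, `event.category` or `event.type`, whereas the Retrieve password (295) output that follows maps Issuer to `user.name`/`related.user` and sets `event.category: ["iam"]`, `event.type` and `event.outcome`. The record with issuer Administrator from 81.32.170.205 (the one with `source.geo.*` fields) is therefore invisible to any user-centric or ECS-category-based detection rule, even though a credential being stored by an interactive user from a public address is exactly what such rules look for. Since this file is regenerated from the pipeline, the fix belongs in the ingest pipeline's handling of message id 294 rather than here: populate `user.name` and `related.user` from `cyberarkpas.audit.issuer` as is done for 295, and assign a category/type pair for the store operation (`event.category: ["iam"]`, `event.type: ["change"]` would be consistent with ECS). The `cyberarkpas.audit.raw` copy of the entire XML record kept in several events roughly doubles per-event storage; if that is deliberate, a short comment in the fileset's pipeline or fields definition saying why would help the next maintainer.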
@@ -0,0 +1,13 @@ +{"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 295\n Retrieve password\n Info\n Prov_PVWA\n Retrieve password\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\n 10.2.0.3\n \n \n \n AIM password request\n \n Retrieve password\n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"295","IsoTimestamp":"2021-03-16T15:01:00Z","Desc":"Retrieve password","Severity":"Info","Issuer":"Prov_PVWA","Action":"Retrieve password","SourceUser":"","TargetUser":"","Safe":"Linux","File":"Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2","Station":"10.2.0.3","Location":"","Category":"","RequestId":"","Reason":"AIM password request","ExtraDetails":"","Message":"Retrieve password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"LINUX-SSH"},{"Name":"UserName","Value":"admin2"},{"Name":"Address","Value":"radiussrv.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"CPMDisabled","Value":"No Reason"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Customer","Value":"Nobody"}]}}}} +{"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 295\n Retrieve password\n Info\n adm2\n Retrieve password\n \n \n Windows\n Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\n 10.2.0.6\n \n \n \n (Action: Show Password)\n \n \n Show Password\n \n\n \n Retrieve password\n 10.2.0.3\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"295","IsoTimestamp":"2021-03-16T15:01:00Z","Desc":"Retrieve password","Severity":"Info","Issuer":"adm2","Action":"Retrieve password","SourceUser":"","TargetUser":"","Safe":"Windows","File":"Root\\Operating 
System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2","Station":"10.2.0.6","Location":"","Category":"","RequestId":"","Reason":"(Action: Show Password)","PvwaDetails":{"RetrieveReason":{"General":{"RetrieveAction":"Show Password"}}},"ExtraDetails":"","Message":"Retrieve password","GatewayStation":"10.2.0.3","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WIN-SERVER-LOCAL"},{"Name":"UserName","Value":"Administrator2"},{"Name":"Address","Value":"dbserver.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"LogonDomain","Value":"DBServer"},{"Name":"SequenceID","Value":"1"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"success"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"LastSuccessReconciliation","Value":"1604944215"},{"Name":"Customer","Value":"EvilCorp"}]}}}} +<5>1 2021-03-08T18:16:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:16:51","IsoTimestamp":"2021-03-08T18:16:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"295","Desc":"Retrieve password","Severity":"Info","Issuer":"Administrator","Action":"Retrieve password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\testobject","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"testing","ExtraDetails":"","Message":"Retrieve password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"test"},{"Name":"Address","Value":"test"},{"Name":"CPMDisabled","Value":"testing"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-08T19:19:59Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 
11:19:59","IsoTimestamp":"2021-03-08T19:19:59Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"295","Desc":"Retrieve password","Severity":"Info","Issuer":"PasswordManager","Action":"Retrieve password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"CPM","ExtraDetails":"","Message":"Retrieve password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountA"},{"Name":"Address","Value":"components"},{"Name":"ResetImmediately","Value":"ChangeTask"},{"Name":"InProcess","Value":"ChangeTask"},{"Name":"SequenceID","Value":"26"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"StartChangeNotBefore","Value":"1615231182"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1614785704"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"1"},{"Name":"DualAccountStatus","Value":"Inactive"},{"Name":"VirtualUsername","Value":"virtual"}]}}}} +<5>1 2021-03-08T19:20:02Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 11:20:02","IsoTimestamp":"2021-03-08T19:20:02Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"295","Desc":"Retrieve password","Severity":"Info","Issuer":"PasswordManager","Action":"Retrieve password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Groups\\WindowsGroup","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"CPM","ExtraDetails":"","Message":"Retrieve 
password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WindowsDesktopLocalAccountsRotationalPolicy"},{"Name":"CPMStatus","Value":"success"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"LastSuccessChange","Value":"1615198782"},{"Name":"CurrInd","Value":"2"}]}}}} +<5>1 2021-03-10T14:40:37Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 06:40:37","IsoTimestamp":"2021-03-10T14:40:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"295","Desc":"Retrieve password","Severity":"Info","Issuer":"Prov_COMPONENTS","Action":"Retrieve password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"Application provider background refresh job","ExtraDetails":"","Message":"Retrieve password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountA"},{"Name":"Address","Value":"components"},{"Name":"SequenceID","Value":"27"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1615231204"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"1"},{"Name":"DualAccountStatus","Value":"Active"},{"Name":"VirtualUsername","Value":"virtual"}]}}}} +<5>1 2021-03-10T18:27:57Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:27:57","IsoTimestamp":"2021-03-10T18:27:57Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"295","Desc":"Retrieve password","Severity":"Info","Issuer":"Administrator","Action":"Retrieve 
password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSMAdmin","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"test","ExtraDetails":"","Message":"Retrieve password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"UserName","Value":"PSMAdminConnect"},{"Name":"Address","Value":"169.254.180.25"},{"Name":"LogonDomain","Value":"VAGRANT-2012-R2"}]}}}} +<5>1 2021-03-10T18:28:07Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:28:07","IsoTimestamp":"2021-03-10T18:28:07Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"295","Desc":"Retrieve password","Severity":"Info","Issuer":"Administrator","Action":"Retrieve password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSMServer","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"test","ExtraDetails":"","Message":"Retrieve password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"UserName","Value":"PSMConnect"},{"Name":"Address","Value":"169.254.180.25"},{"Name":"LogonDomain","Value":"VAGRANT-2012-R2"}]}}}} +<5>1 2021-03-10T23:39:22Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 15:39:22","IsoTimestamp":"2021-03-10T23:39:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"295","Desc":"Retrieve password","Severity":"Info","Issuer":"PasswordManager","Action":"Retrieve password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"CPM","ExtraDetails":"","Message":"Retrieve 
password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountB"},{"Name":"Address","Value":"components"},{"Name":"ResetImmediately","Value":"ChangeTask"},{"Name":"InProcess","Value":"ChangeTask"},{"Name":"SequenceID","Value":"24"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"StartChangeNotBefore","Value":"1615419536"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1614868762"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"2"},{"Name":"DualAccountStatus","Value":"Inactive"},{"Name":"VirtualUsername","Value":"virtual"}]}}}} +<5>1 2021-03-10T23:39:25Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 15:39:25","IsoTimestamp":"2021-03-10T23:39:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"295","Desc":"Retrieve password","Severity":"Info","Issuer":"PasswordManager","Action":"Retrieve password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Groups\\WindowsGroup","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"CPM","ExtraDetails":"","Message":"Retrieve password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WindowsDesktopLocalAccountsRotationalPolicy"},{"Name":"CPMStatus","Value":"success"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"LastSuccessChange","Value":"1615387136"},{"Name":"CurrInd","Value":"1"}]}}}} +<5>1 2021-03-11T16:41:21Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:41:21\n 2021-03-11T16:41:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 295\n Retrieve password\n Info\n Administrator\n Retrieve password\n \n \n PSM\n Root\\PSMAdmin\n 127.0.0.1\n \n \n \n lksajdflkasdf\n \n Retrieve password\n 
\n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:41:21","IsoTimestamp":"2021-03-11T16:41:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"295","Desc":"Retrieve password","Severity":"Info","Issuer":"Administrator","Action":"Retrieve password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSMAdmin","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"lksajdflkasdf","ExtraDetails":"","Message":"Retrieve password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"UserName","Value":"PSMAdminConnect"},{"Name":"Address","Value":"169.254.180.25"},{"Name":"LogonDomain","Value":"VAGRANT-2012-R2"}]}}}} +<5>1 2021-03-11T16:50:28Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:50:28\n 2021-03-11T16:50:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 295\n Retrieve password\n Info\n PVWAAppUser\n Retrieve password\n \n \n PSM\n Root\\PSMServer\n 10.0.1.20\n \n \n \n \n \n Retrieve password\n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:50:28","IsoTimestamp":"2021-03-11T16:50:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"295","Desc":"Retrieve password","Severity":"Info","Issuer":"PVWAAppUser","Action":"Retrieve password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSMServer","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Retrieve password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"UserName","Value":"PSMConnect"},{"Name":"Address","Value":"169.254.180.25"},{"Name":"LogonDomain","Value":"VAGRANT-2012-R2"}]}}}} +<5>1 2021-03-11T16:54:20Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:54:20\n 2021-03-11T16:54:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 295\n Retrieve password\n Info\n Administrator\n Retrieve password\n 
\n \n PSM\n Root\\Operating System-UnixSSH-centos8-PSMApp_VAGRANT\n 127.0.0.1\n \n \n \n sdfsdf\n \n Retrieve password\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:54:20","IsoTimestamp":"2021-03-11T16:54:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"295","Desc":"Retrieve password","Severity":"Info","Issuer":"Administrator","Action":"Retrieve password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSH-centos8-PSMApp_VAGRANT","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"sdfsdf","ExtraDetails":"","Message":"Retrieve password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"PSMApp_VAGRANT"},{"Name":"Address","Value":"centos8"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/295_retrieve_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/295_retrieve_password.log-expected.json new file mode 100644 index 00000000000..e3afb5cf05a --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/295_retrieve_password.log-expected.json 
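Review bot: Every record in this fixture has `Severity` `Info`, so the expected output it drives only ever shows `event.outcome: success`; if the pipeline derives outcome from Severity (or from the absence of a failure marker), the failure branch for message id 295 is never exercised by this file, and one captured record with a non-Info severity would pin that mapping. The first two records (`Rfc5424: no`, no syslog header, no Hostname) yield output without `host.name`/`observer.hostname`, which is faithful to the input but means events arriving over the non-RFC 5424 transport cannot be attributed to a vault host; presumably `host.name` comes from the record's Hostname, so a line in the module docs stating that `host.name` is absent for non-RFC 5424 input would save analysts a surprise. The second record is also the only one carrying `PvwaDetails`, so the `pvwa_details.retrieve_reason.general.retrieve_action` flattening is covered by a single case.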
@@ -0,0 +1,880 @@ +[ + { + "@timestamp": "2021-03-16T15:01:00.000Z", + "cyberarkpas.audit.action": "Retrieve password", + "cyberarkpas.audit.ca_properties.address": "radiussrv.cyberark.local", + "cyberarkpas.audit.ca_properties.cpm_disabled": "No Reason", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.customer": "Nobody", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "LINUX-SSH", + "cyberarkpas.audit.ca_properties.user_name": "admin2", + "cyberarkpas.audit.desc": "Retrieve password", + "cyberarkpas.audit.file": "Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2", + "cyberarkpas.audit.iso_timestamp": "2021-03-16T15:01:00Z", + "cyberarkpas.audit.issuer": "Prov_PVWA", + "cyberarkpas.audit.message": "Retrieve password", + "cyberarkpas.audit.raw": "\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 295\n Retrieve password\n Info\n Prov_PVWA\n Retrieve password\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\n 10.2.0.3\n \n \n \n AIM password request\n \n Retrieve password\n \n \n \n \n \n \n \n \n \n \n \n", + "cyberarkpas.audit.reason": "AIM password request", + "cyberarkpas.audit.rfc5424": false, + "cyberarkpas.audit.safe": "Linux", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.2.0.3", + "destination.address": "radiussrv.cyberark.local", + "destination.domain": "radiussrv.cyberark.local", + "destination.user.name": "admin2", + "event.action": "retrieve password", + "event.category": [ + "iam" + ], + "event.code": "295", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.reason": "AIM password request", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2", + "fileset.name": 
"audit", + "input.type": "log", + "log.offset": 0, + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.6.0000", + "related.ip": [ + "10.2.0.3" + ], + "related.user": [ + "Prov_PVWA", + "admin2" + ], + "service.type": "cyberarkpas", + "source.address": "10.2.0.3", + "source.ip": "10.2.0.3", + "source.user.name": "Prov_PVWA", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Prov_PVWA" + }, + { + "@timestamp": "2021-03-16T15:01:00.000Z", + "cyberarkpas.audit.action": "Retrieve password", + "cyberarkpas.audit.ca_properties.address": "dbserver.cyberark.local", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.customer": "EvilCorp", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_success_reconciliation": "1604944215", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.logon_domain": "DBServer", + "cyberarkpas.audit.ca_properties.policy_id": "WIN-SERVER-LOCAL", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.sequence_id": "1", + "cyberarkpas.audit.ca_properties.user_name": "Administrator2", + "cyberarkpas.audit.desc": "Retrieve password", + "cyberarkpas.audit.file": "Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2", + "cyberarkpas.audit.gateway_station": "10.2.0.3", + "cyberarkpas.audit.iso_timestamp": "2021-03-16T15:01:00Z", + "cyberarkpas.audit.issuer": "adm2", + "cyberarkpas.audit.message": "Retrieve password", + "cyberarkpas.audit.pvwa_details.retrieve_reason.general.retrieve_action": "Show Password", + "cyberarkpas.audit.raw": "\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 295\n Retrieve password\n Info\n adm2\n Retrieve password\n \n \n Windows\n Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\n 
10.2.0.6\n \n \n \n (Action: Show Password)\n \n \n Show Password\n \n\n \n Retrieve password\n 10.2.0.3\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n", + "cyberarkpas.audit.reason": "(Action: Show Password)", + "cyberarkpas.audit.rfc5424": false, + "cyberarkpas.audit.safe": "Windows", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.2.0.6", + "destination.address": "dbserver.cyberark.local", + "destination.domain": "dbserver.cyberark.local", + "destination.user.name": "Administrator2", + "event.action": "retrieve password", + "event.category": [ + "iam" + ], + "event.code": "295", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.reason": "(Action: Show Password)", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2", + "fileset.name": "audit", + "input.type": "log", + "log.offset": 2272, + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.6.0000", + "related.ip": [ + "10.2.0.6", + "10.2.0.3" + ], + "related.user": [ + "adm2", + "Administrator2" + ], + "service.type": "cyberarkpas", + "source.address": "10.2.0.6", + "source.ip": "10.2.0.6", + "source.user.name": "adm2", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "adm2" + }, + { + "@timestamp": "2021-03-08T18:16:51.000Z", + "cyberarkpas.audit.action": "Retrieve password", + "cyberarkpas.audit.ca_properties.address": "test", + "cyberarkpas.audit.ca_properties.cpm_disabled": "testing", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "WinDesktopLocal", + "cyberarkpas.audit.ca_properties.user_name": "test", + "cyberarkpas.audit.desc": "Retrieve password", + 
"cyberarkpas.audit.file": "Root\\testobject", + "cyberarkpas.audit.iso_timestamp": "2021-03-08T18:16:51Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Retrieve password", + "cyberarkpas.audit.reason": "testing", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 08 10:16:51", + "destination.address": "test", + "destination.domain": "test", + "destination.user.name": "test", + "event.action": "retrieve password", + "event.category": [ + "iam" + ], + "event.code": "295", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.reason": "testing", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\testobject", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 5424, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "Administrator", + "test" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-08T19:19:59.000Z", + "cyberarkpas.audit.action": "Retrieve password", + "cyberarkpas.audit.ca_properties.address": "components", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.dual_account_status": "Inactive", + "cyberarkpas.audit.ca_properties.group_name": "WindowsGroup", + 
"cyberarkpas.audit.ca_properties.in_process": "ChangeTask", + "cyberarkpas.audit.ca_properties.index": "1", + "cyberarkpas.audit.ca_properties.last_success_change": "1614785704", + "cyberarkpas.audit.ca_properties.last_task": "ChangeTask", + "cyberarkpas.audit.ca_properties.policy_id": "WinDesktopLocal", + "cyberarkpas.audit.ca_properties.reset_immediately": "ChangeTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.sequence_id": "26", + "cyberarkpas.audit.ca_properties.start_change_not_before": "1615231182", + "cyberarkpas.audit.ca_properties.user_name": "x_accountA", + "cyberarkpas.audit.ca_properties.virtual_username": "virtual", + "cyberarkpas.audit.desc": "Retrieve password", + "cyberarkpas.audit.file": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA", + "cyberarkpas.audit.iso_timestamp": "2021-03-08T19:19:59Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Retrieve password", + "cyberarkpas.audit.reason": "CPM", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 08 11:19:59", + "destination.address": "components", + "destination.domain": "components", + "destination.user.name": "x_accountA", + "event.action": "retrieve password", + "event.category": [ + "iam" + ], + "event.code": "295", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.reason": "CPM", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 6304, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + 
"observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PasswordManager", + "x_accountA" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-08T19:20:02.000Z", + "cyberarkpas.audit.action": "Retrieve password", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.curr_ind": "2", + "cyberarkpas.audit.ca_properties.last_success_change": "1615198782", + "cyberarkpas.audit.ca_properties.last_task": "ChangeTask", + "cyberarkpas.audit.ca_properties.policy_id": "WindowsDesktopLocalAccountsRotationalPolicy", + "cyberarkpas.audit.desc": "Retrieve password", + "cyberarkpas.audit.file": "Root\\Groups\\WindowsGroup", + "cyberarkpas.audit.iso_timestamp": "2021-03-08T19:20:02Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Retrieve password", + "cyberarkpas.audit.reason": "CPM", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 08 11:20:02", + "event.action": "retrieve password", + "event.category": [ + "iam" + ], + "event.code": "295", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.reason": "CPM", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Groups\\WindowsGroup", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 7735, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + 
"observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PasswordManager" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-10T14:40:37.000Z", + "cyberarkpas.audit.action": "Retrieve password", + "cyberarkpas.audit.ca_properties.address": "components", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.dual_account_status": "Active", + "cyberarkpas.audit.ca_properties.group_name": "WindowsGroup", + "cyberarkpas.audit.ca_properties.index": "1", + "cyberarkpas.audit.ca_properties.last_success_change": "1615231204", + "cyberarkpas.audit.ca_properties.last_task": "ChangeTask", + "cyberarkpas.audit.ca_properties.policy_id": "WinDesktopLocal", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.sequence_id": "27", + "cyberarkpas.audit.ca_properties.user_name": "x_accountA", + "cyberarkpas.audit.ca_properties.virtual_username": "virtual", + "cyberarkpas.audit.desc": "Retrieve password", + "cyberarkpas.audit.file": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T14:40:37Z", + "cyberarkpas.audit.issuer": "Prov_COMPONENTS", + "cyberarkpas.audit.message": "Retrieve password", + "cyberarkpas.audit.reason": "Application provider background refresh job", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 10 06:40:37", + "destination.address": "components", + "destination.domain": "components", + 
"destination.user.name": "x_accountA", + "event.action": "retrieve password", + "event.category": [ + "iam" + ], + "event.code": "295", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.reason": "Application provider background refresh job", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 8612, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "Prov_COMPONENTS", + "x_accountA" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "Prov_COMPONENTS", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Prov_COMPONENTS" + }, + { + "@timestamp": "2021-03-10T18:27:57.000Z", + "cyberarkpas.audit.action": "Retrieve password", + "cyberarkpas.audit.ca_properties.address": "169.254.180.25", + "cyberarkpas.audit.ca_properties.logon_domain": "VAGRANT-2012-R2", + "cyberarkpas.audit.ca_properties.user_name": "PSMAdminConnect", + "cyberarkpas.audit.desc": "Retrieve password", + "cyberarkpas.audit.file": "Root\\PSMAdmin", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T18:27:57Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Retrieve password", + "cyberarkpas.audit.reason": "test", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 10 10:27:57", + "destination.address": "169.254.180.25", + "destination.ip": "169.254.180.25", + 
"destination.user.name": "PSMAdminConnect", + "event.action": "retrieve password", + "event.category": [ + "iam" + ], + "event.code": "295", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.reason": "test", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\PSMAdmin", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 9938, + "log.syslog.priority": "5", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "169.254.180.25" + ], + "related.user": [ + "Administrator", + "PSMAdminConnect" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-10T18:28:07.000Z", + "cyberarkpas.audit.action": "Retrieve password", + "cyberarkpas.audit.ca_properties.address": "169.254.180.25", + "cyberarkpas.audit.ca_properties.logon_domain": "VAGRANT-2012-R2", + "cyberarkpas.audit.ca_properties.user_name": "PSMConnect", + "cyberarkpas.audit.desc": "Retrieve password", + "cyberarkpas.audit.file": "Root\\PSMServer", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T18:28:07Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Retrieve password", + "cyberarkpas.audit.reason": "test", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 10 10:28:07", + "destination.address": "169.254.180.25", + "destination.ip": "169.254.180.25", + "destination.user.name": "PSMConnect", + "event.action": 
"retrieve password", + "event.category": [ + "iam" + ], + "event.code": "295", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.reason": "test", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\PSMServer", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 10705, + "log.syslog.priority": "5", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "169.254.180.25" + ], + "related.user": [ + "Administrator", + "PSMConnect" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-10T23:39:22.000Z", + "cyberarkpas.audit.action": "Retrieve password", + "cyberarkpas.audit.ca_properties.address": "components", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.dual_account_status": "Inactive", + "cyberarkpas.audit.ca_properties.group_name": "WindowsGroup", + "cyberarkpas.audit.ca_properties.in_process": "ChangeTask", + "cyberarkpas.audit.ca_properties.index": "2", + "cyberarkpas.audit.ca_properties.last_success_change": "1614868762", + "cyberarkpas.audit.ca_properties.last_task": "ChangeTask", + "cyberarkpas.audit.ca_properties.policy_id": "WinDesktopLocal", + "cyberarkpas.audit.ca_properties.reset_immediately": "ChangeTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.sequence_id": "24", + 
"cyberarkpas.audit.ca_properties.start_change_not_before": "1615419536", + "cyberarkpas.audit.ca_properties.user_name": "x_accountB", + "cyberarkpas.audit.ca_properties.virtual_username": "virtual", + "cyberarkpas.audit.desc": "Retrieve password", + "cyberarkpas.audit.file": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T23:39:22Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Retrieve password", + "cyberarkpas.audit.reason": "CPM", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 10 15:39:22", + "destination.address": "components", + "destination.domain": "components", + "destination.user.name": "x_accountB", + "event.action": "retrieve password", + "event.category": [ + "iam" + ], + "event.code": "295", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.reason": "CPM", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 11468, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PasswordManager", + "x_accountB" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-10T23:39:25.000Z", + 
"cyberarkpas.audit.action": "Retrieve password", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.curr_ind": "1", + "cyberarkpas.audit.ca_properties.last_success_change": "1615387136", + "cyberarkpas.audit.ca_properties.last_task": "ChangeTask", + "cyberarkpas.audit.ca_properties.policy_id": "WindowsDesktopLocalAccountsRotationalPolicy", + "cyberarkpas.audit.desc": "Retrieve password", + "cyberarkpas.audit.file": "Root\\Groups\\WindowsGroup", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T23:39:25Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Retrieve password", + "cyberarkpas.audit.reason": "CPM", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 10 15:39:25", + "event.action": "retrieve password", + "event.category": [ + "iam" + ], + "event.code": "295", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.reason": "CPM", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Groups\\WindowsGroup", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 12899, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PasswordManager" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-11T16:41:21.000Z", + "cyberarkpas.audit.action": "Retrieve password", + 
"cyberarkpas.audit.ca_properties.address": "169.254.180.25", + "cyberarkpas.audit.ca_properties.logon_domain": "VAGRANT-2012-R2", + "cyberarkpas.audit.ca_properties.user_name": "PSMAdminConnect", + "cyberarkpas.audit.desc": "Retrieve password", + "cyberarkpas.audit.file": "Root\\PSMAdmin", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:41:21Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Retrieve password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:41:21\n 2021-03-11T16:41:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 295\n Retrieve password\n Info\n Administrator\n Retrieve password\n \n \n PSM\n Root\\PSMAdmin\n 127.0.0.1\n \n \n \n lksajdflkasdf\n \n Retrieve password\n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "lksajdflkasdf", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 11 08:41:21", + "destination.address": "169.254.180.25", + "destination.ip": "169.254.180.25", + "destination.user.name": "PSMAdminConnect", + "event.action": "retrieve password", + "event.category": [ + "iam" + ], + "event.code": "295", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.reason": "lksajdflkasdf", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\PSMAdmin", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 13776, + "log.syslog.priority": "5", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "169.254.180.25" + ], + "related.user": [ + "Administrator", + "PSMAdminConnect" + ], + "service.type": "cyberarkpas", + "source.address": 
"127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-11T16:50:28.000Z", + "cyberarkpas.audit.action": "Retrieve password", + "cyberarkpas.audit.ca_properties.address": "169.254.180.25", + "cyberarkpas.audit.ca_properties.logon_domain": "VAGRANT-2012-R2", + "cyberarkpas.audit.ca_properties.user_name": "PSMConnect", + "cyberarkpas.audit.desc": "Retrieve password", + "cyberarkpas.audit.file": "Root\\PSMServer", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:50:28Z", + "cyberarkpas.audit.issuer": "PVWAAppUser", + "cyberarkpas.audit.message": "Retrieve password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:50:28\n 2021-03-11T16:50:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 295\n Retrieve password\n Info\n PVWAAppUser\n Retrieve password\n \n \n PSM\n Root\\PSMServer\n 10.0.1.20\n \n \n \n \n \n Retrieve password\n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 11 08:50:28", + "destination.address": "169.254.180.25", + "destination.ip": "169.254.180.25", + "destination.user.name": "PSMConnect", + "event.action": "retrieve password", + "event.category": [ + "iam" + ], + "event.code": "295", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\PSMServer", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 15710, + "log.syslog.priority": "5", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + 
"related.ip": [ + "10.0.1.20", + "169.254.180.25" + ], + "related.user": [ + "PVWAAppUser", + "PSMConnect" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PVWAAppUser", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PVWAAppUser" + }, + { + "@timestamp": "2021-03-11T16:54:20.000Z", + "cyberarkpas.audit.action": "Retrieve password", + "cyberarkpas.audit.ca_properties.address": "centos8", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.user_name": "PSMApp_VAGRANT", + "cyberarkpas.audit.desc": "Retrieve password", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-centos8-PSMApp_VAGRANT", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:54:20Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Retrieve password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:54:20\n 2021-03-11T16:54:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 295\n Retrieve password\n Info\n Administrator\n Retrieve password\n \n \n PSM\n Root\\Operating System-UnixSSH-centos8-PSMApp_VAGRANT\n 127.0.0.1\n \n \n \n sdfsdf\n \n Retrieve password\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "sdfsdf", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 11 08:54:20", + "destination.address": "centos8", + "destination.domain": "centos8", + "destination.user.name": "PSMApp_VAGRANT", + "event.action": "retrieve password", + "event.category": [ + "iam" + ], + "event.code": "295", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.reason": "sdfsdf", + 
"event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Operating System-UnixSSH-centos8-PSMApp_VAGRANT", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 17606, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1" + ], + "related.user": [ + "Administrator", + "PSMApp_VAGRANT" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/300_psm_connect.log b/x-pack/filebeat/module/cyberarkpas/audit/test/300_psm_connect.log new file mode 100644 index 00000000000..74928df0a23 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/300_psm_connect.log 
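Review bot: `cyberarkpas.audit.raw` is retained on the first two events of this golden file (the 2021-03-16 records) and on the last three (2021-03-11), but is absent from the nine events in between, even though all fourteen are parsed from the same fixture; if those nine fixture lines simply carried no `raw` key that is fine, but if the pipeline drops `raw` only on some path, the expected output should show one consistent document shape. Keeping `raw` re-indexes the whole audit record a second time in every document, including the free-text `Reason` that already lands in `event.reason`, so the pipeline should either `remove` `cyberarkpas.audit.raw` once the structured fields are populated or carry a comment explaining why it is kept. Separately, `network.direction` appears only on the events whose destination resolved to `destination.ip` and is missing from those with `destination.domain`; that is presumably an IP-based classification, but it is worth a one-line comment in the pipeline so readers of this file do not read the gap as a parsing failure.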
@@ -0,0 +1,17 @@ +{"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\n 10.2.0.7\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"300","IsoTimestamp":"2021-03-16T15:01:00Z","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"Linux","File":"Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2","Station":"10.2.0.7","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"LINUX-SSH"},{"Name":"UserName","Value":"admin2"},{"Name":"Address","Value":"radiussrv.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"CPMDisabled","Value":"No Reason"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Customer","Value":"Tesla"}]}}}} +<5>1 2021-03-11T17:38:20Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:20\n 2021-03-11T17:38:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n 
ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:20","IsoTimestamp":"2021-03-11T17:38:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:46:56Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:46:56\n 2021-03-11T17:46:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:46:56","IsoTimestamp":"2021-03-11T17:46:56Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM 
Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:48:34Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:34\n 2021-03-11T17:48:34Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:34","IsoTimestamp":"2021-03-11T17:48:34Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM 
Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:54:56Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:54:56\n 2021-03-11T17:54:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:54:56","IsoTimestamp":"2021-03-11T17:54:56Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:56:37Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:56:37\n 2021-03-11T17:56:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n 
Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:56:37","IsoTimestamp":"2021-03-11T17:56:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T20:23:25Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:23:25\n 2021-03-11T20:23:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 
12:23:25","IsoTimestamp":"2021-03-11T20:23:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-14T13:49:37Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:37\n 2021-03-14T13:49:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:37","IsoTimestamp":"2021-03-14T13:49:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-14T13:50:43Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:50:43\n 2021-03-14T13:50:43Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:50:43","IsoTimestamp":"2021-03-14T13:50:43Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:31:56Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:31:56\n 2021-03-15T10:31:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:31:56","IsoTimestamp":"2021-03-15T10:31:56Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:33:39Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:33:39\n 2021-03-15T10:33:39Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:33:39","IsoTimestamp":"2021-03-15T10:33:39Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:35:00Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:35:00\n 2021-03-15T10:35:00Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:35:00","IsoTimestamp":"2021-03-15T10:35:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T13:18:31Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:18:31\n 2021-03-15T13:18:31Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:18:31","IsoTimestamp":"2021-03-15T13:18:31Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating 
System-UnixSSHKeys-34.123.103.115-adrian","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T14:08:06Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:06\n 2021-03-15T14:08:06Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:08:06","IsoTimestamp":"2021-03-15T14:08:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;","Message":"PSM 
Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T14:08:28Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:28\n 2021-03-15T14:08:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:08:28","IsoTimestamp":"2021-03-15T14:08:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;","Message":"PSM 
Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<5>1 2021-03-15T14:11:09Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:11:09\n 2021-03-15T14:11:09Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:11:09","IsoTimestamp":"2021-03-15T14:11:09Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<5>1 2021-03-16T10:04:51Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 16 03:04:51\n 2021-03-16T10:04:51Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b222ac9-c2ad-49ea-9c4e-6829940f58d4;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 16 03:04:51","IsoTimestamp":"2021-03-16T10:04:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM 
Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b222ac9-c2ad-49ea-9c4e-6829940f58d4;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"4"},{"Name":"LastFailDate","Value":"1615888216"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/300_psm_connect.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/300_psm_connect.log-expected.json new file mode 100644 index 00000000000..28962b3bcb7 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/300_psm_connect.log-expected.json 
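Review bot: The fixture carries values that look like they were captured from a live environment rather than constructed for a test: Station/DstHost/SrcHost addresses `81.32.170.205`, `34.123.103.115` and `34.71.250.247` appear to be publicly routable, and the first record also names the host `radiussrv.cyberark.local` and a CAProperty `Customer=Tesla`. A parser fixture does not need genuine endpoints, so substituting RFC 5737 documentation addresses (for example `192.0.2.10`) and a neutral customer label, then regenerating `300_psm_connect.log-expected.json` with the same substitution, would keep the test equally useful without publishing what may be real infrastructure details; the `10.x` and `127.0.0.1` values can stay. If these addresses and names are already known to be synthetic or retired, saying so in the PR description would settle the question for later readers.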
@@ -0,0 +1,1529 @@
+[
+ {
+ "@timestamp": "2021-03-16T15:01:00.000Z",
+ "cyberarkpas.audit.action": "PSM Connect",
+ "cyberarkpas.audit.ca_properties.address": "radiussrv.cyberark.local",
+ "cyberarkpas.audit.ca_properties.cpm_disabled": "No Reason",
+ "cyberarkpas.audit.ca_properties.creation_method": "PVWA",
+ "cyberarkpas.audit.ca_properties.customer": "Tesla",
+ "cyberarkpas.audit.ca_properties.device_type": "Operating System",
+ "cyberarkpas.audit.ca_properties.policy_id": "LINUX-SSH",
+ "cyberarkpas.audit.ca_properties.user_name": "admin2",
+ "cyberarkpas.audit.desc": "PSM Connect",
+ "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH",
+ "cyberarkpas.audit.extra_details.dst_host": "radiussrv.cyberark.local",
+ "cyberarkpas.audit.extra_details.managed_account": "Yes",
+ "cyberarkpas.audit.extra_details.protocol": "SSH",
+ "cyberarkpas.audit.extra_details.psmid": "PSMServer",
+ "cyberarkpas.audit.extra_details.session_id": "35fac41e-22b5-11eb-83ca-000c297aae88",
+ "cyberarkpas.audit.extra_details.src_host": "10.2.0.6",
+ "cyberarkpas.audit.extra_details.user": "admin2",
+ "cyberarkpas.audit.file": "Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2",
+ "cyberarkpas.audit.iso_timestamp": "2021-03-16T15:01:00Z",
+ "cyberarkpas.audit.issuer": "Administrator",
+ "cyberarkpas.audit.message": "PSM Connect",
+ "cyberarkpas.audit.raw": "\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\n 10.2.0.7\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n",
+ "cyberarkpas.audit.rfc5424": false,
+ "cyberarkpas.audit.safe": "Linux",
+ "cyberarkpas.audit.severity": "Info",
+ "cyberarkpas.audit.station": "10.2.0.7",
+ 
"destination.address": "radiussrv.cyberark.local",
+ "destination.domain": "radiussrv.cyberark.local",
+ "destination.user.name": "admin2",
+ "event.action": "psm connect",
+ "event.category": [
+ "session"
+ ],
+ "event.code": "300",
+ "event.dataset": "cyberarkpas.audit",
+ "event.kind": "event",
+ "event.module": "cyberarkpas",
+ "event.outcome": "success",
+ "event.severity": 2,
+ "event.timezone": "-02:00",
+ "event.type": [
+ "start"
+ ],
+ "file.path": "Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2",
+ "fileset.name": "audit",
+ "input.type": "log",
+ "log.offset": 0,
+ "network.application": "ssh",
+ "observer.product": "Vault",
+ "observer.vendor": "Cyber-Ark",
+ "observer.version": "11.6.0000",
+ "related.ip": [
+ "10.2.0.6",
+ "10.2.0.7"
+ ],
+ "related.user": [
+ "Administrator",
+ "admin2"
+ ],
+ "service.type": "cyberarkpas",
+ "source.address": "10.2.0.6",
+ "source.ip": "10.2.0.6",
+ "source.user.name": "Administrator",
+ "tags": [
+ "cyberarkpas.audit",
+ "forwarded"
+ ],
+ "user.name": "Administrator"
+ },
+ {
+ "@timestamp": "2021-03-11T17:38:20.000Z",
+ "cyberarkpas.audit.action": "PSM Connect",
+ "cyberarkpas.audit.ca_properties.address": "34.123.103.115",
+ "cyberarkpas.audit.ca_properties.creation_method": "PVWA",
+ "cyberarkpas.audit.ca_properties.device_type": "Operating System",
+ "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys",
+ "cyberarkpas.audit.ca_properties.user_name": "adrian",
+ "cyberarkpas.audit.desc": "PSM Connect",
+ "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH",
+ "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115",
+ "cyberarkpas.audit.extra_details.managed_account": "Yes",
+ "cyberarkpas.audit.extra_details.protocol": "ssh",
+ "cyberarkpas.audit.extra_details.psmid": "PSMServer",
+ "cyberarkpas.audit.extra_details.session_id": "87012dcc-8290-11eb-949e-080027efd402",
+ "cyberarkpas.audit.extra_details.src_host": "127.0.0.1",
+ "cyberarkpas.audit.extra_details.user": 
"adrian",
+ "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian",
+ "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:38:20Z",
+ "cyberarkpas.audit.issuer": "Administrator",
+ "cyberarkpas.audit.message": "PSM Connect",
+ "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:20\n 2021-03-11T17:38:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n",
+ "cyberarkpas.audit.rfc5424": true,
+ "cyberarkpas.audit.safe": "PSM",
+ "cyberarkpas.audit.severity": "Info",
+ "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.timestamp": "Mar 11 09:38:20",
+ "destination.address": "34.123.103.115",
+ "destination.geo.city_name": "Council Bluffs",
+ "destination.geo.continent_name": "North America",
+ "destination.geo.country_iso_code": "US",
+ "destination.geo.country_name": "United States",
+ "destination.geo.location.lat": 41.2591,
+ "destination.geo.location.lon": -95.8517,
+ "destination.geo.region_iso_code": "US-IA",
+ "destination.geo.region_name": "Iowa",
+ "destination.ip": "34.123.103.115",
+ "destination.user.name": "adrian",
+ "event.action": "psm connect",
+ "event.category": [
+ "session"
+ ],
+ "event.code": "300",
+ "event.dataset": "cyberarkpas.audit",
+ "event.kind": "event",
+ "event.module": "cyberarkpas",
+ "event.outcome": "success",
+ "event.severity": 2,
+ "event.timezone": "-02:00",
+ "event.type": [
+ "start"
+ ],
+ "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian",
+ "fileset.name": "audit",
+ "host.name": "VAULT",
+ "input.type": "log",
+ "log.offset": 2566,
+ "log.syslog.priority": "5",
+ "network.application": "ssh",
+ 
"network.direction": "outbound",
+ "observer.hostname": "VAULT",
+ "observer.product": "Vault",
+ "observer.vendor": "Cyber-Ark",
+ "observer.version": "11.7.0000",
+ "related.ip": [
+ "127.0.0.1",
+ "34.123.103.115",
+ "81.32.170.205"
+ ],
+ "related.user": [
+ "Administrator",
+ "adrian"
+ ],
+ "service.type": "cyberarkpas",
+ "source.address": "127.0.0.1",
+ "source.ip": "127.0.0.1",
+ "source.user.name": "Administrator",
+ "tags": [
+ "cyberarkpas.audit",
+ "forwarded"
+ ],
+ "user.name": "Administrator"
+ },
+ {
+ "@timestamp": "2021-03-11T17:46:56.000Z",
+ "cyberarkpas.audit.action": "PSM Connect",
+ "cyberarkpas.audit.ca_properties.address": "34.123.103.115",
+ "cyberarkpas.audit.ca_properties.creation_method": "PVWA",
+ "cyberarkpas.audit.ca_properties.device_type": "Operating System",
+ "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys",
+ "cyberarkpas.audit.ca_properties.user_name": "adrian",
+ "cyberarkpas.audit.desc": "PSM Connect",
+ "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH",
+ "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115",
+ "cyberarkpas.audit.extra_details.managed_account": "Yes",
+ "cyberarkpas.audit.extra_details.protocol": "ssh",
+ "cyberarkpas.audit.extra_details.psmid": "PSMServer",
+ "cyberarkpas.audit.extra_details.session_id": "ba22b012-8291-11eb-b981-080027efd402",
+ "cyberarkpas.audit.extra_details.src_host": "127.0.0.1",
+ "cyberarkpas.audit.extra_details.user": "adrian",
+ "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian",
+ "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:46:56Z",
+ "cyberarkpas.audit.issuer": "Administrator",
+ "cyberarkpas.audit.message": "PSM Connect",
+ "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:46:56\n 2021-03-11T17:46:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n 
ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n",
+ "cyberarkpas.audit.rfc5424": true,
+ "cyberarkpas.audit.safe": "PSM",
+ "cyberarkpas.audit.severity": "Info",
+ "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.timestamp": "Mar 11 09:46:56",
+ "destination.address": "34.123.103.115",
+ "destination.geo.city_name": "Council Bluffs",
+ "destination.geo.continent_name": "North America",
+ "destination.geo.country_iso_code": "US",
+ "destination.geo.country_name": "United States",
+ "destination.geo.location.lat": 41.2591,
+ "destination.geo.location.lon": -95.8517,
+ "destination.geo.region_iso_code": "US-IA",
+ "destination.geo.region_name": "Iowa",
+ "destination.ip": "34.123.103.115",
+ "destination.user.name": "adrian",
+ "event.action": "psm connect",
+ "event.category": [
+ "session"
+ ],
+ "event.code": "300",
+ "event.dataset": "cyberarkpas.audit",
+ "event.kind": "event",
+ "event.module": "cyberarkpas",
+ "event.outcome": "success",
+ "event.severity": 2,
+ "event.timezone": "-02:00",
+ "event.type": [
+ "start"
+ ],
+ "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian",
+ "fileset.name": "audit",
+ "host.name": "VAULT",
+ "input.type": "log",
+ "log.offset": 5086,
+ "log.syslog.priority": "5",
+ "network.application": "ssh",
+ "network.direction": "outbound",
+ "observer.hostname": "VAULT",
+ "observer.product": "Vault",
+ "observer.vendor": "Cyber-Ark",
+ "observer.version": "11.7.0000",
+ "related.ip": [
+ "127.0.0.1",
+ "34.123.103.115",
+ "81.32.170.205"
+ ],
+ "related.user": [
+ "Administrator",
+ "adrian"
+ ],
+ "service.type": "cyberarkpas",
+ "source.address": "127.0.0.1",
+ "source.ip": "127.0.0.1",
+ "source.user.name": "Administrator",
+ "tags": [
+ "cyberarkpas.audit",
+ "forwarded"
+ ],
+ "user.name": "Administrator"
+ },
+ {
+ 
"@timestamp": "2021-03-11T17:48:34.000Z",
+ "cyberarkpas.audit.action": "PSM Connect",
+ "cyberarkpas.audit.ca_properties.address": "34.123.103.115",
+ "cyberarkpas.audit.ca_properties.creation_method": "PVWA",
+ "cyberarkpas.audit.ca_properties.device_type": "Operating System",
+ "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys",
+ "cyberarkpas.audit.ca_properties.user_name": "adrian",
+ "cyberarkpas.audit.desc": "PSM Connect",
+ "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH",
+ "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115",
+ "cyberarkpas.audit.extra_details.managed_account": "Yes",
+ "cyberarkpas.audit.extra_details.protocol": "ssh",
+ "cyberarkpas.audit.extra_details.psmid": "PSMServer",
+ "cyberarkpas.audit.extra_details.session_id": "f6acbf00-8291-11eb-b9ba-080027efd402",
+ "cyberarkpas.audit.extra_details.src_host": "10.0.2.2",
+ "cyberarkpas.audit.extra_details.user": "adrian",
+ "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian",
+ "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:48:34Z",
+ "cyberarkpas.audit.issuer": "Administrator",
+ "cyberarkpas.audit.message": "PSM Connect",
+ "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:48:34\n 2021-03-11T17:48:34Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n",
+ "cyberarkpas.audit.rfc5424": true,
+ "cyberarkpas.audit.safe": "PSM",
+ "cyberarkpas.audit.severity": "Info",
+ "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.timestamp": "Mar 11 09:48:34",
+ "destination.address": "34.123.103.115",
+ "destination.geo.city_name": "Council Bluffs",
+ 
"destination.geo.continent_name": "North America",
+ "destination.geo.country_iso_code": "US",
+ "destination.geo.country_name": "United States",
+ "destination.geo.location.lat": 41.2591,
+ "destination.geo.location.lon": -95.8517,
+ "destination.geo.region_iso_code": "US-IA",
+ "destination.geo.region_name": "Iowa",
+ "destination.ip": "34.123.103.115",
+ "destination.user.name": "adrian",
+ "event.action": "psm connect",
+ "event.category": [
+ "session"
+ ],
+ "event.code": "300",
+ "event.dataset": "cyberarkpas.audit",
+ "event.kind": "event",
+ "event.module": "cyberarkpas",
+ "event.outcome": "success",
+ "event.severity": 2,
+ "event.timezone": "-02:00",
+ "event.type": [
+ "start"
+ ],
+ "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian",
+ "fileset.name": "audit",
+ "host.name": "VAULT",
+ "input.type": "log",
+ "log.offset": 7606,
+ "log.syslog.priority": "5",
+ "network.application": "ssh",
+ "network.direction": "outbound",
+ "observer.hostname": "VAULT",
+ "observer.product": "Vault",
+ "observer.vendor": "Cyber-Ark",
+ "observer.version": "11.7.0000",
+ "related.ip": [
+ "10.0.2.2",
+ "34.123.103.115",
+ "81.32.170.205"
+ ],
+ "related.user": [
+ "Administrator",
+ "adrian"
+ ],
+ "service.type": "cyberarkpas",
+ "source.address": "10.0.2.2",
+ "source.ip": "10.0.2.2",
+ "source.user.name": "Administrator",
+ "tags": [
+ "cyberarkpas.audit",
+ "forwarded"
+ ],
+ "user.name": "Administrator"
+ },
+ {
+ "@timestamp": "2021-03-11T17:54:56.000Z",
+ "cyberarkpas.audit.action": "PSM Connect",
+ "cyberarkpas.audit.ca_properties.address": "34.123.103.115",
+ "cyberarkpas.audit.ca_properties.creation_method": "PVWA",
+ "cyberarkpas.audit.ca_properties.device_type": "Operating System",
+ "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys",
+ "cyberarkpas.audit.ca_properties.user_name": "adrian",
+ "cyberarkpas.audit.desc": "PSM Connect",
+ "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH",
+ 
"cyberarkpas.audit.extra_details.dst_host": "34.123.103.115",
+ "cyberarkpas.audit.extra_details.managed_account": "Yes",
+ "cyberarkpas.audit.extra_details.protocol": "ssh",
+ "cyberarkpas.audit.extra_details.psmid": "PSMServer",
+ "cyberarkpas.audit.extra_details.session_id": "d8ff4d32-8292-11eb-b962-080027efd402",
+ "cyberarkpas.audit.extra_details.src_host": "10.0.2.2",
+ "cyberarkpas.audit.extra_details.user": "adrian",
+ "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian",
+ "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:54:56Z",
+ "cyberarkpas.audit.issuer": "Administrator",
+ "cyberarkpas.audit.message": "PSM Connect",
+ "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:54:56\n 2021-03-11T17:54:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n",
+ "cyberarkpas.audit.rfc5424": true,
+ "cyberarkpas.audit.safe": "PSM",
+ "cyberarkpas.audit.severity": "Info",
+ "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.timestamp": "Mar 11 09:54:56",
+ "destination.address": "34.123.103.115",
+ "destination.geo.city_name": "Council Bluffs",
+ "destination.geo.continent_name": "North America",
+ "destination.geo.country_iso_code": "US",
+ "destination.geo.country_name": "United States",
+ "destination.geo.location.lat": 41.2591,
+ "destination.geo.location.lon": -95.8517,
+ "destination.geo.region_iso_code": "US-IA",
+ "destination.geo.region_name": "Iowa",
+ "destination.ip": "34.123.103.115",
+ "destination.user.name": "adrian",
+ "event.action": "psm connect",
+ "event.category": [
+ "session"
+ ],
+ "event.code": "300",
+ "event.dataset": 
"cyberarkpas.audit",
+ "event.kind": "event",
+ "event.module": "cyberarkpas",
+ "event.outcome": "success",
+ "event.severity": 2,
+ "event.timezone": "-02:00",
+ "event.type": [
+ "start"
+ ],
+ "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian",
+ "fileset.name": "audit",
+ "host.name": "VAULT",
+ "input.type": "log",
+ "log.offset": 10124,
+ "log.syslog.priority": "5",
+ "network.application": "ssh",
+ "network.direction": "outbound",
+ "observer.hostname": "VAULT",
+ "observer.product": "Vault",
+ "observer.vendor": "Cyber-Ark",
+ "observer.version": "11.7.0000",
+ "related.ip": [
+ "10.0.2.2",
+ "34.123.103.115",
+ "81.32.170.205"
+ ],
+ "related.user": [
+ "Administrator",
+ "adrian"
+ ],
+ "service.type": "cyberarkpas",
+ "source.address": "10.0.2.2",
+ "source.ip": "10.0.2.2",
+ "source.user.name": "Administrator",
+ "tags": [
+ "cyberarkpas.audit",
+ "forwarded"
+ ],
+ "user.name": "Administrator"
+ },
+ {
+ "@timestamp": "2021-03-11T17:56:37.000Z",
+ "cyberarkpas.audit.action": "PSM Connect",
+ "cyberarkpas.audit.ca_properties.address": "34.123.103.115",
+ "cyberarkpas.audit.ca_properties.creation_method": "PVWA",
+ "cyberarkpas.audit.ca_properties.device_type": "Operating System",
+ "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys",
+ "cyberarkpas.audit.ca_properties.user_name": "adrian",
+ "cyberarkpas.audit.desc": "PSM Connect",
+ "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH",
+ "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115",
+ "cyberarkpas.audit.extra_details.managed_account": "Yes",
+ "cyberarkpas.audit.extra_details.protocol": "ssh",
+ "cyberarkpas.audit.extra_details.psmid": "PSMServer",
+ "cyberarkpas.audit.extra_details.session_id": "173dd46a-8293-11eb-afcb-080027efd402",
+ "cyberarkpas.audit.extra_details.src_host": "10.0.2.2",
+ "cyberarkpas.audit.extra_details.user": "adrian",
+ "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian",
+ 
"cyberarkpas.audit.iso_timestamp": "2021-03-11T17:56:37Z",
+ "cyberarkpas.audit.issuer": "Administrator",
+ "cyberarkpas.audit.message": "PSM Connect",
+ "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:56:37\n 2021-03-11T17:56:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n",
+ "cyberarkpas.audit.rfc5424": true,
+ "cyberarkpas.audit.safe": "PSM",
+ "cyberarkpas.audit.severity": "Info",
+ "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.timestamp": "Mar 11 09:56:37",
+ "destination.address": "34.123.103.115",
+ "destination.geo.city_name": "Council Bluffs",
+ "destination.geo.continent_name": "North America",
+ "destination.geo.country_iso_code": "US",
+ "destination.geo.country_name": "United States",
+ "destination.geo.location.lat": 41.2591,
+ "destination.geo.location.lon": -95.8517,
+ "destination.geo.region_iso_code": "US-IA",
+ "destination.geo.region_name": "Iowa",
+ "destination.ip": "34.123.103.115",
+ "destination.user.name": "adrian",
+ "event.action": "psm connect",
+ "event.category": [
+ "session"
+ ],
+ "event.code": "300",
+ "event.dataset": "cyberarkpas.audit",
+ "event.kind": "event",
+ "event.module": "cyberarkpas",
+ "event.outcome": "success",
+ "event.severity": 2,
+ "event.timezone": "-02:00",
+ "event.type": [
+ "start"
+ ],
+ "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian",
+ "fileset.name": "audit",
+ "host.name": "VAULT",
+ "input.type": "log",
+ "log.offset": 12642,
+ "log.syslog.priority": "5",
+ "network.application": "ssh",
+ "network.direction": "outbound",
+ "observer.hostname": "VAULT",
+ "observer.product": "Vault",
+ 
"observer.vendor": "Cyber-Ark",
+ "observer.version": "11.7.0000",
+ "related.ip": [
+ "10.0.2.2",
+ "34.123.103.115",
+ "81.32.170.205"
+ ],
+ "related.user": [
+ "Administrator",
+ "adrian"
+ ],
+ "service.type": "cyberarkpas",
+ "source.address": "10.0.2.2",
+ "source.ip": "10.0.2.2",
+ "source.user.name": "Administrator",
+ "tags": [
+ "cyberarkpas.audit",
+ "forwarded"
+ ],
+ "user.name": "Administrator"
+ },
+ {
+ "@timestamp": "2021-03-11T20:23:25.000Z",
+ "cyberarkpas.audit.action": "PSM Connect",
+ "cyberarkpas.audit.ca_properties.address": "34.123.103.115",
+ "cyberarkpas.audit.ca_properties.creation_method": "PVWA",
+ "cyberarkpas.audit.ca_properties.device_type": "Operating System",
+ "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys",
+ "cyberarkpas.audit.ca_properties.user_name": "adrian",
+ "cyberarkpas.audit.desc": "PSM Connect",
+ "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH",
+ "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115",
+ "cyberarkpas.audit.extra_details.managed_account": "Yes",
+ "cyberarkpas.audit.extra_details.protocol": "ssh",
+ "cyberarkpas.audit.extra_details.psmid": "PSMServer",
+ "cyberarkpas.audit.extra_details.session_id": "988b22e8-82a7-11eb-83b9-080027efd402",
+ "cyberarkpas.audit.extra_details.src_host": "10.0.2.2",
+ "cyberarkpas.audit.extra_details.user": "adrian",
+ "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian",
+ "cyberarkpas.audit.iso_timestamp": "2021-03-11T20:23:25Z",
+ "cyberarkpas.audit.issuer": "Administrator",
+ "cyberarkpas.audit.message": "PSM Connect",
+ "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 12:23:25\n 2021-03-11T20:23:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n 
ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n",
+ "cyberarkpas.audit.rfc5424": true,
+ "cyberarkpas.audit.safe": "PSM",
+ "cyberarkpas.audit.severity": "Info",
+ "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.timestamp": "Mar 11 12:23:25",
+ "destination.address": "34.123.103.115",
+ "destination.geo.city_name": "Council Bluffs",
+ "destination.geo.continent_name": "North America",
+ "destination.geo.country_iso_code": "US",
+ "destination.geo.country_name": "United States",
+ "destination.geo.location.lat": 41.2591,
+ "destination.geo.location.lon": -95.8517,
+ "destination.geo.region_iso_code": "US-IA",
+ "destination.geo.region_name": "Iowa",
+ "destination.ip": "34.123.103.115",
+ "destination.user.name": "adrian",
+ "event.action": "psm connect",
+ "event.category": [
+ "session"
+ ],
+ "event.code": "300",
+ "event.dataset": "cyberarkpas.audit",
+ "event.kind": "event",
+ "event.module": "cyberarkpas",
+ "event.outcome": "success",
+ "event.severity": 2,
+ "event.timezone": "-02:00",
+ "event.type": [
+ "start"
+ ],
+ "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian",
+ "fileset.name": "audit",
+ "host.name": "VAULT",
+ "input.type": "log",
+ "log.offset": 15160,
+ "log.syslog.priority": "5",
+ "network.application": "ssh",
+ "network.direction": "outbound",
+ "observer.hostname": "VAULT",
+ "observer.product": "Vault",
+ "observer.vendor": "Cyber-Ark",
+ "observer.version": "11.7.0000",
+ "related.ip": [
+ "10.0.2.2",
+ "34.123.103.115",
+ "81.32.170.205"
+ ],
+ "related.user": [
+ "Administrator",
+ "adrian"
+ ],
+ "service.type": "cyberarkpas",
+ "source.address": "10.0.2.2",
+ "source.ip": "10.0.2.2",
+ "source.user.name": "Administrator",
+ "tags": [
+ "cyberarkpas.audit",
+ "forwarded"
+ ],
+ "user.name": "Administrator"
+ },
+ {
+ 
"@timestamp": "2021-03-14T13:49:37.000Z",
+ "cyberarkpas.audit.action": "PSM Connect",
+ "cyberarkpas.audit.ca_properties.address": "34.123.103.115",
+ "cyberarkpas.audit.ca_properties.cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031",
+ "cyberarkpas.audit.ca_properties.cpm_status": "failure",
+ "cyberarkpas.audit.ca_properties.creation_method": "PVWA",
+ "cyberarkpas.audit.ca_properties.device_type": "Operating System",
+ "cyberarkpas.audit.ca_properties.last_fail_date": "1615729572",
+ "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask",
+ "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH",
+ "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask",
+ "cyberarkpas.audit.ca_properties.retries_count": "0",
+ "cyberarkpas.audit.ca_properties.user_name": "testark",
+ "cyberarkpas.audit.desc": "PSM Connect",
+ "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH",
+ "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115",
+ "cyberarkpas.audit.extra_details.managed_account": "Yes",
+ "cyberarkpas.audit.extra_details.protocol": "SSH",
+ "cyberarkpas.audit.extra_details.psmid": "PSMServer",
+ "cyberarkpas.audit.extra_details.session_id": "d284c268-2ba0-4366-af52-e33459b073a1",
+ "cyberarkpas.audit.extra_details.src_host": "81.32.170.205",
+ "cyberarkpas.audit.extra_details.user": "testark",
+ "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark",
+ "cyberarkpas.audit.iso_timestamp": "2021-03-14T13:49:37Z",
+ "cyberarkpas.audit.issuer": "Administrator",
+ "cyberarkpas.audit.message": "PSM Connect",
+ "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:49:37\n 2021-03-14T13:49:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n 
ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
+ "cyberarkpas.audit.rfc5424": true,
+ "cyberarkpas.audit.safe": "partner",
+ "cyberarkpas.audit.severity": "Info",
+ "cyberarkpas.audit.station": "34.71.250.247",
+ "cyberarkpas.audit.timestamp": "Mar 14 06:49:37",
+ "destination.address": "34.123.103.115",
+ "destination.geo.city_name": "Council Bluffs",
+ "destination.geo.continent_name": "North America",
+ "destination.geo.country_iso_code": "US",
+ "destination.geo.country_name": "United States",
+ "destination.geo.location.lat": 41.2591,
+ "destination.geo.location.lon": -95.8517,
+ "destination.geo.region_iso_code": "US-IA",
+ "destination.geo.region_name": "Iowa",
+ "destination.ip": "34.123.103.115",
+ "destination.user.name": "testark",
+ "event.action": "psm connect",
+ "event.category": [
+ "session"
+ ],
+ "event.code": "300",
+ "event.dataset": "cyberarkpas.audit",
+ "event.kind": "event",
+ "event.module": "cyberarkpas",
+ "event.outcome": "success",
+ "event.severity": 2,
+ "event.timezone": "-02:00",
+ "event.type": [
+ "start"
+ ],
+ "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark",
+ "fileset.name": "audit",
+ "host.name": "VAULT",
+ "input.type": "log",
+ "log.offset": 17678,
+ "log.syslog.priority": "5",
+ "network.application": "ssh",
+ "network.direction": "external",
+ "observer.hostname": "VAULT",
+ "observer.product": "Vault",
+ "observer.vendor": "Cyber-Ark",
+ "observer.version": "11.7.0000",
+ "related.ip": [
+ "81.32.170.205",
+ "34.123.103.115",
+ "34.71.250.247"
+ ],
+ "related.user": [
+ "Administrator",
+ "testark"
+ ],
+ "service.type": "cyberarkpas",
+ "source.address": "81.32.170.205",
+ "source.geo.city_name": "Barcelona",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "ES",
+ 
"source.geo.country_name": "Spain",
+ "source.geo.location.lat": 41.387,
+ "source.geo.location.lon": 2.1701,
+ "source.geo.region_iso_code": "ES-B",
+ "source.geo.region_name": "Barcelona",
+ "source.ip": "81.32.170.205",
+ "source.user.name": "Administrator",
+ "tags": [
+ "cyberarkpas.audit",
+ "forwarded"
+ ],
+ "user.name": "Administrator"
+ },
+ {
+ "@timestamp": "2021-03-14T13:50:43.000Z",
+ "cyberarkpas.audit.action": "PSM Connect",
+ "cyberarkpas.audit.ca_properties.address": "34.123.103.115",
+ "cyberarkpas.audit.ca_properties.cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031",
+ "cyberarkpas.audit.ca_properties.cpm_status": "failure",
+ "cyberarkpas.audit.ca_properties.creation_method": "PVWA",
+ "cyberarkpas.audit.ca_properties.device_type": "Operating System",
+ "cyberarkpas.audit.ca_properties.last_fail_date": "1615729572",
+ "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask",
+ "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH",
+ "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask",
+ "cyberarkpas.audit.ca_properties.retries_count": "0",
+ "cyberarkpas.audit.ca_properties.user_name": "testark",
+ "cyberarkpas.audit.desc": "PSM Connect",
+ "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH",
+ "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115",
+ "cyberarkpas.audit.extra_details.managed_account": "Yes",
+ "cyberarkpas.audit.extra_details.protocol": "SSH",
+ "cyberarkpas.audit.extra_details.psmid": "PSMServer",
+ "cyberarkpas.audit.extra_details.session_id": "47747796-03e1-4a11-af39-ab56c00e7732",
+ "cyberarkpas.audit.extra_details.src_host": "81.32.170.205",
+ "cyberarkpas.audit.extra_details.user": "testark",
+ "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark",
+ "cyberarkpas.audit.iso_timestamp": "2021-03-14T13:50:43Z",
+ "cyberarkpas.audit.issuer": 
"Administrator",
+ "cyberarkpas.audit.message": "PSM Connect",
+ "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:50:43\n 2021-03-14T13:50:43Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
+ "cyberarkpas.audit.rfc5424": true,
+ "cyberarkpas.audit.safe": "partner",
+ "cyberarkpas.audit.severity": "Info",
+ "cyberarkpas.audit.station": "34.71.250.247",
+ "cyberarkpas.audit.timestamp": "Mar 14 06:50:43",
+ "destination.address": "34.123.103.115",
+ "destination.geo.city_name": "Council Bluffs",
+ "destination.geo.continent_name": "North America",
+ "destination.geo.country_iso_code": "US",
+ "destination.geo.country_name": "United States",
+ "destination.geo.location.lat": 41.2591,
+ "destination.geo.location.lon": -95.8517,
+ "destination.geo.region_iso_code": "US-IA",
+ "destination.geo.region_name": "Iowa",
+ "destination.ip": "34.123.103.115",
+ "destination.user.name": "testark",
+ "event.action": "psm connect",
+ "event.category": [
+ "session"
+ ],
+ "event.code": "300",
+ "event.dataset": "cyberarkpas.audit",
+ "event.kind": "event",
+ "event.module": "cyberarkpas",
+ "event.outcome": "success",
+ "event.severity": 2,
+ "event.timezone": "-02:00",
+ "event.type": [
+ "start"
+ ],
+ "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark",
+ "fileset.name": "audit",
+ "host.name": "VAULT",
+ "input.type": "log",
+ "log.offset": 21194,
+ "log.syslog.priority": "5",
+ "network.application": "ssh",
+ "network.direction": "external",
+ "observer.hostname": "VAULT",
+ "observer.product": "Vault",
+ "observer.vendor": "Cyber-Ark",
+ "observer.version": "11.7.0000",
+ "related.ip": [
+ "81.32.170.205",
+ "34.123.103.115",
+ "34.71.250.247"
+ ],
+ "related.user": [
+ "Administrator",
+ "testark"
+ ],
+ "service.type": "cyberarkpas",
+ "source.address": "81.32.170.205",
+ "source.geo.city_name": "Barcelona",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "ES",
+ "source.geo.country_name": "Spain",
+ "source.geo.location.lat": 41.387,
+ "source.geo.location.lon": 2.1701,
+ "source.geo.region_iso_code": "ES-B",
+ "source.geo.region_name": "Barcelona",
+ "source.ip": "81.32.170.205",
+ "source.user.name": "Administrator",
+ "tags": [
+ "cyberarkpas.audit",
+ "forwarded"
+ ],
+ "user.name": "Administrator"
+ },
+ {
+ "@timestamp": "2021-03-15T10:31:56.000Z",
+ "cyberarkpas.audit.action": "PSM Connect",
+ "cyberarkpas.audit.ca_properties.address": "34.123.103.115",
+ "cyberarkpas.audit.ca_properties.cpm_status": "success",
+ "cyberarkpas.audit.ca_properties.creation_method": "PVWA",
+ "cyberarkpas.audit.ca_properties.device_type": "Operating System",
+ "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764",
+ "cyberarkpas.audit.ca_properties.last_task": "VerifyTask",
+ "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH",
+ "cyberarkpas.audit.ca_properties.retries_count": "-1",
+ "cyberarkpas.audit.ca_properties.user_name": "testark",
+ "cyberarkpas.audit.desc": "PSM Connect",
+ "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH",
+ "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115",
+ "cyberarkpas.audit.extra_details.managed_account": "Yes",
+ "cyberarkpas.audit.extra_details.protocol": "SSH",
+ "cyberarkpas.audit.extra_details.psmid": "PSMServer",
+ "cyberarkpas.audit.extra_details.session_id": "29f340df-89e9-405a-beae-0216390cda42",
+ "cyberarkpas.audit.extra_details.src_host": "81.32.170.205",
+ "cyberarkpas.audit.extra_details.user": "testark",
+ "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark",
+ 
"cyberarkpas.audit.iso_timestamp": "2021-03-15T10:31:56Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Connect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:31:56\n 2021-03-15T10:31:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 15 03:31:56", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "psm connect", + "event.category": [ + "session" + ], + "event.code": "300", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 24710, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + 
"observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T10:33:39.000Z", + "cyberarkpas.audit.action": "PSM Connect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "PSM Connect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "f1654cf8-8ce5-472a-8205-ba731b0fab46", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.user": "testark", + 
"cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T10:33:39Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Connect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:33:39\n 2021-03-15T10:33:39Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 15 03:33:39", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "psm connect", + "event.category": [ + "session" + ], + "event.code": "300", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 27706, + "log.syslog.priority": "5", + "network.application": 
"ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T10:35:00.000Z", + "cyberarkpas.audit.action": "PSM Connect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "PSM Connect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "8b3d0b38-aef5-49d9-bdd7-d57706887d8b", + "cyberarkpas.audit.extra_details.src_host": 
"81.32.170.205", + "cyberarkpas.audit.extra_details.user": "testark", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T10:35:00Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Connect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:35:00\n 2021-03-15T10:35:00Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 15 03:35:00", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "psm connect", + "event.category": [ + "session" + ], + "event.code": "300", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + 
"log.offset": 30702, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T13:18:31.000Z", + "cyberarkpas.audit.action": "PSM Connect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "PSM Connect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "692fe25f-f940-4170-8ea4-5241b35173f0", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.user": "adrian", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + 
"cyberarkpas.audit.iso_timestamp": "2021-03-15T13:18:31Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Connect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 06:18:31\n 2021-03-15T13:18:31Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 15 06:18:31", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "psm connect", + "event.category": [ + "session" + ], + "event.code": "300", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 33698, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + 
"observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T14:08:06.000Z", + "cyberarkpas.audit.action": "PSM Connect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "PSM Connect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "f5725611-ca57-4a2a-a089-f45b3174a358", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.user": "adrian", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T14:08:06Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Connect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:08:06\n 
2021-03-15T14:08:06Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 15 07:08:06", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "psm connect", + "event.category": [ + "session" + ], + "event.code": "300", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 36226, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "adrian" + ], + 
"service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T14:08:28.000Z", + "cyberarkpas.audit.action": "PSM Connect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615814025", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.use_sudo_on_reconcile": "Yes", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "PSM Connect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": 
"7db90436-8a1a-4203-9a96-65137625ab2d", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.user": "testark", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T14:08:28Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Connect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:08:28\n 2021-03-15T14:08:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 15 07:08:28", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "psm connect", + "event.category": [ + "session" + ], + "event.code": "300", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "file.path": "Root\\Operating 
System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 38754, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T14:11:09.000Z", + "cyberarkpas.audit.action": "PSM Connect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615814025", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.use_sudo_on_reconcile": "Yes", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "PSM Connect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "27f74dce-f5d5-4c94-bf99-ca6aafe2c518", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.user": "testark", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T14:11:09Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Connect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:11:09\n 2021-03-15T14:11:09Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n 
\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 15 07:11:09", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "psm connect", + "event.category": [ + "session" + ], + "event.code": "300", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 42532, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + 
"source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-16T10:04:51.000Z", + "cyberarkpas.audit.action": "PSM Connect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615888216", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "4", + "cyberarkpas.audit.ca_properties.use_sudo_on_reconcile": "Yes", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "PSM Connect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "8b222ac9-c2ad-49ea-9c4e-6829940f58d4", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.user": "testark", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-16T10:04:51Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Connect", + 
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 16 03:04:51\n 2021-03-16T10:04:51Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b222ac9-c2ad-49ea-9c4e-6829940f58d4;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 16 03:04:51", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "psm connect", + "event.category": [ + "session" + ], + "event.code": "300", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 46310, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + 
"34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/302_psm_disconnect.log b/x-pack/filebeat/module/cyberarkpas/audit/test/302_psm_disconnect.log new file mode 100644 index 00000000000..c172f644c9f --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/302_psm_disconnect.log 
@@ -0,0 +1,16 @@ +{"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\n 10.2.0.7\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:07;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"302","IsoTimestamp":"2021-03-16T15:01:00Z","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"Linux","File":"Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2","Station":"10.2.0.7","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:07;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"LINUX-SSH"},{"Name":"UserName","Value":"admin2"},{"Name":"Address","Value":"radiussrv.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"CPMDisabled","Value":"No Reason"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Customer","Value":"Tesla"}]}}}} +<5>1 2021-03-11T17:38:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:26\n 2021-03-11T17:38:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n 
ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:13;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:26","IsoTimestamp":"2021-03-11T17:38:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:13;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:47:01Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:47:01\n 2021-03-11T17:47:01Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:11;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 
09:47:01","IsoTimestamp":"2021-03-11T17:47:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:11;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:48:40Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:40\n 2021-03-11T17:48:40Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:40","IsoTimestamp":"2021-03-11T17:48:40Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating 
System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:55:02Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:55:02\n 2021-03-11T17:55:02Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:55:02","IsoTimestamp":"2021-03-11T17:55:02Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM 
Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:56:42Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:56:42\n 2021-03-11T17:56:42Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:56:42","IsoTimestamp":"2021-03-11T17:56:42Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T20:23:30Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:23:30\n 2021-03-11T20:23:30Z\n 
VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:23:30","IsoTimestamp":"2021-03-11T20:23:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-14T13:49:54Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:54\n 2021-03-14T13:49:54Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:18;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;\n PSM 
Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:54","IsoTimestamp":"2021-03-14T13:49:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:18;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-14T13:51:35Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:51:35\n 2021-03-14T13:51:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:54;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:51:35","IsoTimestamp":"2021-03-14T13:51:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:54;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. 
Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:33:30Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:33:30\n 2021-03-15T10:33:30Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:35;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:33:30","IsoTimestamp":"2021-03-15T10:33:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:35;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:34:50Z VAULT 
{"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:34:50\n 2021-03-15T10:34:50Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:13;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:34:50","IsoTimestamp":"2021-03-15T10:34:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:13;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T11:12:09Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 04:12:09\n 2021-03-15T11:12:09Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n 
Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:37:10;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 04:12:09","IsoTimestamp":"2021-03-15T11:12:09Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:37:10;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T13:18:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:18:36\n 2021-03-15T13:18:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 34.71.250.247\n \n \n \n \n 
ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:05;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:18:36","IsoTimestamp":"2021-03-15T13:18:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:05;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T14:08:11Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:11\n 2021-03-15T14:08:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:06;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 
07:08:11","IsoTimestamp":"2021-03-15T14:08:11Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:06;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T14:08:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:36\n 2021-03-15T14:08:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:09;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:08:36","IsoTimestamp":"2021-03-15T14:08:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:09;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<5>1 2021-03-15T15:00:21Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 08:00:21\n 2021-03-15T15:00:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:49:12;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 08:00:21","IsoTimestamp":"2021-03-15T15:00:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM 
Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:49:12;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615819476"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/302_psm_disconnect.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/302_psm_disconnect.log-expected.json new file mode 100644 index 00000000000..4785084bcee --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/302_psm_disconnect.log-expected.json 
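Review bot: The fixture records in this hunk carry what look like routable public addresses (81.32.170.205 as SrcHost/Station, 34.123.103.115 and 34.71.250.247 as DstHost/Station) plus a tenant-identifying property (`{"Name":"Customer","Value":"Tesla"}` in the first record), and the sibling expected-output file shows these get geo-enriched (Barcelona, Council Bluffs) and shipped with every release; if these are a real operator's or tenant's values, swapping them for RFC 5737 documentation ranges (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`) and a placeholder customer string avoids publishing them. A one-line comment in the module's test README would also help the next maintainer: the first record deliberately lacks the `<5>1 <timestamp> VAULT` syslog prefix and sets `Rfc5424` to `no`, so the non-RFC 5424 (version 11.6) path is exercised on purpose rather than by a malformed line. Changing any address means regenerating `302_psm_disconnect.log-expected.json`, since `source.ip`, `destination.ip`, `related.ip` and the `*.geo.*` fields are derived from them.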
@@ -0,0 +1,1462 @@ +[ + { + "@timestamp": "2021-03-16T15:01:00.000Z", + "cyberarkpas.audit.action": "PSM Disconnect", + "cyberarkpas.audit.ca_properties.address": "radiussrv.cyberark.local", + "cyberarkpas.audit.ca_properties.cpm_disabled": "No Reason", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.customer": "Tesla", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "LINUX-SSH", + "cyberarkpas.audit.ca_properties.user_name": "admin2", + "cyberarkpas.audit.desc": "PSM Disconnect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "radiussrv.cyberark.local", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_duration": "00:00:07", + "cyberarkpas.audit.extra_details.session_id": "35fac41e-22b5-11eb-83ca-000c297aae88", + "cyberarkpas.audit.extra_details.src_host": "10.2.0.6", + "cyberarkpas.audit.extra_details.user": "admin2", + "cyberarkpas.audit.file": "Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2", + "cyberarkpas.audit.iso_timestamp": "2021-03-16T15:01:00Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Disconnect", + "cyberarkpas.audit.raw": "\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\n 10.2.0.7\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:07;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n", + "cyberarkpas.audit.rfc5424": false, + "cyberarkpas.audit.safe": 
"Linux", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.2.0.7", + "destination.address": "radiussrv.cyberark.local", + "destination.domain": "radiussrv.cyberark.local", + "destination.user.name": "admin2", + "event.action": "psm disconnect", + "event.category": [ + "session" + ], + "event.code": "302", + "event.dataset": "cyberarkpas.audit", + "event.duration": 7000000000, + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "file.path": "Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2", + "fileset.name": "audit", + "input.type": "log", + "log.offset": 0, + "network.application": "ssh", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.6.0000", + "related.ip": [ + "10.2.0.6", + "10.2.0.7" + ], + "related.user": [ + "Administrator", + "admin2" + ], + "service.type": "cyberarkpas", + "source.address": "10.2.0.6", + "source.ip": "10.2.0.6", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-11T17:38:26.000Z", + "cyberarkpas.audit.action": "PSM Disconnect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "PSM Disconnect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "ssh", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_duration": 
"00:00:13", + "cyberarkpas.audit.extra_details.session_id": "87012dcc-8290-11eb-949e-080027efd402", + "cyberarkpas.audit.extra_details.src_host": "127.0.0.1", + "cyberarkpas.audit.extra_details.user": "adrian", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:38:26Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Disconnect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:26\n 2021-03-11T17:38:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:13;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 09:38:26", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "psm disconnect", + "event.category": [ + "session" + ], + "event.code": "302", + "event.dataset": "cyberarkpas.audit", + "event.duration": 13000000000, + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": 
"-02:00", + "event.type": [ + "end" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2634, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "34.123.103.115", + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-11T17:47:01.000Z", + "cyberarkpas.audit.action": "PSM Disconnect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "PSM Disconnect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "ssh", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_duration": "00:00:11", + "cyberarkpas.audit.extra_details.session_id": "ba22b012-8291-11eb-b981-080027efd402", + "cyberarkpas.audit.extra_details.src_host": "127.0.0.1", + "cyberarkpas.audit.extra_details.user": "adrian", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:47:01Z", + "cyberarkpas.audit.issuer": 
"Administrator", + "cyberarkpas.audit.message": "PSM Disconnect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:47:01\n 2021-03-11T17:47:01Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:11;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 09:47:01", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "psm disconnect", + "event.category": [ + "session" + ], + "event.code": "302", + "event.dataset": "cyberarkpas.audit", + "event.duration": 11000000000, + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 5222, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": 
"Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "34.123.103.115", + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-11T17:48:40.000Z", + "cyberarkpas.audit.action": "PSM Disconnect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "PSM Disconnect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "ssh", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_duration": "00:00:12", + "cyberarkpas.audit.extra_details.session_id": "f6acbf00-8291-11eb-b9ba-080027efd402", + "cyberarkpas.audit.extra_details.src_host": "10.0.2.2", + "cyberarkpas.audit.extra_details.user": "adrian", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:48:40Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Disconnect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:48:40\n 2021-03-11T17:48:40Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n 
ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 09:48:40", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "psm disconnect", + "event.category": [ + "session" + ], + "event.code": "302", + "event.dataset": "cyberarkpas.audit", + "event.duration": 12000000000, + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 7810, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.2.2", + "34.123.103.115", + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.2.2", + "source.ip": "10.0.2.2", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + 
"forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-11T17:55:02.000Z", + "cyberarkpas.audit.action": "PSM Disconnect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "PSM Disconnect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "ssh", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_duration": "00:00:12", + "cyberarkpas.audit.extra_details.session_id": "d8ff4d32-8292-11eb-b962-080027efd402", + "cyberarkpas.audit.extra_details.src_host": "10.0.2.2", + "cyberarkpas.audit.extra_details.user": "adrian", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:55:02Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Disconnect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:55:02\n 2021-03-11T17:55:02Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": 
"81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 09:55:02", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "psm disconnect", + "event.category": [ + "session" + ], + "event.code": "302", + "event.dataset": "cyberarkpas.audit", + "event.duration": 12000000000, + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 10396, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.2.2", + "34.123.103.115", + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.2.2", + "source.ip": "10.0.2.2", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-11T17:56:42.000Z", + "cyberarkpas.audit.action": "PSM Disconnect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": 
"UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "PSM Disconnect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "ssh", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_duration": "00:00:12", + "cyberarkpas.audit.extra_details.session_id": "173dd46a-8293-11eb-afcb-080027efd402", + "cyberarkpas.audit.extra_details.src_host": "10.0.2.2", + "cyberarkpas.audit.extra_details.user": "adrian", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:56:42Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Disconnect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:56:42\n 2021-03-11T17:56:42Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 09:56:42", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + 
"destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "psm disconnect", + "event.category": [ + "session" + ], + "event.code": "302", + "event.dataset": "cyberarkpas.audit", + "event.duration": 12000000000, + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 12982, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.2.2", + "34.123.103.115", + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.2.2", + "source.ip": "10.0.2.2", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-11T20:23:30.000Z", + "cyberarkpas.audit.action": "PSM Disconnect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "PSM Disconnect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "ssh", + "cyberarkpas.audit.extra_details.psmid": 
"PSMServer", + "cyberarkpas.audit.extra_details.session_duration": "00:00:12", + "cyberarkpas.audit.extra_details.session_id": "988b22e8-82a7-11eb-83b9-080027efd402", + "cyberarkpas.audit.extra_details.src_host": "10.0.2.2", + "cyberarkpas.audit.extra_details.user": "adrian", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T20:23:30Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Disconnect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 12:23:30\n 2021-03-11T20:23:30Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 12:23:30", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "psm disconnect", + "event.category": [ + "session" + ], + "event.code": "302", + "event.dataset": "cyberarkpas.audit", + "event.duration": 12000000000, + "event.kind": "event", + "event.module": "cyberarkpas", + 
"event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 15568, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.2.2", + "34.123.103.115", + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.2.2", + "source.ip": "10.0.2.2", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-14T13:49:54.000Z", + "cyberarkpas.audit.action": "PSM Disconnect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615729572", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "PSM Disconnect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_duration": "00:00:18", + "cyberarkpas.audit.extra_details.session_id": "d284c268-2ba0-4366-af52-e33459b073a1", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.user": "testark", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T13:49:54Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Disconnect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:49:54\n 2021-03-14T13:49:54Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:18;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + 
"cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 14 06:49:54", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "psm disconnect", + "event.category": [ + "session" + ], + "event.code": "302", + "event.dataset": "cyberarkpas.audit", + "event.duration": 18000000000, + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 18154, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + 
"source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-14T13:51:35.000Z", + "cyberarkpas.audit.action": "PSM Disconnect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615729572", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "PSM Disconnect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_duration": "00:00:54", + "cyberarkpas.audit.extra_details.session_id": "47747796-03e1-4a11-af39-ab56c00e7732", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.user": "testark", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T13:51:35Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Disconnect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:51:35\n 2021-03-14T13:51:35Z\n 
VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:54;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 14 06:51:35", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "psm disconnect", + "event.category": [ + "session" + ], + "event.code": "302", + "event.dataset": "cyberarkpas.audit", + "event.duration": 54000000000, + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 21738, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + 
], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T10:33:30.000Z", + "cyberarkpas.audit.action": "PSM Disconnect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "PSM Disconnect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_duration": "00:01:35", + "cyberarkpas.audit.extra_details.session_id": "29f340df-89e9-405a-beae-0216390cda42", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.user": "testark", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": 
"2021-03-15T10:33:30Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Disconnect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:33:30\n 2021-03-15T10:33:30Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:35;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 15 03:33:30", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "psm disconnect", + "event.category": [ + "session" + ], + "event.code": "302", + "event.dataset": "cyberarkpas.audit", + "event.duration": 95000000000, + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 25322, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + 
"observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T10:34:50.000Z", + "cyberarkpas.audit.action": "PSM Disconnect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "PSM Disconnect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_duration": "00:01:13", + "cyberarkpas.audit.extra_details.session_id": "f1654cf8-8ce5-472a-8205-ba731b0fab46", + 
"cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.user": "testark", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T10:34:50Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Disconnect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:34:50\n 2021-03-15T10:34:50Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:13;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 15 03:34:50", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "psm disconnect", + "event.category": [ + "session" + ], + "event.code": "302", + "event.dataset": "cyberarkpas.audit", + "event.duration": 73000000000, + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "file.path": "Root\\Operating 
System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 28386, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T11:12:09.000Z", + "cyberarkpas.audit.action": "PSM Disconnect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "PSM Disconnect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + 
"cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_duration": "00:37:10", + "cyberarkpas.audit.extra_details.session_id": "8b3d0b38-aef5-49d9-bdd7-d57706887d8b", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.user": "testark", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T11:12:09Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Disconnect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 04:12:09\n 2021-03-15T11:12:09Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:37:10;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 15 04:12:09", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "psm disconnect", + "event.category": [ + "session" + ], + "event.code": "302", + "event.dataset": "cyberarkpas.audit", + "event.duration": 2230000000000, + 
"event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 31450, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T13:18:36.000Z", + "cyberarkpas.audit.action": "PSM Disconnect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "PSM Disconnect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", 
+ "cyberarkpas.audit.extra_details.session_duration": "00:00:05", + "cyberarkpas.audit.extra_details.session_id": "692fe25f-f940-4170-8ea4-5241b35173f0", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.user": "adrian", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T13:18:36Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Disconnect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 06:18:36\n 2021-03-15T13:18:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:05;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 15 06:18:36", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "psm disconnect", + "event.category": [ + "session" + ], + "event.code": "302", + "event.dataset": "cyberarkpas.audit", + "event.duration": 5000000000, + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": 
"success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 34514, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T14:08:11.000Z", + "cyberarkpas.audit.action": "PSM Disconnect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "PSM Disconnect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_duration": "00:00:06", + 
"cyberarkpas.audit.extra_details.session_id": "f5725611-ca57-4a2a-a089-f45b3174a358", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.user": "adrian", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T14:08:11Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Disconnect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:08:11\n 2021-03-15T14:08:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:06;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 15 07:08:11", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "psm disconnect", + "event.category": [ + "session" + ], + "event.code": "302", + "event.dataset": "cyberarkpas.audit", + "event.duration": 6000000000, + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + 
"event.type": [ + "end" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 37110, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T14:08:36.000Z", + "cyberarkpas.audit.action": "PSM Disconnect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615814025", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.use_sudo_on_reconcile": "Yes", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "PSM Disconnect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_duration": "00:00:09", + "cyberarkpas.audit.extra_details.session_id": "7db90436-8a1a-4203-9a96-65137625ab2d", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.user": "testark", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T14:08:36Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Disconnect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:08:36\n 2021-03-15T14:08:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n 
ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:09;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 15 07:08:36", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "psm disconnect", + "event.category": [ + "session" + ], + "event.code": "302", + "event.dataset": "cyberarkpas.audit", + "event.duration": 9000000000, + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 39706, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": 
"Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T15:00:21.000Z", + "cyberarkpas.audit.action": "PSM Disconnect", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615819476", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "1", + "cyberarkpas.audit.ca_properties.use_sudo_on_reconcile": "Yes", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "PSM Disconnect", + "cyberarkpas.audit.extra_details.application_type": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_duration": "00:49:12", + "cyberarkpas.audit.extra_details.session_id": "27f74dce-f5d5-4c94-bf99-ca6aafe2c518", + 
"cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.user": "testark", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T15:00:21Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "PSM Disconnect", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 08:00:21\n 2021-03-15T15:00:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:49:12;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 15 08:00:21", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "psm disconnect", + "event.category": [ + "session" + ], + "event.code": "302", + "event.dataset": "cyberarkpas.audit", + "event.duration": 2952000000000, + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "file.path": 
"Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 43552, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/304_psm_upload_recording.log b/x-pack/filebeat/module/cyberarkpas/audit/test/304_psm_upload_recording.log new file mode 100644 index 00000000000..1469d6ed00a --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/304_psm_upload_recording.log 
@@ -0,0 +1 @@
+<5>1 2021-03-25T09:20:56Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 05:20:56\n 2021-03-25T09:20:56Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 304\n PSM Upload Recording\n Info\n PSMApp_COMP01\n PSM Upload Recording\n \n \n PSMRecordings\n Root\\a4636750-50a2-492e-984c-e08743d8a883.SSH.txt\n 10.0.0.15\n \n \n \n \n DstHost=rhel7.cybr.com;LogonAccount=logon;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:46;SessionID=a4636750-50a2-492e-984c-e08743d8a883;SrcHost=127.0.0.1;User=root;\n PSM Upload Recording\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 05:20:56","IsoTimestamp":"2021-03-25T09:20:56Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"304","Desc":"PSM Upload Recording","Severity":"Info","Issuer":"PSMApp_COMP01","Action":"PSM Upload Recording","SourceUser":"","TargetUser":"","Safe":"PSMRecordings","File":"Root\\a4636750-50a2-492e-984c-e08743d8a883.SSH.txt","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"DstHost=rhel7.cybr.com;LogonAccount=logon;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:46;SessionID=a4636750-50a2-492e-984c-e08743d8a883;SrcHost=127.0.0.1;User=root;","Message":"PSM Upload Recording","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/304_psm_upload_recording.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/304_psm_upload_recording.log-expected.json
new file mode 100644
index 00000000000..14603f0592b
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/304_psm_upload_recording.log-expected.json
@@ -0,0 +1,52 @@
+[
+ {
+ "@timestamp": "2021-03-25T09:20:56.000Z",
+ "cyberarkpas.audit.action": "PSM Upload Recording",
+ "cyberarkpas.audit.desc": "PSM Upload Recording",
+ "cyberarkpas.audit.extra_details.dst_host": "rhel7.cybr.com",
+ "cyberarkpas.audit.extra_details.logon_account": "logon",
+ "cyberarkpas.audit.extra_details.protocol": "SSH",
+ "cyberarkpas.audit.extra_details.psmid": "PSMServer",
+ "cyberarkpas.audit.extra_details.session_duration": "00:00:46",
+ "cyberarkpas.audit.extra_details.session_id": "a4636750-50a2-492e-984c-e08743d8a883",
+ "cyberarkpas.audit.extra_details.src_host": "127.0.0.1",
+ "cyberarkpas.audit.extra_details.user": "root",
+ "cyberarkpas.audit.file": "Root\\a4636750-50a2-492e-984c-e08743d8a883.SSH.txt",
+ "cyberarkpas.audit.iso_timestamp": "2021-03-25T09:20:56Z",
+ "cyberarkpas.audit.issuer": "PSMApp_COMP01",
+ "cyberarkpas.audit.message": "PSM Upload Recording",
+ "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 05:20:56\n 2021-03-25T09:20:56Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 304\n PSM Upload Recording\n Info\n PSMApp_COMP01\n PSM Upload Recording\n \n \n PSMRecordings\n Root\\a4636750-50a2-492e-984c-e08743d8a883.SSH.txt\n 10.0.0.15\n \n \n \n \n DstHost=rhel7.cybr.com;LogonAccount=logon;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:46;SessionID=a4636750-50a2-492e-984c-e08743d8a883;SrcHost=127.0.0.1;User=root;\n PSM Upload Recording\n \n \n\n",
+ "cyberarkpas.audit.rfc5424": true,
+ "cyberarkpas.audit.safe": "PSMRecordings",
+ "cyberarkpas.audit.severity": "Info",
+ "cyberarkpas.audit.station": "10.0.0.15",
+ "cyberarkpas.audit.timestamp": "Mar 25 05:20:56",
+ "event.action": "psm upload recording",
+ "event.code": "304",
+ "event.dataset": "cyberarkpas.audit",
+ "event.kind": "event",
+ "event.module": "cyberarkpas",
+ "event.severity": 2,
+ "event.timezone": "-02:00",
+ "file.path": "Root\\a4636750-50a2-492e-984c-e08743d8a883.SSH.txt",
+ "fileset.name": "audit",
+ "host.name": "VLT01",
+ "input.type": "log",
+ "log.offset": 0,
+ "log.syslog.priority": "5",
+ "observer.hostname": "VLT01",
+ "observer.product": "Vault",
+ "observer.vendor": "Cyber-Ark",
+ "observer.version": "12.0.0000",
+ "related.ip": [
+ "10.0.0.15"
+ ],
+ "service.type": "cyberarkpas",
+ "source.address": "10.0.0.15",
+ "source.ip": "10.0.0.15",
+ "tags": [
+ "cyberarkpas.audit",
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/308_use_password.log b/x-pack/filebeat/module/cyberarkpas/audit/test/308_use_password.log
new file mode 100644
index 00000000000..8c77aabf909
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/308_use_password.log
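Review bot: The pinned output for message 304 keeps the PSM session facts only under `cyberarkpas.audit.extra_details.*` (`dst_host` `rhel7.cybr.com`, `user` `root`, `protocol` `SSH`, `src_host` `127.0.0.1`) while `destination.domain`, `destination.user.name`, `network.protocol`, `related.user` and `event.category`/`event.type` are all absent, and `related.ip` holds only the `Station` address `10.0.0.15`. Detection content keyed on `related.user` or `destination.user.name` will therefore never see which account a recorded privileged session ran as, even though the 308 events in this same change do populate those fields from `ca_properties`. Since this fixture appears to be generated from the ingest pipeline (not in this chunk), the fix belongs there: a 304-specific step copying `DstHost`, `User`, `Protocol` and `SrcHost` into the ECS destination/network fields and appending the user to `related.user`, after which this expected file is regenerated. If a generic ExtraDetails mapping is intended, a comment in the pipeline stating that session-recording details are deliberately left unmapped would at least make the gap explicit.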
@@ -0,0 +1,11 @@ +{"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 308\n Use Password\n Info\n adm2\n Use Password\n \n \n Windows\n Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\n 10.2.0.6\n \n \n \n (Action: Connect)\n \n Use Password\n 10.2.0.3\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"308","IsoTimestamp":"2021-03-16T15:01:00Z","Desc":"Use Password","Severity":"Info","Issuer":"adm2","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"Windows","File":"Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2","Station":"10.2.0.6","Location":"","Category":"","RequestId":"","Reason":"(Action: Connect)","ExtraDetails":"","Message":"Use Password","GatewayStation":"10.2.0.3","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WIN-SERVER-LOCAL"},{"Name":"UserName","Value":"Administrator2"},{"Name":"Address","Value":"dbserver.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"LogonDomain","Value":"DBServer"},{"Name":"SequenceID","Value":"1"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"success"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"LastSuccessReconciliation","Value":"1604944215"},{"Name":"Customer","Value":"EvilCorp"}]}}}} +<5>1 2021-03-11T17:38:12Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:12\n 2021-03-11T17:38:12Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n fun and profit\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 
09:38:12","IsoTimestamp":"2021-03-11T17:38:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"fun and profit","ExtraDetails":"","Message":"Use Password","GatewayStation":"81.32.170.205","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:46:49Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:46:49\n 2021-03-11T17:46:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n FOR FUN.\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:46:49","IsoTimestamp":"2021-03-11T17:46:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"FOR FUN.","ExtraDetails":"","Message":"Use Password","GatewayStation":"81.32.170.205","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:48:27Z 
VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:27\n 2021-03-11T17:48:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n For fun and profit\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:27","IsoTimestamp":"2021-03-11T17:48:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"For fun and profit","ExtraDetails":"","Message":"Use Password","GatewayStation":"81.32.170.205","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:54:49Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:54:49\n 2021-03-11T17:54:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n Because I say so\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:54:49","IsoTimestamp":"2021-03-11T17:54:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating 
System-UnixSSHKeys-34.123.103.115-adrian","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"Because I say so","ExtraDetails":"","Message":"Use Password","GatewayStation":"81.32.170.205","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:56:30Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:56:30\n 2021-03-11T17:56:30Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n for fun\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:56:30","IsoTimestamp":"2021-03-11T17:56:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"for fun","ExtraDetails":"","Message":"Use Password","GatewayStation":"81.32.170.205","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T20:23:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:23:17\n 2021-03-11T20:23:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n testing\n \n 
Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:23:17","IsoTimestamp":"2021-03-11T20:23:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"testing","ExtraDetails":"","Message":"Use Password","GatewayStation":"81.32.170.205","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-14T13:49:35Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:35\n 2021-03-14T13:49:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.32.170.205\n \n \n \n \n \n Use Password\n 34.71.250.247\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:35","IsoTimestamp":"2021-03-14T13:49:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Use 
Password","GatewayStation":"34.71.250.247","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:31:54Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:31:54\n 2021-03-15T10:31:54Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.32.170.205\n \n \n \n \n \n Use Password\n 34.71.250.247\n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:31:54","IsoTimestamp":"2021-03-15T10:31:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Use 
Password","GatewayStation":"34.71.250.247","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T14:08:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:26\n 2021-03-15T14:08:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.32.170.205\n \n \n \n \n \n Use Password\n 34.71.250.247\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:08:26","IsoTimestamp":"2021-03-15T14:08:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Use Password","GatewayStation":"34.71.250.247","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. 
Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<5>1 2021-03-16T10:04:49Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 16 03:04:49\n 2021-03-16T10:04:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.32.170.205\n \n \n \n \n \n Use Password\n 34.71.250.247\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 16 03:04:49","IsoTimestamp":"2021-03-16T10:04:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Use Password","GatewayStation":"34.71.250.247","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"4"},{"Name":"LastFailDate","Value":"1615888216"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} 
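Review bot: The `Station`, `GatewayStation` and CAProperty `Address` values across all eleven records are routable public addresses — `81.32.170.205` (which the expected output geolocates to Barcelona), `34.123.103.115` and `34.71.250.247` — rather than RFC 5737 documentation ranges (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`). Besides publishing what looks like a real ISP endpoint and cloud hosts in a public repository, this makes the companion `-expected.json` depend on GeoIP lookups (`source.geo.*`, `destination.geo.*`) that can drift with the database version unless the test harness pins one, which is not visible here. Rewriting them before merge, e.g. `"Station":"198.51.100.10"` and `"GatewayStation":"203.0.113.5"`, and regenerating the expected files would remove both the exposure and the geo fields, which are not what this fileset is meant to test. The `rhel7.cybr.com` hostname and the `EvilCorp` customer property are clearly synthetic and can stay.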
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/308_use_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/308_use_password.log-expected.json
new file mode 100644
index 00000000000..a2125afe5c1
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/308_use_password.log-expected.json
@@ -0,0 +1,897 @@ +[ + { + "@timestamp": "2021-03-16T15:01:00.000Z", + "cyberarkpas.audit.action": "Use Password", + "cyberarkpas.audit.ca_properties.address": "dbserver.cyberark.local", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.customer": "EvilCorp", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_success_reconciliation": "1604944215", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.logon_domain": "DBServer", + "cyberarkpas.audit.ca_properties.policy_id": "WIN-SERVER-LOCAL", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.sequence_id": "1", + "cyberarkpas.audit.ca_properties.user_name": "Administrator2", + "cyberarkpas.audit.desc": "Use Password", + "cyberarkpas.audit.file": "Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2", + "cyberarkpas.audit.gateway_station": "10.2.0.3", + "cyberarkpas.audit.iso_timestamp": "2021-03-16T15:01:00Z", + "cyberarkpas.audit.issuer": "adm2", + "cyberarkpas.audit.message": "Use Password", + "cyberarkpas.audit.raw": "\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 308\n Use Password\n Info\n adm2\n Use Password\n \n \n Windows\n Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\n 10.2.0.6\n \n \n \n (Action: Connect)\n \n Use Password\n 10.2.0.3\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n", + "cyberarkpas.audit.reason": "(Action: Connect)", + "cyberarkpas.audit.rfc5424": false, + "cyberarkpas.audit.safe": "Windows", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.2.0.6", + "destination.address": "dbserver.cyberark.local", + "destination.domain": "dbserver.cyberark.local", + "destination.user.name": "Administrator2", + "event.action": "use password", + "event.category": [ + "iam" + ], + 
"event.code": "308", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.reason": "(Action: Connect)", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2", + "fileset.name": "audit", + "input.type": "log", + "log.offset": 0, + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.6.0000", + "related.ip": [ + "10.2.0.6", + "10.2.0.3" + ], + "related.user": [ + "adm2", + "Administrator2" + ], + "service.type": "cyberarkpas", + "source.address": "10.2.0.6", + "source.ip": "10.2.0.6", + "source.user.name": "adm2", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "adm2" + }, + { + "@timestamp": "2021-03-11T17:38:12.000Z", + "cyberarkpas.audit.action": "Use Password", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "Use Password", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.gateway_station": "81.32.170.205", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:38:12Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Use Password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:12\n 2021-03-11T17:38:12Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n fun and profit\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "fun and 
profit", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 11 09:38:12", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "use password", + "event.category": [ + "iam" + ], + "event.code": "308", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.reason": "fun and profit", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2883, + "log.syslog.priority": "5", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "34.123.103.115", + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-11T17:46:49.000Z", + "cyberarkpas.audit.action": "Use Password", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + 
"cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "Use Password", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.gateway_station": "81.32.170.205", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:46:49Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Use Password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:46:49\n 2021-03-11T17:46:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n FOR FUN.\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "FOR FUN.", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 11 09:46:49", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "use password", + "event.category": [ + "iam" + ], + "event.code": "308", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.reason": "FOR FUN.", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Operating 
System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 5109, + "log.syslog.priority": "5", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "34.123.103.115", + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-11T17:48:27.000Z", + "cyberarkpas.audit.action": "Use Password", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "Use Password", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.gateway_station": "81.32.170.205", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:48:27Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Use Password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:48:27\n 2021-03-11T17:48:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n For fun and profit\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "For fun and profit", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": 
"10.0.2.2", + "cyberarkpas.audit.timestamp": "Mar 11 09:48:27", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "use password", + "event.category": [ + "iam" + ], + "event.code": "308", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.reason": "For fun and profit", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 7323, + "log.syslog.priority": "5", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.2.2", + "34.123.103.115", + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.2.2", + "source.ip": "10.0.2.2", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-11T17:54:49.000Z", + "cyberarkpas.audit.action": "Use Password", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": 
"adrian", + "cyberarkpas.audit.desc": "Use Password", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.gateway_station": "81.32.170.205", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:54:49Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Use Password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:54:49\n 2021-03-11T17:54:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n Because I say so\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "Because I say so", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.2.2", + "cyberarkpas.audit.timestamp": "Mar 11 09:54:49", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "use password", + "event.category": [ + "iam" + ], + "event.code": "308", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.reason": "Because I say so", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 9555, + "log.syslog.priority": "5", + 
"network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.2.2", + "34.123.103.115", + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.2.2", + "source.ip": "10.0.2.2", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-11T17:56:30.000Z", + "cyberarkpas.audit.action": "Use Password", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "Use Password", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.gateway_station": "81.32.170.205", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:56:30Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Use Password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:56:30\n 2021-03-11T17:56:30Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n for fun\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "for fun", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.2.2", + "cyberarkpas.audit.timestamp": "Mar 11 09:56:30", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North 
America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "use password", + "event.category": [ + "iam" + ], + "event.code": "308", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.reason": "for fun", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 11783, + "log.syslog.priority": "5", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.2.2", + "34.123.103.115", + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.2.2", + "source.ip": "10.0.2.2", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-11T20:23:17.000Z", + "cyberarkpas.audit.action": "Use Password", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "Use Password", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.gateway_station": "81.32.170.205", + 
"cyberarkpas.audit.iso_timestamp": "2021-03-11T20:23:17Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Use Password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 12:23:17\n 2021-03-11T20:23:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n testing\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "testing", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.2.2", + "cyberarkpas.audit.timestamp": "Mar 11 12:23:17", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "use password", + "event.category": [ + "iam" + ], + "event.code": "308", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.reason": "testing", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 13993, + "log.syslog.priority": "5", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.2.2", + "34.123.103.115", + "81.32.170.205" + ], + 
"related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.2.2", + "source.ip": "10.0.2.2", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-14T13:49:35.000Z", + "cyberarkpas.audit.action": "Use Password", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615729572", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "Use Password", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.gateway_station": "34.71.250.247", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T13:49:35Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Use Password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:49:35\n 2021-03-14T13:49:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.32.170.205\n \n \n \n \n \n Use Password\n 34.71.250.247\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + 
"cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 14 06:49:35", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "use password", + "event.category": [ + "iam" + ], + "event.code": "308", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 16203, + "log.syslog.priority": "5", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + 
"@timestamp": "2021-03-15T10:31:54.000Z", + "cyberarkpas.audit.action": "Use Password", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "Use Password", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.gateway_station": "34.71.250.247", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T10:31:54Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Use Password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:31:54\n 2021-03-15T10:31:54Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.32.170.205\n \n \n \n \n \n Use Password\n 34.71.250.247\n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 15 03:31:54", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": 
"34.123.103.115", + "destination.user.name": "testark", + "event.action": "use password", + "event.category": [ + "iam" + ], + "event.code": "308", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 19395, + "log.syslog.priority": "5", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T14:08:26.000Z", + "cyberarkpas.audit.action": "Use Password", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615814025", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.use_sudo_on_reconcile": "Yes", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "Use Password", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.gateway_station": "34.71.250.247", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T14:08:26Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Use Password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:08:26\n 2021-03-15T14:08:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.32.170.205\n \n \n \n \n \n Use Password\n 34.71.250.247\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 15 07:08:26", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + 
"destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "use password", + "event.category": [ + "iam" + ], + "event.code": "308", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 22067, + "log.syslog.priority": "5", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-16T10:04:49.000Z", + "cyberarkpas.audit.action": "Use Password", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615888216", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "4", + "cyberarkpas.audit.ca_properties.use_sudo_on_reconcile": "Yes", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "Use Password", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.gateway_station": "34.71.250.247", + "cyberarkpas.audit.iso_timestamp": "2021-03-16T10:04:49Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Use Password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 16 03:04:49\n 2021-03-16T10:04:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.32.170.205\n \n \n \n \n \n Use Password\n 34.71.250.247\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 16 03:04:49", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + 
"destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "use password", + "event.category": [ + "iam" + ], + "event.code": "308", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 25521, + "log.syslog.priority": "5", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/309_undefined_user_logon.log b/x-pack/filebeat/module/cyberarkpas/audit/test/309_undefined_user_logon.log new file mode 100644 index 00000000000..18c5b7e67fb --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/309_undefined_user_logon.log 
@@ -0,0 +1,5 @@
+<7>1 2021-03-08T18:31:52Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:31:52","IsoTimestamp":"2021-03-08T18:31:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"309","Desc":"Undefined User Logon","Severity":"Error","Issuer":"adriansr","Action":"Undefined User Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Undefined User Logon","GatewayStation":"10.0.1.20"}}}
+<7>1 2021-03-08T18:32:03Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:32:03","IsoTimestamp":"2021-03-08T18:32:03Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"309","Desc":"Undefined User Logon","Severity":"Error","Issuer":"adriansra","Action":"Undefined User Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Undefined User Logon","GatewayStation":"10.0.1.20"}}}
+<7>1 2021-03-11T16:43:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:43:26\n 2021-03-11T16:43:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n PSMAdmin\n Undefined User Logon\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Undefined User Logon\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:43:26","IsoTimestamp":"2021-03-11T16:43:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"309","Desc":"Undefined User Logon","Severity":"Error","Issuer":"PSMAdmin","Action":"Undefined User Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Undefined User Logon","GatewayStation":""}}}
+<7>1 2021-03-11T17:46:28Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:46:28\n 2021-03-11T17:46:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n adrian\n Undefined User Logon\n \n \n \n \n 127.0.0.1\n \n \n \n \n \n Undefined User Logon\n 81.32.170.205\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:46:28","IsoTimestamp":"2021-03-11T17:46:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"309","Desc":"Undefined User Logon","Severity":"Error","Issuer":"adrian","Action":"Undefined User Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Undefined User Logon","GatewayStation":"81.32.170.205"}}}
+<7>1 2021-03-14T13:28:00Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:28:00\n 2021-03-14T13:28:00Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n testark\n Undefined User Logon\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Undefined User Logon\n 34.71.250.247\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:28:00","IsoTimestamp":"2021-03-14T13:28:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"309","Desc":"Undefined User Logon","Severity":"Error","Issuer":"testark","Action":"Undefined User Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Undefined User Logon","GatewayStation":"34.71.250.247"}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/309_undefined_user_logon.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/309_undefined_user_logon.log-expected.json
new file mode 100644
index 00000000000..30198346cee
--- /dev/null
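Review bot: The new fixture publishes what appear to be real routable addresses (81.32.170.205, 34.71.250.247) and a personal account name (adriansr) in the Station, GatewayStation and Issuer fields of all five records. Test data for a security module is normally scrubbed to RFC 5737 documentation ranges and neutral usernames so the repository does not carry someone's real infrastructure and identity details; if routable addresses were kept deliberately so the geo enrichment in the expected output has something to resolve, a one-line remark to that effect in the module README or test config would make the choice explicit. The third record deliberately leaves `"GatewayStation":""`, which is a useful case to keep since it exercises the no-destination path.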
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/309_undefined_user_logon.log-expected.json 
@@ -0,0 +1,302 @@ +[ + { + "@timestamp": "2021-03-08T18:31:52.000Z", + "cyberarkpas.audit.action": "Undefined User Logon", + "cyberarkpas.audit.desc": "Undefined User Logon", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-08T18:31:52Z", + "cyberarkpas.audit.issuer": "adriansr", + "cyberarkpas.audit.message": "Undefined User Logon", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 08 10:31:52", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "authentication_failure", + "event.category": [ + "authentication" + ], + "event.code": "309", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "7", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "related.user": [ + "adriansr" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "adriansr" + }, + { + "@timestamp": "2021-03-08T18:32:03.000Z", + "cyberarkpas.audit.action": "Undefined User Logon", + "cyberarkpas.audit.desc": "Undefined User Logon", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-08T18:32:03Z", + "cyberarkpas.audit.issuer": "adriansra", + "cyberarkpas.audit.message": "Undefined User Logon", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": 
"127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 08 10:32:03", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "authentication_failure", + "event.category": [ + "authentication" + ], + "event.code": "309", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 589, + "log.syslog.priority": "7", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "related.user": [ + "adriansra" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "adriansra" + }, + { + "@timestamp": "2021-03-11T16:43:26.000Z", + "cyberarkpas.audit.action": "Undefined User Logon", + "cyberarkpas.audit.desc": "Undefined User Logon", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:43:26Z", + "cyberarkpas.audit.issuer": "PSMAdmin", + "cyberarkpas.audit.message": "Undefined User Logon", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:43:26\n 2021-03-11T16:43:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n PSMAdmin\n Undefined User Logon\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Undefined User Logon\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 08:43:26", + "event.action": "authentication_failure", + "event.category": [ + "authentication" + ], + "event.code": "309", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + 
"event.outcome": "failure", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1179, + "log.syslog.priority": "7", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "PSMAdmin" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PSMAdmin" + }, + { + "@timestamp": "2021-03-11T17:46:28.000Z", + "cyberarkpas.audit.action": "Undefined User Logon", + "cyberarkpas.audit.desc": "Undefined User Logon", + "cyberarkpas.audit.gateway_station": "81.32.170.205", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:46:28Z", + "cyberarkpas.audit.issuer": "adrian", + "cyberarkpas.audit.message": "Undefined User Logon", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:46:28\n 2021-03-11T17:46:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n adrian\n Undefined User Logon\n \n \n \n \n 127.0.0.1\n \n \n \n \n \n Undefined User Logon\n 81.32.170.205\n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 11 09:46:28", + "destination.address": "81.32.170.205", + "destination.geo.city_name": "Barcelona", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "ES", + "destination.geo.country_name": "Spain", + 
"destination.geo.location.lat": 41.387, + "destination.geo.location.lon": 2.1701, + "destination.geo.region_iso_code": "ES-B", + "destination.geo.region_name": "Barcelona", + "destination.ip": "81.32.170.205", + "event.action": "authentication_failure", + "event.category": [ + "authentication" + ], + "event.code": "309", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2627, + "log.syslog.priority": "7", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "81.32.170.205" + ], + "related.user": [ + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "adrian" + }, + { + "@timestamp": "2021-03-14T13:28:00.000Z", + "cyberarkpas.audit.action": "Undefined User Logon", + "cyberarkpas.audit.desc": "Undefined User Logon", + "cyberarkpas.audit.gateway_station": "34.71.250.247", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T13:28:00Z", + "cyberarkpas.audit.issuer": "testark", + "cyberarkpas.audit.message": "Undefined User Logon", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:28:00\n 2021-03-14T13:28:00Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n testark\n Undefined User Logon\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Undefined User Logon\n 34.71.250.247\n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 14 06:28:00", + "destination.address": "34.71.250.247", + "destination.geo.city_name": 
"Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.71.250.247", + "event.action": "authentication_failure", + "event.category": [ + "authentication" + ], + "event.code": "309", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 4089, + "log.syslog.priority": "7", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.71.250.247" + ], + "related.user": [ + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "testark" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/310_monitor_dr_replication_start.log b/x-pack/filebeat/module/cyberarkpas/audit/test/310_monitor_dr_replication_start.log new file mode 100644 index 00000000000..f2577708d06 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/310_monitor_dr_replication_start.log 
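Review bot: Every record in this golden file carries `"event.category": ["authentication"]` with `"event.type": ["error"]` and `"event.outcome": "failure"`; ECS lists `start`, `end` and `info` as the expected types for the authentication category, and other Filebeat modules emit `["start"]` with `event.outcome: failure` for a failed logon, so detection rules keyed on `event.category:authentication and event.type:start` would not match these 309 events. The mapping is produced by the ingest pipeline, which is not part of this hunk, so the change would be made there and this file regenerated. If `error` was chosen on purpose, a short comment in the pipeline explaining the deviation would help reviewers of later golden-file updates.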
@@ -0,0 +1,2 @@
+<5>1 2021-03-04T19:10:01Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:10:01","IsoTimestamp":"2021-03-04T19:10:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"310","Desc":"Monitor DR Replication start","Severity":"Info","Issuer":"Batch","Action":"Monitor DR Replication start","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Monitor DR Replication start","GatewayStation":""}}}
+Mar 08 02:48:07 VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"310","Desc":"Monitor DR Replication start","Severity":"Info","Issuer":"Batch","Action":"Monitor DR Replication start","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Monitor DR Replication start","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/310_monitor_dr_replication_start.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/310_monitor_dr_replication_start.log-expected.json
new file mode 100644
index 00000000000..5b958288c53
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/310_monitor_dr_replication_start.log-expected.json
@@ -0,0 +1,75 @@ +[ + { + "@timestamp": "2021-03-04T19:10:01.000Z", + "cyberarkpas.audit.action": "Monitor DR Replication start", + "cyberarkpas.audit.desc": "Monitor DR Replication start", + "cyberarkpas.audit.iso_timestamp": "2021-03-04T19:10:01Z", + "cyberarkpas.audit.issuer": "Batch", + "cyberarkpas.audit.message": "Monitor DR Replication start", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "0.0.0.0", + "cyberarkpas.audit.timestamp": "Mar 04 11:10:01", + "event.action": "monitor dr replication start", + "event.code": "310", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "0.0.0.0" + ], + "service.type": "cyberarkpas", + "source.address": "0.0.0.0", + "source.ip": "0.0.0.0", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-08T02:48:07.000-02:00", + "cyberarkpas.audit.action": "Monitor DR Replication start", + "cyberarkpas.audit.desc": "Monitor DR Replication start", + "cyberarkpas.audit.issuer": "Batch", + "cyberarkpas.audit.message": "Monitor DR Replication start", + "cyberarkpas.audit.rfc5424": false, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "0.0.0.0", + "event.action": "monitor dr replication start", + "event.code": "310", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 598, + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", 
+ "observer.version": "11.7.0000", + "related.ip": [ + "0.0.0.0" + ], + "service.type": "cyberarkpas", + "source.address": "0.0.0.0", + "source.ip": "0.0.0.0", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/311_monitor_dr_replication_end.log b/x-pack/filebeat/module/cyberarkpas/audit/test/311_monitor_dr_replication_end.log new file mode 100644 index 00000000000..1e3812c2a8b --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/311_monitor_dr_replication_end.log @@ -0,0 +1,2 @@ +<5>1 2021-03-04T19:10:01Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:10:01","IsoTimestamp":"2021-03-04T19:10:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"311","Desc":"Monitor DR Replication end","Severity":"Info","Issuer":"Batch","Action":"Monitor DR Replication end","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Monitor DR Replication end","GatewayStation":""}}} +Mar 08 02:48:07 VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"311","Desc":"Monitor DR Replication end","Severity":"Info","Issuer":"Batch","Action":"Monitor DR Replication end","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Monitor DR Replication end","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/311_monitor_dr_replication_end.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/311_monitor_dr_replication_end.log-expected.json new file mode 100644 index 00000000000..e4999439bea --- /dev/null 
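Review bot: In both records of 310_monitor_dr_replication_start.log-expected.json the vendor placeholder `Station: "0.0.0.0"` is copied verbatim into `source.ip`, `source.address` and `related.ip`, so every Batch-issued housekeeping event (310 and the 311 fixture on this same line) will match any detection rule or enrichment that joins on `related.ip`. Unless 0.0.0.0 is meant to be searchable, the ingest pipeline (not part of this diff) should treat a station of 0.0.0.0 like an empty value and leave `source.*` and `related.ip` unset, after which these expected files would simply lose those three keys. If the pass-through is intentional, a sentence in the `cyberarkpas.audit.station` field description saying that `0.0.0.0` denotes an internal/batch origin would let analysts filter it out deliberately.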
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/311_monitor_dr_replication_end.log-expected.json 
@@ -0,0 +1,75 @@ +[ + { + "@timestamp": "2021-03-04T19:10:01.000Z", + "cyberarkpas.audit.action": "Monitor DR Replication end", + "cyberarkpas.audit.desc": "Monitor DR Replication end", + "cyberarkpas.audit.iso_timestamp": "2021-03-04T19:10:01Z", + "cyberarkpas.audit.issuer": "Batch", + "cyberarkpas.audit.message": "Monitor DR Replication end", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "0.0.0.0", + "cyberarkpas.audit.timestamp": "Mar 04 11:10:01", + "event.action": "monitor dr replication end", + "event.code": "311", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "0.0.0.0" + ], + "service.type": "cyberarkpas", + "source.address": "0.0.0.0", + "source.ip": "0.0.0.0", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-08T02:48:07.000-02:00", + "cyberarkpas.audit.action": "Monitor DR Replication end", + "cyberarkpas.audit.desc": "Monitor DR Replication end", + "cyberarkpas.audit.issuer": "Batch", + "cyberarkpas.audit.message": "Monitor DR Replication end", + "cyberarkpas.audit.rfc5424": false, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "0.0.0.0", + "event.action": "monitor dr replication end", + "event.code": "311", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 592, + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + 
"observer.version": "11.7.0000", + "related.ip": [ + "0.0.0.0" + ], + "service.type": "cyberarkpas", + "source.address": "0.0.0.0", + "source.ip": "0.0.0.0", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/316_reset_user_password_detailed_information.log b/x-pack/filebeat/module/cyberarkpas/audit/test/316_reset_user_password_detailed_information.log new file mode 100644 index 00000000000..41f67cb2add --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/316_reset_user_password_detailed_information.log @@ -0,0 +1 @@ +<5>1 2021-03-10T18:16:45Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:45","IsoTimestamp":"2021-03-10T18:16:45Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"316","Desc":"Reset User Password Detailed Information","Severity":"Info","Issuer":"Administrator","Action":"Reset User Password Detailed Information","SourceUser":"PSMGw_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"Password changed","ExtraDetails":"","Message":"Reset User Password Detailed Information","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/316_reset_user_password_detailed_information.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/316_reset_user_password_detailed_information.log-expected.json new file mode 100644 index 00000000000..69d0c37dab4 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/316_reset_user_password_detailed_information.log-expected.json 
@@ -0,0 +1,50 @@ +[ + { + "@timestamp": "2021-03-10T18:16:45.000Z", + "cyberarkpas.audit.action": "Reset User Password Detailed Information", + "cyberarkpas.audit.desc": "Reset User Password Detailed Information", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T18:16:45Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Reset User Password Detailed Information", + "cyberarkpas.audit.reason": "Password changed", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMGw_VAGRANT", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 10:16:45", + "event.action": "reset user password detailed information", + "event.code": "316", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/317_reset_user_password.log b/x-pack/filebeat/module/cyberarkpas/audit/test/317_reset_user_password.log new file mode 100644 index 00000000000..f52711e43b9 --- /dev/null 
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/317_reset_user_password.log
@@ -0,0 +1 @@
+<5>1 2021-03-10T18:16:45Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:45","IsoTimestamp":"2021-03-10T18:16:45Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"317","Desc":"Reset User Password","Severity":"Info","Issuer":"Administrator","Action":"Reset User Password","SourceUser":"PSMGw_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Reset User Password","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/317_reset_user_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/317_reset_user_password.log-expected.json
new file mode 100644
index 00000000000..4a37960e278
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/317_reset_user_password.log-expected.json
@@ -0,0 +1,49 @@ +[ + { + "@timestamp": "2021-03-10T18:16:45.000Z", + "cyberarkpas.audit.action": "Reset User Password", + "cyberarkpas.audit.desc": "Reset User Password", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T18:16:45Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Reset User Password", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMGw_VAGRANT", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 10:16:45", + "event.action": "reset user password", + "event.code": "317", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/31_cpm_reconcile_password.log b/x-pack/filebeat/module/cyberarkpas/audit/test/31_cpm_reconcile_password.log new file mode 100644 index 00000000000..ec268677c60 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/31_cpm_reconcile_password.log 
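Review bot: The expected output for a `Reset User Password` event carries no `user.*` fields and no `event.category`/`event.type`: the issuer `Administrator` and the account whose password was reset, `PSMGw_VAGRANT`, survive only in `cyberarkpas.audit.issuer` and `cyberarkpas.audit.source_user`, and `related.user` is absent, whereas the 31 CPM Reconcile Password fixture in this same diff maps the issuer to `user.name`, the affected account to `user.target.name` and gets `event.category: ["iam"]` with `event.type: ["user", "change"]`. A credential reset on the vault is one of the events a SOC most wants keyed by user, so if this output is intentional it is a gap in the pipeline (outside this diff); I would expect `"user.name": "Administrator"`, `"user.target.name": "PSMGw_VAGRANT"` and `"related.user": ["Administrator", "PSMGw_VAGRANT"]` here and in the 316 fixture. Regenerating the expected files after the pipeline change is the check.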
@@ -0,0 +1 @@ +{"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 31\n CPM Reconcile Password\n Info\n PasswordManager\n CPM Reconcile Password\n \n \n Windows\n Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\n 10.2.0.4\n \n \n \n ImmediateTask\n address=dbserver.cyberark.local;username=Administrator2;\n CPM Reconcile Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","IsoTimestamp":"2021-03-16T15:01:00Z","Version":"11.6.0000","MessageID":"31","Desc":"CPM Reconcile Password","Severity":"Info","Issuer":"PasswordManager","Action":"CPM Reconcile Password","SourceUser":"","TargetUser":"","Safe":"Windows","File":"Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2","Station":"10.2.0.4","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask","ExtraDetails":"address=dbserver.cyberark.local;username=Administrator2;","Message":"CPM Reconcile Password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WIN-SERVER-LOCAL"},{"Name":"UserName","Value":"Administrator2"},{"Name":"Address","Value":"dbserver.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"LogonDomain","Value":"DBServer"},{"Name":"SequenceID","Value":"1"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"success"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"LastSuccessReconciliation","Value":"1604944215"},{"Name":"Customer","Value":"EvilCorp"}]}}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/31_cpm_reconcile_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/31_cpm_reconcile_password.log-expected.json new file mode 100644 index 00000000000..60aaf45b24e --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/31_cpm_reconcile_password.log-expected.json 
@@ -0,0 +1,71 @@ +[ + { + "@timestamp": "2021-03-16T15:01:00.000Z", + "cyberarkpas.audit.action": "CPM Reconcile Password", + "cyberarkpas.audit.ca_properties.address": "dbserver.cyberark.local", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.customer": "EvilCorp", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_success_reconciliation": "1604944215", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.logon_domain": "DBServer", + "cyberarkpas.audit.ca_properties.policy_id": "WIN-SERVER-LOCAL", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.sequence_id": "1", + "cyberarkpas.audit.ca_properties.user_name": "Administrator2", + "cyberarkpas.audit.desc": "CPM Reconcile Password", + "cyberarkpas.audit.extra_details.address": "dbserver.cyberark.local", + "cyberarkpas.audit.extra_details.username": "Administrator2", + "cyberarkpas.audit.file": "Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2", + "cyberarkpas.audit.iso_timestamp": "2021-03-16T15:01:00Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Reconcile Password", + "cyberarkpas.audit.raw": "\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 31\n CPM Reconcile Password\n Info\n PasswordManager\n CPM Reconcile Password\n \n \n Windows\n Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\n 10.2.0.4\n \n \n \n ImmediateTask\n address=dbserver.cyberark.local;username=Administrator2;\n CPM Reconcile Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n", + "cyberarkpas.audit.reason": "ImmediateTask", + "cyberarkpas.audit.rfc5424": false, + "cyberarkpas.audit.safe": "Windows", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.2.0.4", + 
"destination.address": "dbserver.cyberark.local", + "destination.domain": "dbserver.cyberark.local", + "event.action": "cpm reconcile password", + "event.category": [ + "iam" + ], + "event.code": "31", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "user", + "change" + ], + "file.path": "Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2", + "fileset.name": "audit", + "input.type": "log", + "log.offset": 0, + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.6.0000", + "related.ip": [ + "10.2.0.4" + ], + "related.user": [ + "PasswordManager", + "Administrator2" + ], + "service.type": "cyberarkpas", + "source.address": "10.2.0.4", + "source.ip": "10.2.0.4", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager", + "user.target.name": "Administrator2" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/326_cpm_auto_detection_start.log b/x-pack/filebeat/module/cyberarkpas/audit/test/326_cpm_auto_detection_start.log new file mode 100644 index 00000000000..e58b64d6750 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/326_cpm_auto_detection_start.log 
@@ -0,0 +1 @@ +<5>1 2021-03-11T16:21:37Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:21:37\n 2021-03-11T16:21:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 326\n CPM Auto-detection Start\n Info\n PasswordManager\n CPM Auto-detection Start\n \n \n PasswordManager_info\n \n 10.0.1.20\n \n \n \n \n ADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;\n CPM Auto-detection Start\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:21:37","IsoTimestamp":"2021-03-11T16:21:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"326","Desc":"CPM Auto-detection Start","Severity":"Info","Issuer":"PasswordManager","Action":"CPM Auto-detection Start","SourceUser":"","TargetUser":"","Safe":"PasswordManager_info","File":" ","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":" ","ExtraDetails":"ADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;","Message":"CPM Auto-detection Start","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/326_cpm_auto_detection_start.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/326_cpm_auto_detection_start.log-expected.json new file mode 100644 index 00000000000..c488fa9349d --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/326_cpm_auto_detection_start.log-expected.json 
@@ -0,0 +1,47 @@ +[ + { + "@timestamp": "2021-03-11T16:21:37.000Z", + "cyberarkpas.audit.action": "CPM Auto-detection Start", + "cyberarkpas.audit.desc": "CPM Auto-detection Start", + "cyberarkpas.audit.extra_details.ad_process_id": "2b2d3024-be5a-4b57-9f64-3813fb56e9b9", + "cyberarkpas.audit.extra_details.ad_process_name": "LDAP Based Windows Local Administrator Account Provisioning", + "cyberarkpas.audit.file": " ", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:21:37Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Auto-detection Start", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:21:37\n 2021-03-11T16:21:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 326\n CPM Auto-detection Start\n Info\n PasswordManager\n CPM Auto-detection Start\n \n \n PasswordManager_info\n \n 10.0.1.20\n \n \n \n \n ADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;\n CPM Auto-detection Start\n \n \n\n", + "cyberarkpas.audit.reason": " ", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PasswordManager_info", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 11 08:21:37", + "event.action": "cpm auto-detection start", + "event.code": "326", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": " ", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file 
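Review bot: `File` and `Reason` arrive as a single space in this fixture and are passed through untrimmed, so the expected output contains `"cyberarkpas.audit.file": " "`, `"cyberarkpas.audit.reason": " "` and, worse, `"file.path": " "` — a whitespace-only ECS file path that shows up as its own term in aggregations and defeats exists/empty checks in rules. The pipeline (not in this diff) should trim these values and drop them when empty, after which those three keys disappear from the expected JSON for 326 and for the identical 327 fixture. If a bare space is a meaningful value in CyberArk's schema, that should be stated in the `cyberarkpas.audit.file` field description instead.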
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/327_cpm_auto_detection_end.log b/x-pack/filebeat/module/cyberarkpas/audit/test/327_cpm_auto_detection_end.log new file mode 100644 index 00000000000..8055d656a08 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/327_cpm_auto_detection_end.log @@ -0,0 +1 @@ +<5>1 2021-03-11T16:21:37Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:21:37\n 2021-03-11T16:21:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 327\n CPM Auto-detection End\n Info\n PasswordManager\n CPM Auto-detection End\n \n \n PasswordManager_info\n \n 10.0.1.20\n \n \n \n \n ADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;\n CPM Auto-detection End\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:21:37","IsoTimestamp":"2021-03-11T16:21:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"327","Desc":"CPM Auto-detection End","Severity":"Info","Issuer":"PasswordManager","Action":"CPM Auto-detection End","SourceUser":"","TargetUser":"","Safe":"PasswordManager_info","File":" ","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":" ","ExtraDetails":"ADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;","Message":"CPM Auto-detection End","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/327_cpm_auto_detection_end.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/327_cpm_auto_detection_end.log-expected.json new file mode 100644 index 00000000000..5c67acde9f2 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/327_cpm_auto_detection_end.log-expected.json 
@@ -0,0 +1,47 @@ +[ + { + "@timestamp": "2021-03-11T16:21:37.000Z", + "cyberarkpas.audit.action": "CPM Auto-detection End", + "cyberarkpas.audit.desc": "CPM Auto-detection End", + "cyberarkpas.audit.extra_details.ad_process_id": "2b2d3024-be5a-4b57-9f64-3813fb56e9b9", + "cyberarkpas.audit.extra_details.ad_process_name": "LDAP Based Windows Local Administrator Account Provisioning", + "cyberarkpas.audit.file": " ", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:21:37Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Auto-detection End", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:21:37\n 2021-03-11T16:21:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 327\n CPM Auto-detection End\n Info\n PasswordManager\n CPM Auto-detection End\n \n \n PasswordManager_info\n \n 10.0.1.20\n \n \n \n \n ADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;\n CPM Auto-detection End\n \n \n\n", + "cyberarkpas.audit.reason": " ", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PasswordManager_info", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 11 08:21:37", + "event.action": "cpm auto-detection end", + "event.code": "327", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": " ", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/32_add_owner.log b/x-pack/filebeat/module/cyberarkpas/audit/test/32_add_owner.log new file mode 100644 index 00000000000..6aee911c509 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/32_add_owner.log 
@@ -0,0 +1,16 @@
+<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Master","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Administrator","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Batch","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Operators","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Backup Users","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Auditors","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"DR Users","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Notification Engines","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:22Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:22","IsoTimestamp":"2021-03-10T09:11:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMPApp_localhost.localdomain","TargetUser":"","Safe":"PVWAConfig","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:23","IsoTimestamp":"2021-03-10T09:11:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMAppUsers","TargetUser":"","Safe":"PSMPLiveSessions","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:23","IsoTimestamp":"2021-03-10T09:11:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Vault Admins","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:23","IsoTimestamp":"2021-03-10T09:11:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PVWAAppUsers","TargetUser":"","Safe":"PSMPLiveSessions","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:36Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:36","IsoTimestamp":"2021-03-10T09:11:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PVWAGWAccounts","TargetUser":"","Safe":"PSMPADBUserProfile","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:37Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:37","IsoTimestamp":"2021-03-10T09:11:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add 
Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMP_ADB_localhost.localdomain","TargetUser":"","Safe":"PSMPADBridgeConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}} +<5>1 2021-03-10T09:11:38Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:38","IsoTimestamp":"2021-03-10T09:11:38Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMP_ADB_AppUsers","TargetUser":"","Safe":"PSMPADBridgeCustom","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}} +<5>1 2021-03-10T17:59:32Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:32","IsoTimestamp":"2021-03-10T17:59:32Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMApp_VAGRANT","TargetUser":"","Safe":"PVWAConfig","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/32_add_owner.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/32_add_owner.log-expected.json new file mode 100644 index 00000000000..67f6151c5f9 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/32_add_owner.log-expected.json 
@@ -0,0 +1,993 @@ +[ + { + "@timestamp": "2021-03-10T09:11:20.000Z", + "cyberarkpas.audit.action": "Add Owner", + "cyberarkpas.audit.desc": "Add Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:20Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPConf", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "Master", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:20", + "event.action": "add owner", + "event.category": [ + "iam" + ], + "event.code": "32", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "Master" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "Master" + }, + { + "@timestamp": "2021-03-10T09:11:20.000Z", + "cyberarkpas.audit.action": "Add Owner", + "cyberarkpas.audit.desc": "Add Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:20Z", + "cyberarkpas.audit.issuer": 
"Administrator", + "cyberarkpas.audit.message": "Add Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPConf", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "Administrator", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:20", + "event.action": "add owner", + "event.category": [ + "iam" + ], + "event.code": "32", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 568, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "Administrator" + }, + { + "@timestamp": "2021-03-10T09:11:20.000Z", + "cyberarkpas.audit.action": "Add Owner", + "cyberarkpas.audit.desc": "Add Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:20Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPConf", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "Batch", + 
"cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:20", + "event.action": "add owner", + "event.category": [ + "iam" + ], + "event.code": "32", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1143, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "Batch" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "Batch" + }, + { + "@timestamp": "2021-03-10T09:11:20.000Z", + "cyberarkpas.audit.action": "Add Owner", + "cyberarkpas.audit.desc": "Add Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:20Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPConf", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "Operators", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:20", + "event.action": "add owner", + "event.category": [ + "iam" + ], + "event.code": "32", + "event.dataset": "cyberarkpas.audit", + "event.kind": 
"event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1710, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "Operators" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "Operators" + }, + { + "@timestamp": "2021-03-10T09:11:20.000Z", + "cyberarkpas.audit.action": "Add Owner", + "cyberarkpas.audit.desc": "Add Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:20Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPConf", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "Backup Users", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:20", + "event.action": "add owner", + "event.category": [ + "iam" + ], + "event.code": "32", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": 
"log", + "log.offset": 2281, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "Backup Users" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "Backup Users" + }, + { + "@timestamp": "2021-03-10T09:11:20.000Z", + "cyberarkpas.audit.action": "Add Owner", + "cyberarkpas.audit.desc": "Add Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:20Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPConf", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "Auditors", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:20", + "event.action": "add owner", + "event.category": [ + "iam" + ], + "event.code": "32", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2855, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + 
"related.user": [ + "Administrator", + "Auditors" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "Auditors" + }, + { + "@timestamp": "2021-03-10T09:11:20.000Z", + "cyberarkpas.audit.action": "Add Owner", + "cyberarkpas.audit.desc": "Add Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:20Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPConf", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "DR Users", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:20", + "event.action": "add owner", + "event.category": [ + "iam" + ], + "event.code": "32", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 3425, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "DR Users" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", 
+ "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "DR Users" + }, + { + "@timestamp": "2021-03-10T09:11:20.000Z", + "cyberarkpas.audit.action": "Add Owner", + "cyberarkpas.audit.desc": "Add Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:20Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPConf", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "Notification Engines", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:20", + "event.action": "add owner", + "event.category": [ + "iam" + ], + "event.code": "32", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 3995, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "Notification Engines" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": 
"81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "Notification Engines" + }, + { + "@timestamp": "2021-03-10T09:11:22.000Z", + "cyberarkpas.audit.action": "Add Owner", + "cyberarkpas.audit.desc": "Add Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:22Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PVWAConfig", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMPApp_localhost.localdomain", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:22", + "event.action": "add owner", + "event.category": [ + "iam" + ], + "event.code": "32", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 4577, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "PSMPApp_localhost.localdomain" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "PSMPApp_localhost.localdomain" + }, + { + "@timestamp": 
"2021-03-10T09:11:23.000Z", + "cyberarkpas.audit.action": "Add Owner", + "cyberarkpas.audit.desc": "Add Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:23Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPLiveSessions", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMAppUsers", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:23", + "event.action": "add owner", + "event.category": [ + "iam" + ], + "event.code": "32", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 5170, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "PSMAppUsers" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "PSMAppUsers" + }, + { + "@timestamp": "2021-03-10T09:11:23.000Z", + "cyberarkpas.audit.action": "Add Owner", + "cyberarkpas.audit.desc": "Add Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:23Z", + "cyberarkpas.audit.issuer": "Administrator", + 
"cyberarkpas.audit.message": "Add Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPConf", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "Vault Admins", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:23", + "event.action": "add owner", + "event.category": [ + "iam" + ], + "event.code": "32", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 5751, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "Vault Admins" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "Vault Admins" + }, + { + "@timestamp": "2021-03-10T09:11:23.000Z", + "cyberarkpas.audit.action": "Add Owner", + "cyberarkpas.audit.desc": "Add Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:23Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPLiveSessions", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PVWAAppUsers", + 
"cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:23", + "event.action": "add owner", + "event.category": [ + "iam" + ], + "event.code": "32", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 6325, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "PVWAAppUsers" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "PVWAAppUsers" + }, + { + "@timestamp": "2021-03-10T09:11:36.000Z", + "cyberarkpas.audit.action": "Add Owner", + "cyberarkpas.audit.desc": "Add Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:36Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPADBUserProfile", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PVWAGWAccounts", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:36", + "event.action": "add owner", + "event.category": [ + "iam" + ], + "event.code": "32", + "event.dataset": 
"cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 6907, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "PVWAGWAccounts" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "PVWAGWAccounts" + }, + { + "@timestamp": "2021-03-10T09:11:37.000Z", + "cyberarkpas.audit.action": "Add Owner", + "cyberarkpas.audit.desc": "Add Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:37Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPADBridgeConf", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMP_ADB_localhost.localdomain", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:37", + "event.action": "add owner", + "event.category": [ + "iam" + ], + "event.code": "32", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" 
+ ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 7493, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "PSMP_ADB_localhost.localdomain" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "PSMP_ADB_localhost.localdomain" + }, + { + "@timestamp": "2021-03-10T09:11:38.000Z", + "cyberarkpas.audit.action": "Add Owner", + "cyberarkpas.audit.desc": "Add Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:38Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPADBridgeCustom", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMP_ADB_AppUsers", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:38", + "event.action": "add owner", + "event.category": [ + "iam" + ], + "event.code": "32", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 8093, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + 
"observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "PSMP_ADB_AppUsers" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "PSMP_ADB_AppUsers" + }, + { + "@timestamp": "2021-03-10T17:59:32.000Z", + "cyberarkpas.audit.action": "Add Owner", + "cyberarkpas.audit.desc": "Add Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T17:59:32Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Add Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PVWAConfig", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMApp_VAGRANT", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 09:59:32", + "event.action": "add owner", + "event.category": [ + "iam" + ], + "event.code": "32", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 8682, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "PSMApp_VAGRANT" + ], + 
"service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "PSMApp_VAGRANT" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/33_update_owner.log b/x-pack/filebeat/module/cyberarkpas/audit/test/33_update_owner.log new file mode 100644 index 00000000000..16ec40c4f3c --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/33_update_owner.log 
@@ -0,0 +1,7 @@
+<5>1 2021-03-10T18:16:49Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:49","IsoTimestamp":"2021-03-10T18:16:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PVWAAppUsers","TargetUser":"","Safe":"PSM","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}}
+<5>1 2021-03-10T18:16:50Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:50","IsoTimestamp":"2021-03-10T18:16:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PSMApp_VAGRANT","TargetUser":"","Safe":"PVWAConfig","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}}
+<5>1 2021-03-10T18:16:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:51","IsoTimestamp":"2021-03-10T18:16:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PSMAppUsers","TargetUser":"","Safe":"PSM","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}}
+<5>1 2021-03-10T18:16:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:51","IsoTimestamp":"2021-03-10T18:16:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PSMMaster","TargetUser":"","Safe":"PSM","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}}
+<5>1 2021-03-10T18:16:53Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:53","IsoTimestamp":"2021-03-10T18:16:53Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"Vault Admins","TargetUser":"","Safe":"PSMUniversalConnectors","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}}
+<5>1 2021-03-10T22:19:18Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:18","IsoTimestamp":"2021-03-10T22:19:18Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PVWAAppUsers","TargetUser":"","Safe":"PSM","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}}
+<5>1 2021-03-11T17:38:14Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:14\n 2021-03-11T17:38:14Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 33\n Update Owner\n Info\n PSMPApp_VAGRANT\n Update Owner\n Auditors\n \n PSMRecordings\n \n 81.32.170.205\n \n \n \n \n \n Update Owner\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:14","IsoTimestamp":"2021-03-11T17:38:14Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Update Owner","SourceUser":"Auditors","TargetUser":"","Safe":"PSMRecordings","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/33_update_owner.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/33_update_owner.log-expected.json
new file mode 100644
index 00000000000..e39878f6e40
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/33_update_owner.log-expected.json
@@ -0,0 +1,437 @@ +[ + { + "@timestamp": "2021-03-10T18:16:49.000Z", + "cyberarkpas.audit.action": "Update Owner", + "cyberarkpas.audit.desc": "Update Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T18:16:49Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Update Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PVWAAppUsers", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 10:16:49", + "event.action": "update owner", + "event.category": [ + "iam" + ], + "event.code": "33", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "PVWAAppUsers" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "PVWAAppUsers" + }, + { + "@timestamp": "2021-03-10T18:16:50.000Z", + "cyberarkpas.audit.action": "Update Owner", + "cyberarkpas.audit.desc": "Update Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T18:16:50Z", + 
"cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Update Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PVWAConfig", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMApp_VAGRANT", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 10:16:50", + "event.action": "update owner", + "event.category": [ + "iam" + ], + "event.code": "33", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 578, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "PSMApp_VAGRANT" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "PSMApp_VAGRANT" + }, + { + "@timestamp": "2021-03-10T18:16:51.000Z", + "cyberarkpas.audit.action": "Update Owner", + "cyberarkpas.audit.desc": "Update Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T18:16:51Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Update Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + 
"cyberarkpas.audit.source_user": "PSMAppUsers", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 10:16:51", + "event.action": "update owner", + "event.category": [ + "iam" + ], + "event.code": "33", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1165, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "PSMAppUsers" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "PSMAppUsers" + }, + { + "@timestamp": "2021-03-10T18:16:51.000Z", + "cyberarkpas.audit.action": "Update Owner", + "cyberarkpas.audit.desc": "Update Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T18:16:51Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Update Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PSMMaster", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 10:16:51", + "event.action": "update owner", + "event.category": [ + "iam" + ], + 
"event.code": "33", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1742, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "PSMMaster" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "PSMMaster" + }, + { + "@timestamp": "2021-03-10T18:16:53.000Z", + "cyberarkpas.audit.action": "Update Owner", + "cyberarkpas.audit.desc": "Update Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T18:16:53Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Update Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMUniversalConnectors", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "Vault Admins", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 10:16:53", + "event.action": "update owner", + "event.category": [ + "iam" + ], + "event.code": "33", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + 
"event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2317, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator", + "Vault Admins" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "Vault Admins" + }, + { + "@timestamp": "2021-03-10T22:19:18.000Z", + "cyberarkpas.audit.action": "Update Owner", + "cyberarkpas.audit.desc": "Update Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T22:19:18Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Update Owner", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "PVWAAppUsers", + "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.timestamp": "Mar 10 14:19:18", + "event.action": "update owner", + "event.category": [ + "iam" + ], + "event.code": "33", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2914, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": 
"Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "35.192.121.42" + ], + "related.user": [ + "Administrator", + "PVWAAppUsers" + ], + "service.type": "cyberarkpas", + "source.address": "35.192.121.42", + "source.geo.city_name": "Council Bluffs", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 41.2591, + "source.geo.location.lon": -95.8517, + "source.geo.region_iso_code": "US-IA", + "source.geo.region_name": "Iowa", + "source.ip": "35.192.121.42", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator", + "user.target.name": "PVWAAppUsers" + }, + { + "@timestamp": "2021-03-11T17:38:14.000Z", + "cyberarkpas.audit.action": "Update Owner", + "cyberarkpas.audit.desc": "Update Owner", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:38:14Z", + "cyberarkpas.audit.issuer": "PSMPApp_VAGRANT", + "cyberarkpas.audit.message": "Update Owner", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:14\n 2021-03-11T17:38:14Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 33\n Update Owner\n Info\n PSMPApp_VAGRANT\n Update Owner\n Auditors\n \n PSMRecordings\n \n 81.32.170.205\n \n \n \n \n \n Update Owner\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMRecordings", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.source_user": "Auditors", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 09:38:14", + "event.action": "update owner", + "event.category": [ + "iam" + ], + "event.code": "33", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "change" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 3492, + 
"log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "PSMPApp_VAGRANT", + "Auditors" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PSMPApp_VAGRANT", + "user.target.name": "Auditors" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/355_monitor_license_expiration_date_start.log b/x-pack/filebeat/module/cyberarkpas/audit/test/355_monitor_license_expiration_date_start.log new file mode 100644 index 00000000000..726201faa4d --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/355_monitor_license_expiration_date_start.log @@ -0,0 +1 @@ +<5>1 2021-03-09T10:17:54Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 02:17:54","IsoTimestamp":"2021-03-09T10:17:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"355","Desc":"Monitor License Expiration Date start","Severity":"Info","Issuer":"Batch","Action":"Monitor License Expiration Date start","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Monitor License Expiration Date start","GatewayStation":""}}} 
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/355_monitor_license_expiration_date_start.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/355_monitor_license_expiration_date_start.log-expected.json
new file mode 100644
index 00000000000..4cecbceb396
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/355_monitor_license_expiration_date_start.log-expected.json
@@ -0,0 +1,40 @@
+[
+ {
+ "@timestamp": "2021-03-09T10:17:54.000Z",
+ "cyberarkpas.audit.action": "Monitor License Expiration Date start",
+ "cyberarkpas.audit.desc": "Monitor License Expiration Date start",
+ "cyberarkpas.audit.iso_timestamp": "2021-03-09T10:17:54Z",
+ "cyberarkpas.audit.issuer": "Batch",
+ "cyberarkpas.audit.message": "Monitor License Expiration Date start",
+ "cyberarkpas.audit.rfc5424": true,
+ "cyberarkpas.audit.severity": "Info",
+ "cyberarkpas.audit.station": "0.0.0.0",
+ "cyberarkpas.audit.timestamp": "Mar 09 02:17:54",
+ "event.action": "monitor license expiration date start",
+ "event.code": "355",
+ "event.dataset": "cyberarkpas.audit",
+ "event.kind": "event",
+ "event.module": "cyberarkpas",
+ "event.severity": 2,
+ "event.timezone": "-02:00",
+ "fileset.name": "audit",
+ "host.name": "VAULT",
+ "input.type": "log",
+ "log.offset": 0,
+ "log.syslog.priority": "5",
+ "observer.hostname": "VAULT",
+ "observer.product": "Vault",
+ "observer.vendor": "Cyber-Ark",
+ "observer.version": "11.7.0000",
+ "related.ip": [
+ "0.0.0.0"
+ ],
+ "service.type": "cyberarkpas",
+ "source.address": "0.0.0.0",
+ "source.ip": "0.0.0.0",
+ "tags": [
+ "cyberarkpas.audit",
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/356_monitor_license_expiration_date_end.log b/x-pack/filebeat/module/cyberarkpas/audit/test/356_monitor_license_expiration_date_end.log
new file mode 100644
index 00000000000..a5ed2fa3bef
--- /dev/null
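Review bot: `source.ip` and `related.ip` are populated with `0.0.0.0` here, copied verbatim from the `Station` field of a batch-issued record that has no client station; indexing that placeholder into `related.ip` means any correlation on that field across the dataset will match every batch event, and the 356, 357 and 358 expected files in this change show the same. Unless something downstream relies on the placeholder, consider leaving `cyberarkpas.audit.station` as-is but skipping the copy into `source.ip`/`related.ip` when it equals `0.0.0.0`, for example with a condition on the set processor such as `if: ctx.cyberarkpas?.audit?.station != null && ctx.cyberarkpas.audit.station != '0.0.0.0'`; the pipeline itself is not in this hunk, so the exact processor to guard needs confirming.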
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/356_monitor_license_expiration_date_end.log
@@ -0,0 +1 @@
+<5>1 2021-03-09T10:17:54Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 02:17:54","IsoTimestamp":"2021-03-09T10:17:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"356","Desc":"Monitor License Expiration Date end","Severity":"Info","Issuer":"Batch","Action":"Monitor License Expiration Date end","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Monitor License Expiration Date end","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/356_monitor_license_expiration_date_end.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/356_monitor_license_expiration_date_end.log-expected.json
new file mode 100644
index 00000000000..181d9a733e7
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/356_monitor_license_expiration_date_end.log-expected.json
@@ -0,0 +1,40 @@
+[
+ {
+ "@timestamp": "2021-03-09T10:17:54.000Z",
+ "cyberarkpas.audit.action": "Monitor License Expiration Date end",
+ "cyberarkpas.audit.desc": "Monitor License Expiration Date end",
+ "cyberarkpas.audit.iso_timestamp": "2021-03-09T10:17:54Z",
+ "cyberarkpas.audit.issuer": "Batch",
+ "cyberarkpas.audit.message": "Monitor License Expiration Date end",
+ "cyberarkpas.audit.rfc5424": true,
+ "cyberarkpas.audit.severity": "Info",
+ "cyberarkpas.audit.station": "0.0.0.0",
+ "cyberarkpas.audit.timestamp": "Mar 09 02:17:54",
+ "event.action": "monitor license expiration date end",
+ "event.code": "356",
+ "event.dataset": "cyberarkpas.audit",
+ "event.kind": "event",
+ "event.module": "cyberarkpas",
+ "event.severity": 2,
+ "event.timezone": "-02:00",
+ "fileset.name": "audit",
+ "host.name": "VAULT",
+ "input.type": "log",
+ "log.offset": 0,
+ "log.syslog.priority": "5",
+ "observer.hostname": "VAULT",
+ "observer.product": "Vault",
+ "observer.vendor": "Cyber-Ark",
+ "observer.version": "11.7.0000",
+ "related.ip": [
+ "0.0.0.0"
+ ],
+ "service.type": "cyberarkpas",
+ "source.address": "0.0.0.0",
+ "source.ip": "0.0.0.0",
+ "tags": [
+ "cyberarkpas.audit",
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/357_monitor_fw_rules_start.log b/x-pack/filebeat/module/cyberarkpas/audit/test/357_monitor_fw_rules_start.log
new file mode 100644
index 00000000000..50743ea86e7
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/357_monitor_fw_rules_start.log
@@ -0,0 +1,2 @@
+<5>1 2021-03-04T19:10:01Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:10:01","IsoTimestamp":"2021-03-04T19:10:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"357","Desc":"Monitor FW rules start","Severity":"Info","Issuer":"Batch","Action":"Monitor FW rules start","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Monitor FW rules start","GatewayStation":""}}}
+Mar 08 02:32:56 VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"357","Desc":"Monitor FW rules start","Severity":"Info","Issuer":"Batch","Action":"Monitor FW rules start","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Monitor FW rules start","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/357_monitor_fw_rules_start.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/357_monitor_fw_rules_start.log-expected.json
new file mode 100644
index 00000000000..a3b04bd34cf
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/357_monitor_fw_rules_start.log-expected.json
@@ -0,0 +1,75 @@
+[
+ {
+ "@timestamp": "2021-03-04T19:10:01.000Z",
+ "cyberarkpas.audit.action": "Monitor FW rules start",
+ "cyberarkpas.audit.desc": "Monitor FW rules start",
+ "cyberarkpas.audit.iso_timestamp": "2021-03-04T19:10:01Z",
+ "cyberarkpas.audit.issuer": "Batch",
+ "cyberarkpas.audit.message": "Monitor FW rules start",
+ "cyberarkpas.audit.rfc5424": true,
+ "cyberarkpas.audit.severity": "Info",
+ "cyberarkpas.audit.station": "0.0.0.0",
+ "cyberarkpas.audit.timestamp": "Mar 04 11:10:01",
+ "event.action": "monitor fw rules start",
+ "event.code": "357",
+ "event.dataset": "cyberarkpas.audit",
+ "event.kind": "event",
+ "event.module": "cyberarkpas",
+ "event.severity": 2,
+ "event.timezone": "-02:00",
+ "fileset.name": "audit",
+ "host.name": "VAULT",
+ "input.type": "log",
+ "log.offset": 0,
+ "log.syslog.priority": "5",
+ "observer.hostname": "VAULT",
+ "observer.product": "Vault",
+ "observer.vendor": "Cyber-Ark",
+ "observer.version": "11.7.0000",
+ "related.ip": [
+ "0.0.0.0"
+ ],
+ "service.type": "cyberarkpas",
+ "source.address": "0.0.0.0",
+ "source.ip": "0.0.0.0",
+ "tags": [
+ "cyberarkpas.audit",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2021-03-08T02:32:56.000-02:00",
+ "cyberarkpas.audit.action": "Monitor FW rules start",
+ "cyberarkpas.audit.desc": "Monitor FW rules start",
+ "cyberarkpas.audit.issuer": "Batch",
+ "cyberarkpas.audit.message": "Monitor FW rules start",
+ "cyberarkpas.audit.rfc5424": false,
+ "cyberarkpas.audit.severity": "Info",
+ "cyberarkpas.audit.station": "0.0.0.0",
+ "event.action": "monitor fw rules start",
+ "event.code": "357",
+ "event.dataset": "cyberarkpas.audit",
+ "event.kind": "event",
+ "event.module": "cyberarkpas",
+ "event.severity": 2,
+ "event.timezone": "-02:00",
+ "fileset.name": "audit",
+ "host.name": "VAULT",
+ "input.type": "log",
+ "log.offset": 580,
+ "observer.hostname": "VAULT",
+ "observer.product": "Vault",
+ "observer.vendor": "Cyber-Ark",
+ "observer.version": "11.7.0000",
+ "related.ip": [
+ "0.0.0.0"
+ ],
+ "service.type": "cyberarkpas",
+ "source.address": "0.0.0.0",
+ "source.ip": "0.0.0.0",
+ "tags": [
+ "cyberarkpas.audit",
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/358_monitor_fw_rules_end.log b/x-pack/filebeat/module/cyberarkpas/audit/test/358_monitor_fw_rules_end.log
new file mode 100644
index 00000000000..cbda469d1fc
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/358_monitor_fw_rules_end.log
@@ -0,0 +1,2 @@
+<5>1 2021-03-04T19:10:01Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:10:01","IsoTimestamp":"2021-03-04T19:10:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"358","Desc":"Monitor FW Rules end","Severity":"Info","Issuer":"Batch","Action":"Monitor FW Rules end","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Monitor FW Rules end","GatewayStation":""}}}
+Mar 08 02:32:56 VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"358","Desc":"Monitor FW Rules end","Severity":"Info","Issuer":"Batch","Action":"Monitor FW Rules end","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Monitor FW Rules end","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/358_monitor_fw_rules_end.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/358_monitor_fw_rules_end.log-expected.json
new file mode 100644
index 00000000000..a5af60dcea0
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/358_monitor_fw_rules_end.log-expected.json
@@ -0,0 +1,75 @@
+[
+ {
+ "@timestamp": "2021-03-04T19:10:01.000Z",
+ "cyberarkpas.audit.action": "Monitor FW Rules end",
+ "cyberarkpas.audit.desc": "Monitor FW Rules end",
+ "cyberarkpas.audit.iso_timestamp": "2021-03-04T19:10:01Z",
+ "cyberarkpas.audit.issuer": "Batch",
+ "cyberarkpas.audit.message": "Monitor FW Rules end",
+ "cyberarkpas.audit.rfc5424": true,
+ "cyberarkpas.audit.severity": "Info",
+ "cyberarkpas.audit.station": "0.0.0.0",
+ "cyberarkpas.audit.timestamp": "Mar 04 11:10:01",
+ "event.action": "monitor fw rules end",
+ "event.code": "358",
+ "event.dataset": "cyberarkpas.audit",
+ "event.kind": "event",
+ "event.module": "cyberarkpas",
+ "event.severity": 2,
+ "event.timezone": "-02:00",
+ "fileset.name": "audit",
+ "host.name": "VAULT",
+ "input.type": "log",
+ "log.offset": 0,
+ "log.syslog.priority": "5",
+ "observer.hostname": "VAULT",
+ "observer.product": "Vault",
+ "observer.vendor": "Cyber-Ark",
+ "observer.version": "11.7.0000",
+ "related.ip": [
+ "0.0.0.0"
+ ],
+ "service.type": "cyberarkpas",
+ "source.address": "0.0.0.0",
+ "source.ip": "0.0.0.0",
+ "tags": [
+ "cyberarkpas.audit",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2021-03-08T02:32:56.000-02:00",
+ "cyberarkpas.audit.action": "Monitor FW Rules end",
+ "cyberarkpas.audit.desc": "Monitor FW Rules end",
+ "cyberarkpas.audit.issuer": "Batch",
+ "cyberarkpas.audit.message": "Monitor FW Rules end",
+ "cyberarkpas.audit.rfc5424": false,
+ "cyberarkpas.audit.severity": "Info",
+ "cyberarkpas.audit.station": "0.0.0.0",
+ "event.action": "monitor fw rules end",
+ "event.code": "358",
+ "event.dataset": "cyberarkpas.audit",
+ "event.kind": "event",
+ "event.module": "cyberarkpas",
+ "event.severity": 2,
+ "event.timezone": "-02:00",
+ "fileset.name": "audit",
+ "host.name": "VAULT",
+ "input.type": "log",
+ "log.offset": 574,
+ "observer.hostname": "VAULT",
+ "observer.product": "Vault",
+ "observer.vendor": "Cyber-Ark",
+ "observer.version": "11.7.0000",
+ "related.ip": [
+ "0.0.0.0"
+ ],
+ "service.type": "cyberarkpas",
+ "source.address": "0.0.0.0",
+ "source.ip": "0.0.0.0",
+ "tags": [
+ "cyberarkpas.audit",
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/359_sql_command.log b/x-pack/filebeat/module/cyberarkpas/audit/test/359_sql_command.log
new file mode 100644
index 00000000000..3006cd28bbd
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/359_sql_command.log
@@ -0,0 +1,10 @@ +<5>1 2021-03-25T14:56:44Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 10:56:44\n 2021-03-25T14:56:44Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT USER FROM DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=69B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 10:56:44","IsoTimestamp":"2021-03-25T14:56:44Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"359","Desc":"SQL Command","Severity":"Info","Issuer":"Administrator","Action":"SQL Command","SourceUser":"","TargetUser":"","Safe":"Oracle","File":"Root\\Database-Oracle-oracle.cybr.com-HR","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=SELECT USER FROM DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=69B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;","Message":"SQL Command","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"Oracle"},{"Name":"UserName","Value":"HR"},{"Name":"Address","Value":"oracle.cybr.com"},{"Name":"Database","Value":"XE"},{"Name":"DeviceType","Value":"Database"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1616580248"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Port","Value":"1521"},{"Name":"LastSuccessChange","Value":"1616011984"},{"Name":"Tags","Value":"Oracle;DB"},{"Name":"Privcloud","Value":"privcloud"}]}}}} +<5>1 
2021-03-25T14:56:44Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 10:56:44\n 2021-03-25T14:56:44Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=BEGIN DBMS_OUTPUT.DISABLE\\; END\\;;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=123B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 10:56:44","IsoTimestamp":"2021-03-25T14:56:44Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"359","Desc":"SQL Command","Severity":"Info","Issuer":"Administrator","Action":"SQL Command","SourceUser":"","TargetUser":"","Safe":"Oracle","File":"Root\\Database-Oracle-oracle.cybr.com-HR","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=BEGIN DBMS_OUTPUT.DISABLE\\; END\\;;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=123B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;","Message":"SQL Command","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"Oracle"},{"Name":"UserName","Value":"HR"},{"Name":"Address","Value":"oracle.cybr.com"},{"Name":"Database","Value":"XE"},{"Name":"DeviceType","Value":"Database"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1616580248"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Port","Value":"1521"},{"Name":"LastSuccessChange","Value":"1616011984"},{"Name":"Tags","Value":"Oracle;DB"},{"Name":"Privcloud","Value":"privcloud"}]}}}} 
+<5>1 2021-03-25T14:56:44Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 10:56:44\n 2021-03-25T14:56:44Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT ATTRIBUTE,SCOPE,NUMERIC_VALUE,CHAR_VALUE,DATE_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND (UPPER(USER) LIKE USERID);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=187B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 10:56:44","IsoTimestamp":"2021-03-25T14:56:44Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"359","Desc":"SQL Command","Severity":"Info","Issuer":"Administrator","Action":"SQL Command","SourceUser":"","TargetUser":"","Safe":"Oracle","File":"Root\\Database-Oracle-oracle.cybr.com-HR","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=SELECT ATTRIBUTE,SCOPE,NUMERIC_VALUE,CHAR_VALUE,DATE_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND (UPPER(USER) LIKE USERID);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=187B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;","Message":"SQL 
Command","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"Oracle"},{"Name":"UserName","Value":"HR"},{"Name":"Address","Value":"oracle.cybr.com"},{"Name":"Database","Value":"XE"},{"Name":"DeviceType","Value":"Database"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1616580248"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Port","Value":"1521"},{"Name":"LastSuccessChange","Value":"1616011984"},{"Name":"Tags","Value":"Oracle;DB"},{"Name":"Privcloud","Value":"privcloud"}]}}}} +<5>1 2021-03-25T14:56:44Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 10:56:44\n 2021-03-25T14:56:44Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT CHAR_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND ((UPPER(USER) LIKE USERID) OR (USERID \\= 'PUBLIC')) AND (UPPER(ATTRIBUTE) \\= 'ROLES');ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=380B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 10:56:44","IsoTimestamp":"2021-03-25T14:56:44Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"359","Desc":"SQL Command","Severity":"Info","Issuer":"Administrator","Action":"SQL Command","SourceUser":"","TargetUser":"","Safe":"Oracle","File":"Root\\Database-Oracle-oracle.cybr.com-HR","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=SELECT CHAR_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND 
((UPPER(USER) LIKE USERID) OR (USERID \\= 'PUBLIC')) AND (UPPER(ATTRIBUTE) \\= 'ROLES');ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=380B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;","Message":"SQL Command","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"Oracle"},{"Name":"UserName","Value":"HR"},{"Name":"Address","Value":"oracle.cybr.com"},{"Name":"Database","Value":"XE"},{"Name":"DeviceType","Value":"Database"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1616580248"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Port","Value":"1521"},{"Name":"LastSuccessChange","Value":"1616011984"},{"Name":"Tags","Value":"Oracle;DB"},{"Name":"Privcloud","Value":"privcloud"}]}}}} +<5>1 2021-03-25T14:56:44Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 10:56:44\n 2021-03-25T14:56:44Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=BEGIN DBMS_APPLICATION_INFO.SET_MODULE(:1,NULL)\\; END\\; (Parameters bound by position: 1\\=[SQL*Plus]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=596B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 10:56:44","IsoTimestamp":"2021-03-25T14:56:44Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"359","Desc":"SQL Command","Severity":"Info","Issuer":"Administrator","Action":"SQL 
Command","SourceUser":"","TargetUser":"","Safe":"Oracle","File":"Root\\Database-Oracle-oracle.cybr.com-HR","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=BEGIN DBMS_APPLICATION_INFO.SET_MODULE(:1,NULL)\\; END\\; (Parameters bound by position: 1\\=[SQL*Plus]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=596B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;","Message":"SQL Command","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"Oracle"},{"Name":"UserName","Value":"HR"},{"Name":"Address","Value":"oracle.cybr.com"},{"Name":"Database","Value":"XE"},{"Name":"DeviceType","Value":"Database"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1616580248"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Port","Value":"1521"},{"Name":"LastSuccessChange","Value":"1616011984"},{"Name":"Tags","Value":"Oracle;DB"},{"Name":"Privcloud","Value":"privcloud"}]}}}} +<5>1 2021-03-25T14:56:45Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 10:56:45\n 2021-03-25T14:56:45Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT DECODE('A','A','1','2') FROM DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=727B;SrcHost=127.0.0.1;User=HR;VIDOffset=5T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 
10:56:45","IsoTimestamp":"2021-03-25T14:56:45Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"359","Desc":"SQL Command","Severity":"Info","Issuer":"Administrator","Action":"SQL Command","SourceUser":"","TargetUser":"","Safe":"Oracle","File":"Root\\Database-Oracle-oracle.cybr.com-HR","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=SELECT DECODE('A','A','1','2') FROM DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=727B;SrcHost=127.0.0.1;User=HR;VIDOffset=5T;","Message":"SQL Command","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"Oracle"},{"Name":"UserName","Value":"HR"},{"Name":"Address","Value":"oracle.cybr.com"},{"Name":"Database","Value":"XE"},{"Name":"DeviceType","Value":"Database"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1616580248"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Port","Value":"1521"},{"Name":"LastSuccessChange","Value":"1616011984"},{"Name":"Tags","Value":"Oracle;DB"},{"Name":"Privcloud","Value":"privcloud"}]}}}} +<5>1 2021-03-25T14:56:54Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 10:56:54\n 2021-03-25T14:56:54Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT INFO FROM SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\=[HELP]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=800B;SrcHost=127.0.0.1;User=HR;VIDOffset=14T;\n SQL Command\n \n \n \n \n \n \n \n \n 
\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 10:56:54","IsoTimestamp":"2021-03-25T14:56:54Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"359","Desc":"SQL Command","Severity":"Info","Issuer":"Administrator","Action":"SQL Command","SourceUser":"","TargetUser":"","Safe":"Oracle","File":"Root\\Database-Oracle-oracle.cybr.com-HR","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=SELECT INFO FROM SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\=[HELP]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=800B;SrcHost=127.0.0.1;User=HR;VIDOffset=14T;","Message":"SQL Command","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"Oracle"},{"Name":"UserName","Value":"HR"},{"Name":"Address","Value":"oracle.cybr.com"},{"Name":"Database","Value":"XE"},{"Name":"DeviceType","Value":"Database"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1616580248"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Port","Value":"1521"},{"Name":"LastSuccessChange","Value":"1616011984"},{"Name":"Tags","Value":"Oracle;DB"},{"Name":"Privcloud","Value":"privcloud"}]}}}} +<5>1 2021-03-25T14:58:02Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 10:58:02\n 2021-03-25T14:58:02Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT * FROM 
DBA_USERS;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1097B;SrcHost=127.0.0.1;User=HR;VIDOffset=82T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 10:58:02","IsoTimestamp":"2021-03-25T14:58:02Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"359","Desc":"SQL Command","Severity":"Info","Issuer":"Administrator","Action":"SQL Command","SourceUser":"","TargetUser":"","Safe":"Oracle","File":"Root\\Database-Oracle-oracle.cybr.com-HR","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=SELECT * FROM DBA_USERS;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1097B;SrcHost=127.0.0.1;User=HR;VIDOffset=82T;","Message":"SQL Command","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"Oracle"},{"Name":"UserName","Value":"HR"},{"Name":"Address","Value":"oracle.cybr.com"},{"Name":"Database","Value":"XE"},{"Name":"DeviceType","Value":"Database"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1616580248"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Port","Value":"1521"},{"Name":"LastSuccessChange","Value":"1616011984"},{"Name":"Tags","Value":"Oracle;DB"},{"Name":"Privcloud","Value":"privcloud"}]}}}} +<5>1 2021-03-25T14:57:05Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 10:57:05\n 2021-03-25T14:57:05Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT INFO FROM 
SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\=[SHOW%]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=948B;SrcHost=127.0.0.1;User=HR;VIDOffset=25T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 10:57:05","IsoTimestamp":"2021-03-25T14:57:05Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"359","Desc":"SQL Command","Severity":"Info","Issuer":"Administrator","Action":"SQL Command","SourceUser":"","TargetUser":"","Safe":"Oracle","File":"Root\\Database-Oracle-oracle.cybr.com-HR","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=SELECT INFO FROM SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\=[SHOW%]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=948B;SrcHost=127.0.0.1;User=HR;VIDOffset=25T;","Message":"SQL Command","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"Oracle"},{"Name":"UserName","Value":"HR"},{"Name":"Address","Value":"oracle.cybr.com"},{"Name":"Database","Value":"XE"},{"Name":"DeviceType","Value":"Database"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1616580248"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Port","Value":"1521"},{"Name":"LastSuccessChange","Value":"1616011984"},{"Name":"Tags","Value":"Oracle;DB"},{"Name":"Privcloud","Value":"privcloud"}]}}}} +<5>1 2021-03-25T14:58:44Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 10:58:44\n 2021-03-25T14:58:44Z\n VLT01\n Cyber-Ark\n Vault\n 
12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=select distinct owner from all_objects;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1153B;SrcHost=127.0.0.1;User=HR;VIDOffset=124T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 10:58:44","IsoTimestamp":"2021-03-25T14:58:44Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"359","Desc":"SQL Command","Severity":"Info","Issuer":"Administrator","Action":"SQL Command","SourceUser":"","TargetUser":"","Safe":"Oracle","File":"Root\\Database-Oracle-oracle.cybr.com-HR","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=select distinct owner from all_objects;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1153B;SrcHost=127.0.0.1;User=HR;VIDOffset=124T;","Message":"SQL Command","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"Oracle"},{"Name":"UserName","Value":"HR"},{"Name":"Address","Value":"oracle.cybr.com"},{"Name":"Database","Value":"XE"},{"Name":"DeviceType","Value":"Database"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1616580248"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Port","Value":"1521"},{"Name":"LastSuccessChange","Value":"1616011984"},{"Name":"Tags","Value":"Oracle;DB"},{"Name":"Privcloud","Value":"privcloud"}]}}}} 
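Review bot: The `Command=` values in this fixture embed the ExtraDetails delimiters with backslash escapes (`BEGIN DBMS_OUTPUT.DISABLE\; END\;`, `USERID \= 'PUBLIC'`, `1\=[SQL*Plus]`), and the expected output later in this diff appears to keep those backslashes in `cyberarkpas.audit.extra_details.command`, so the indexed field is not the SQL text that actually ran against the target. Detection content matching on the statement (`DBA_USERS`, `PRODUCT_PRIVS`, any `WHERE col = value`) would have to match the escaped form; if that is not intended, a `gsub` on `extra_details.command` replacing `\;` with `;` and `\=` with `=` after the kv split would restore the original statement. The pipeline itself is outside this hunk, so this is inferred from the fixture and the expected JSON only. The records are also not in chronological order (`14:58:02` precedes `14:57:05`), which is fine for a parser test but means this file should not be read as a sequencing example.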
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/359_sql_command.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/359_sql_command.log-expected.json new file mode 100644 index 00000000000..aae4123d3cb --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/359_sql_command.log-expected.json 
@@ -0,0 +1,852 @@ +[ + { + "@timestamp": "2021-03-25T14:56:44.000Z", + "cyberarkpas.audit.action": "SQL Command", + "cyberarkpas.audit.ca_properties.address": "oracle.cybr.com", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.database": "XE", + "cyberarkpas.audit.ca_properties.device_type": "Database", + "cyberarkpas.audit.ca_properties.last_success_change": "1616011984", + "cyberarkpas.audit.ca_properties.last_success_verification": "1616580248", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "Oracle", + "cyberarkpas.audit.ca_properties.port": "1521", + "cyberarkpas.audit.ca_properties.privcloud": "privcloud", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.tags": "Oracle;DB", + "cyberarkpas.audit.ca_properties.user_name": "HR", + "cyberarkpas.audit.desc": "SQL Command", + "cyberarkpas.audit.extra_details.command": "SELECT USER FROM DUAL", + "cyberarkpas.audit.extra_details.connection_component_id": "PSM-SQLPlus", + "cyberarkpas.audit.extra_details.data_base": "XE", + "cyberarkpas.audit.extra_details.dst_host": "oracle.cybr.com", + "cyberarkpas.audit.extra_details.protocol": "SQLNet", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "0887c643-42f2-4a4f-806e-58c1689de0e6", + "cyberarkpas.audit.extra_details.sql_offset": "69B", + "cyberarkpas.audit.extra_details.src_host": "127.0.0.1", + "cyberarkpas.audit.extra_details.user": "HR", + "cyberarkpas.audit.extra_details.vid_offset": "4T", + "cyberarkpas.audit.file": "Root\\Database-Oracle-oracle.cybr.com-HR", + "cyberarkpas.audit.iso_timestamp": "2021-03-25T14:56:44Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "SQL Command", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 10:56:44\n 2021-03-25T14:56:44Z\n VLT01\n 
Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT USER FROM DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=69B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Oracle", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.0.15", + "cyberarkpas.audit.timestamp": "Mar 25 10:56:44", + "destination.address": "oracle.cybr.com", + "destination.domain": "oracle.cybr.com", + "destination.user.name": "HR", + "event.action": "sql command", + "event.category": [ + "database" + ], + "event.code": "359", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "access" + ], + "file.path": "Root\\Database-Oracle-oracle.cybr.com-HR", + "fileset.name": "audit", + "host.name": "VLT01", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "network.application": "sqlnet", + "observer.hostname": "VLT01", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "12.0.0000", + "related.ip": [ + "127.0.0.1", + "10.0.0.15" + ], + "related.user": [ + "Administrator", + "HR" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-25T14:56:44.000Z", + "cyberarkpas.audit.action": "SQL Command", + "cyberarkpas.audit.ca_properties.address": "oracle.cybr.com", + "cyberarkpas.audit.ca_properties.cpm_status": 
"success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.database": "XE", + "cyberarkpas.audit.ca_properties.device_type": "Database", + "cyberarkpas.audit.ca_properties.last_success_change": "1616011984", + "cyberarkpas.audit.ca_properties.last_success_verification": "1616580248", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "Oracle", + "cyberarkpas.audit.ca_properties.port": "1521", + "cyberarkpas.audit.ca_properties.privcloud": "privcloud", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.tags": "Oracle;DB", + "cyberarkpas.audit.ca_properties.user_name": "HR", + "cyberarkpas.audit.desc": "SQL Command", + "cyberarkpas.audit.extra_details.command": "BEGIN DBMS_OUTPUT.DISABLE\\; END\\;", + "cyberarkpas.audit.extra_details.connection_component_id": "PSM-SQLPlus", + "cyberarkpas.audit.extra_details.data_base": "XE", + "cyberarkpas.audit.extra_details.dst_host": "oracle.cybr.com", + "cyberarkpas.audit.extra_details.protocol": "SQLNet", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "0887c643-42f2-4a4f-806e-58c1689de0e6", + "cyberarkpas.audit.extra_details.sql_offset": "123B", + "cyberarkpas.audit.extra_details.src_host": "127.0.0.1", + "cyberarkpas.audit.extra_details.user": "HR", + "cyberarkpas.audit.extra_details.vid_offset": "4T", + "cyberarkpas.audit.file": "Root\\Database-Oracle-oracle.cybr.com-HR", + "cyberarkpas.audit.iso_timestamp": "2021-03-25T14:56:44Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "SQL Command", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 10:56:44\n 2021-03-25T14:56:44Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=BEGIN DBMS_OUTPUT.DISABLE\\; 
END\\;;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=123B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Oracle", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.0.15", + "cyberarkpas.audit.timestamp": "Mar 25 10:56:44", + "destination.address": "oracle.cybr.com", + "destination.domain": "oracle.cybr.com", + "destination.user.name": "HR", + "event.action": "sql command", + "event.category": [ + "database" + ], + "event.code": "359", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "access" + ], + "file.path": "Root\\Database-Oracle-oracle.cybr.com-HR", + "fileset.name": "audit", + "host.name": "VLT01", + "input.type": "log", + "log.offset": 3579, + "log.syslog.priority": "5", + "network.application": "sqlnet", + "observer.hostname": "VLT01", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "12.0.0000", + "related.ip": [ + "127.0.0.1", + "10.0.0.15" + ], + "related.user": [ + "Administrator", + "HR" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-25T14:56:44.000Z", + "cyberarkpas.audit.action": "SQL Command", + "cyberarkpas.audit.ca_properties.address": "oracle.cybr.com", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.database": "XE", + "cyberarkpas.audit.ca_properties.device_type": "Database", + 
"cyberarkpas.audit.ca_properties.last_success_change": "1616011984", + "cyberarkpas.audit.ca_properties.last_success_verification": "1616580248", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "Oracle", + "cyberarkpas.audit.ca_properties.port": "1521", + "cyberarkpas.audit.ca_properties.privcloud": "privcloud", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.tags": "Oracle;DB", + "cyberarkpas.audit.ca_properties.user_name": "HR", + "cyberarkpas.audit.desc": "SQL Command", + "cyberarkpas.audit.extra_details.command": "SELECT ATTRIBUTE,SCOPE,NUMERIC_VALUE,CHAR_VALUE,DATE_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND (UPPER(USER) LIKE USERID)", + "cyberarkpas.audit.extra_details.connection_component_id": "PSM-SQLPlus", + "cyberarkpas.audit.extra_details.data_base": "XE", + "cyberarkpas.audit.extra_details.dst_host": "oracle.cybr.com", + "cyberarkpas.audit.extra_details.protocol": "SQLNet", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "0887c643-42f2-4a4f-806e-58c1689de0e6", + "cyberarkpas.audit.extra_details.sql_offset": "187B", + "cyberarkpas.audit.extra_details.src_host": "127.0.0.1", + "cyberarkpas.audit.extra_details.user": "HR", + "cyberarkpas.audit.extra_details.vid_offset": "4T", + "cyberarkpas.audit.file": "Root\\Database-Oracle-oracle.cybr.com-HR", + "cyberarkpas.audit.iso_timestamp": "2021-03-25T14:56:44Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "SQL Command", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 10:56:44\n 2021-03-25T14:56:44Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT ATTRIBUTE,SCOPE,NUMERIC_VALUE,CHAR_VALUE,DATE_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE 
(UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND (UPPER(USER) LIKE USERID);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=187B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Oracle", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.0.15", + "cyberarkpas.audit.timestamp": "Mar 25 10:56:44", + "destination.address": "oracle.cybr.com", + "destination.domain": "oracle.cybr.com", + "destination.user.name": "HR", + "event.action": "sql command", + "event.category": [ + "database" + ], + "event.code": "359", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "access" + ], + "file.path": "Root\\Database-Oracle-oracle.cybr.com-HR", + "fileset.name": "audit", + "host.name": "VLT01", + "input.type": "log", + "log.offset": 7188, + "log.syslog.priority": "5", + "network.application": "sqlnet", + "observer.hostname": "VLT01", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "12.0.0000", + "related.ip": [ + "127.0.0.1", + "10.0.0.15" + ], + "related.user": [ + "Administrator", + "HR" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-25T14:56:44.000Z", + "cyberarkpas.audit.action": "SQL Command", + "cyberarkpas.audit.ca_properties.address": "oracle.cybr.com", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.database": "XE", + 
"cyberarkpas.audit.ca_properties.device_type": "Database", + "cyberarkpas.audit.ca_properties.last_success_change": "1616011984", + "cyberarkpas.audit.ca_properties.last_success_verification": "1616580248", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "Oracle", + "cyberarkpas.audit.ca_properties.port": "1521", + "cyberarkpas.audit.ca_properties.privcloud": "privcloud", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.tags": "Oracle;DB", + "cyberarkpas.audit.ca_properties.user_name": "HR", + "cyberarkpas.audit.desc": "SQL Command", + "cyberarkpas.audit.extra_details.command": "SELECT CHAR_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND ((UPPER(USER) LIKE USERID) OR (USERID \\= 'PUBLIC')) AND (UPPER(ATTRIBUTE) \\= 'ROLES')", + "cyberarkpas.audit.extra_details.connection_component_id": "PSM-SQLPlus", + "cyberarkpas.audit.extra_details.data_base": "XE", + "cyberarkpas.audit.extra_details.dst_host": "oracle.cybr.com", + "cyberarkpas.audit.extra_details.protocol": "SQLNet", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "0887c643-42f2-4a4f-806e-58c1689de0e6", + "cyberarkpas.audit.extra_details.sql_offset": "380B", + "cyberarkpas.audit.extra_details.src_host": "127.0.0.1", + "cyberarkpas.audit.extra_details.user": "HR", + "cyberarkpas.audit.extra_details.vid_offset": "4T", + "cyberarkpas.audit.file": "Root\\Database-Oracle-oracle.cybr.com-HR", + "cyberarkpas.audit.iso_timestamp": "2021-03-25T14:56:44Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "SQL Command", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 10:56:44\n 2021-03-25T14:56:44Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT CHAR_VALUE 
FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND ((UPPER(USER) LIKE USERID) OR (USERID \\= 'PUBLIC')) AND (UPPER(ATTRIBUTE) \\= 'ROLES');ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=380B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Oracle", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.0.15", + "cyberarkpas.audit.timestamp": "Mar 25 10:56:44", + "destination.address": "oracle.cybr.com", + "destination.domain": "oracle.cybr.com", + "destination.user.name": "HR", + "event.action": "sql command", + "event.category": [ + "database" + ], + "event.code": "359", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "access" + ], + "file.path": "Root\\Database-Oracle-oracle.cybr.com-HR", + "fileset.name": "audit", + "host.name": "VLT01", + "input.type": "log", + "log.offset": 11047, + "log.syslog.priority": "5", + "network.application": "sqlnet", + "observer.hostname": "VLT01", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "12.0.0000", + "related.ip": [ + "127.0.0.1", + "10.0.0.15" + ], + "related.user": [ + "Administrator", + "HR" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-25T14:56:44.000Z", + "cyberarkpas.audit.action": "SQL Command", + "cyberarkpas.audit.ca_properties.address": "oracle.cybr.com", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + 
"cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.database": "XE", + "cyberarkpas.audit.ca_properties.device_type": "Database", + "cyberarkpas.audit.ca_properties.last_success_change": "1616011984", + "cyberarkpas.audit.ca_properties.last_success_verification": "1616580248", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "Oracle", + "cyberarkpas.audit.ca_properties.port": "1521", + "cyberarkpas.audit.ca_properties.privcloud": "privcloud", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.tags": "Oracle;DB", + "cyberarkpas.audit.ca_properties.user_name": "HR", + "cyberarkpas.audit.desc": "SQL Command", + "cyberarkpas.audit.extra_details.command": "BEGIN DBMS_APPLICATION_INFO.SET_MODULE(:1,NULL)\\; END\\; (Parameters bound by position: 1\\=[SQL*Plus])", + "cyberarkpas.audit.extra_details.connection_component_id": "PSM-SQLPlus", + "cyberarkpas.audit.extra_details.data_base": "XE", + "cyberarkpas.audit.extra_details.dst_host": "oracle.cybr.com", + "cyberarkpas.audit.extra_details.protocol": "SQLNet", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "0887c643-42f2-4a4f-806e-58c1689de0e6", + "cyberarkpas.audit.extra_details.sql_offset": "596B", + "cyberarkpas.audit.extra_details.src_host": "127.0.0.1", + "cyberarkpas.audit.extra_details.user": "HR", + "cyberarkpas.audit.extra_details.vid_offset": "4T", + "cyberarkpas.audit.file": "Root\\Database-Oracle-oracle.cybr.com-HR", + "cyberarkpas.audit.iso_timestamp": "2021-03-25T14:56:44Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "SQL Command", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 10:56:44\n 2021-03-25T14:56:44Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n 
\n \n \n Command=BEGIN DBMS_APPLICATION_INFO.SET_MODULE(:1,NULL)\\; END\\; (Parameters bound by position: 1\\=[SQL*Plus]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=596B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Oracle", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.0.15", + "cyberarkpas.audit.timestamp": "Mar 25 10:56:44", + "destination.address": "oracle.cybr.com", + "destination.domain": "oracle.cybr.com", + "destination.user.name": "HR", + "event.action": "sql command", + "event.category": [ + "database" + ], + "event.code": "359", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "access" + ], + "file.path": "Root\\Database-Oracle-oracle.cybr.com-HR", + "fileset.name": "audit", + "host.name": "VLT01", + "input.type": "log", + "log.offset": 14960, + "log.syslog.priority": "5", + "network.application": "sqlnet", + "observer.hostname": "VLT01", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "12.0.0000", + "related.ip": [ + "127.0.0.1", + "10.0.0.15" + ], + "related.user": [ + "Administrator", + "HR" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-25T14:56:45.000Z", + "cyberarkpas.audit.action": "SQL Command", + "cyberarkpas.audit.ca_properties.address": "oracle.cybr.com", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + 
"cyberarkpas.audit.ca_properties.database": "XE", + "cyberarkpas.audit.ca_properties.device_type": "Database", + "cyberarkpas.audit.ca_properties.last_success_change": "1616011984", + "cyberarkpas.audit.ca_properties.last_success_verification": "1616580248", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "Oracle", + "cyberarkpas.audit.ca_properties.port": "1521", + "cyberarkpas.audit.ca_properties.privcloud": "privcloud", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.tags": "Oracle;DB", + "cyberarkpas.audit.ca_properties.user_name": "HR", + "cyberarkpas.audit.desc": "SQL Command", + "cyberarkpas.audit.extra_details.command": "SELECT DECODE('A','A','1','2') FROM DUAL", + "cyberarkpas.audit.extra_details.connection_component_id": "PSM-SQLPlus", + "cyberarkpas.audit.extra_details.data_base": "XE", + "cyberarkpas.audit.extra_details.dst_host": "oracle.cybr.com", + "cyberarkpas.audit.extra_details.protocol": "SQLNet", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "0887c643-42f2-4a4f-806e-58c1689de0e6", + "cyberarkpas.audit.extra_details.sql_offset": "727B", + "cyberarkpas.audit.extra_details.src_host": "127.0.0.1", + "cyberarkpas.audit.extra_details.user": "HR", + "cyberarkpas.audit.extra_details.vid_offset": "5T", + "cyberarkpas.audit.file": "Root\\Database-Oracle-oracle.cybr.com-HR", + "cyberarkpas.audit.iso_timestamp": "2021-03-25T14:56:45Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "SQL Command", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 10:56:45\n 2021-03-25T14:56:45Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT DECODE('A','A','1','2') FROM 
DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=727B;SrcHost=127.0.0.1;User=HR;VIDOffset=5T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Oracle", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.0.15", + "cyberarkpas.audit.timestamp": "Mar 25 10:56:45", + "destination.address": "oracle.cybr.com", + "destination.domain": "oracle.cybr.com", + "destination.user.name": "HR", + "event.action": "sql command", + "event.category": [ + "database" + ], + "event.code": "359", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "access" + ], + "file.path": "Root\\Database-Oracle-oracle.cybr.com-HR", + "fileset.name": "audit", + "host.name": "VLT01", + "input.type": "log", + "log.offset": 18707, + "log.syslog.priority": "5", + "network.application": "sqlnet", + "observer.hostname": "VLT01", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "12.0.0000", + "related.ip": [ + "127.0.0.1", + "10.0.0.15" + ], + "related.user": [ + "Administrator", + "HR" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-25T14:56:54.000Z", + "cyberarkpas.audit.action": "SQL Command", + "cyberarkpas.audit.ca_properties.address": "oracle.cybr.com", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.database": "XE", + "cyberarkpas.audit.ca_properties.device_type": "Database", + 
"cyberarkpas.audit.ca_properties.last_success_change": "1616011984", + "cyberarkpas.audit.ca_properties.last_success_verification": "1616580248", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "Oracle", + "cyberarkpas.audit.ca_properties.port": "1521", + "cyberarkpas.audit.ca_properties.privcloud": "privcloud", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.tags": "Oracle;DB", + "cyberarkpas.audit.ca_properties.user_name": "HR", + "cyberarkpas.audit.desc": "SQL Command", + "cyberarkpas.audit.extra_details.command": "SELECT INFO FROM SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\=[HELP])", + "cyberarkpas.audit.extra_details.connection_component_id": "PSM-SQLPlus", + "cyberarkpas.audit.extra_details.data_base": "XE", + "cyberarkpas.audit.extra_details.dst_host": "oracle.cybr.com", + "cyberarkpas.audit.extra_details.protocol": "SQLNet", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "0887c643-42f2-4a4f-806e-58c1689de0e6", + "cyberarkpas.audit.extra_details.sql_offset": "800B", + "cyberarkpas.audit.extra_details.src_host": "127.0.0.1", + "cyberarkpas.audit.extra_details.user": "HR", + "cyberarkpas.audit.extra_details.vid_offset": "14T", + "cyberarkpas.audit.file": "Root\\Database-Oracle-oracle.cybr.com-HR", + "cyberarkpas.audit.iso_timestamp": "2021-03-25T14:56:54Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "SQL Command", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 10:56:54\n 2021-03-25T14:56:54Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT INFO FROM SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 
1\\=[HELP]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=800B;SrcHost=127.0.0.1;User=HR;VIDOffset=14T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Oracle", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.0.15", + "cyberarkpas.audit.timestamp": "Mar 25 10:56:54", + "destination.address": "oracle.cybr.com", + "destination.domain": "oracle.cybr.com", + "destination.user.name": "HR", + "event.action": "sql command", + "event.category": [ + "database" + ], + "event.code": "359", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "access" + ], + "file.path": "Root\\Database-Oracle-oracle.cybr.com-HR", + "fileset.name": "audit", + "host.name": "VLT01", + "input.type": "log", + "log.offset": 22326, + "log.syslog.priority": "5", + "network.application": "sqlnet", + "observer.hostname": "VLT01", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "12.0.0000", + "related.ip": [ + "127.0.0.1", + "10.0.0.15" + ], + "related.user": [ + "Administrator", + "HR" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-25T14:58:02.000Z", + "cyberarkpas.audit.action": "SQL Command", + "cyberarkpas.audit.ca_properties.address": "oracle.cybr.com", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.database": "XE", + "cyberarkpas.audit.ca_properties.device_type": 
"Database", + "cyberarkpas.audit.ca_properties.last_success_change": "1616011984", + "cyberarkpas.audit.ca_properties.last_success_verification": "1616580248", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "Oracle", + "cyberarkpas.audit.ca_properties.port": "1521", + "cyberarkpas.audit.ca_properties.privcloud": "privcloud", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.tags": "Oracle;DB", + "cyberarkpas.audit.ca_properties.user_name": "HR", + "cyberarkpas.audit.desc": "SQL Command", + "cyberarkpas.audit.extra_details.command": "SELECT * FROM DBA_USERS", + "cyberarkpas.audit.extra_details.connection_component_id": "PSM-SQLPlus", + "cyberarkpas.audit.extra_details.data_base": "XE", + "cyberarkpas.audit.extra_details.dst_host": "oracle.cybr.com", + "cyberarkpas.audit.extra_details.protocol": "SQLNet", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "0887c643-42f2-4a4f-806e-58c1689de0e6", + "cyberarkpas.audit.extra_details.sql_offset": "1097B", + "cyberarkpas.audit.extra_details.src_host": "127.0.0.1", + "cyberarkpas.audit.extra_details.user": "HR", + "cyberarkpas.audit.extra_details.vid_offset": "82T", + "cyberarkpas.audit.file": "Root\\Database-Oracle-oracle.cybr.com-HR", + "cyberarkpas.audit.iso_timestamp": "2021-03-25T14:58:02Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "SQL Command", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 10:58:02\n 2021-03-25T14:58:02Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT * FROM 
DBA_USERS;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1097B;SrcHost=127.0.0.1;User=HR;VIDOffset=82T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Oracle", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.0.15", + "cyberarkpas.audit.timestamp": "Mar 25 10:58:02", + "destination.address": "oracle.cybr.com", + "destination.domain": "oracle.cybr.com", + "destination.user.name": "HR", + "event.action": "sql command", + "event.category": [ + "database" + ], + "event.code": "359", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "access" + ], + "file.path": "Root\\Database-Oracle-oracle.cybr.com-HR", + "fileset.name": "audit", + "host.name": "VLT01", + "input.type": "log", + "log.offset": 26101, + "log.syslog.priority": "5", + "network.application": "sqlnet", + "observer.hostname": "VLT01", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "12.0.0000", + "related.ip": [ + "127.0.0.1", + "10.0.0.15" + ], + "related.user": [ + "Administrator", + "HR" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-25T14:57:05.000Z", + "cyberarkpas.audit.action": "SQL Command", + "cyberarkpas.audit.ca_properties.address": "oracle.cybr.com", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.database": "XE", + "cyberarkpas.audit.ca_properties.device_type": 
"Database", + "cyberarkpas.audit.ca_properties.last_success_change": "1616011984", + "cyberarkpas.audit.ca_properties.last_success_verification": "1616580248", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "Oracle", + "cyberarkpas.audit.ca_properties.port": "1521", + "cyberarkpas.audit.ca_properties.privcloud": "privcloud", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.tags": "Oracle;DB", + "cyberarkpas.audit.ca_properties.user_name": "HR", + "cyberarkpas.audit.desc": "SQL Command", + "cyberarkpas.audit.extra_details.command": "SELECT INFO FROM SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\=[SHOW%])", + "cyberarkpas.audit.extra_details.connection_component_id": "PSM-SQLPlus", + "cyberarkpas.audit.extra_details.data_base": "XE", + "cyberarkpas.audit.extra_details.dst_host": "oracle.cybr.com", + "cyberarkpas.audit.extra_details.protocol": "SQLNet", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "0887c643-42f2-4a4f-806e-58c1689de0e6", + "cyberarkpas.audit.extra_details.sql_offset": "948B", + "cyberarkpas.audit.extra_details.src_host": "127.0.0.1", + "cyberarkpas.audit.extra_details.user": "HR", + "cyberarkpas.audit.extra_details.vid_offset": "25T", + "cyberarkpas.audit.file": "Root\\Database-Oracle-oracle.cybr.com-HR", + "cyberarkpas.audit.iso_timestamp": "2021-03-25T14:57:05Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "SQL Command", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 10:57:05\n 2021-03-25T14:57:05Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT INFO FROM SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 
1\\=[SHOW%]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=948B;SrcHost=127.0.0.1;User=HR;VIDOffset=25T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Oracle", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.0.15", + "cyberarkpas.audit.timestamp": "Mar 25 10:57:05", + "destination.address": "oracle.cybr.com", + "destination.domain": "oracle.cybr.com", + "destination.user.name": "HR", + "event.action": "sql command", + "event.category": [ + "database" + ], + "event.code": "359", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "access" + ], + "file.path": "Root\\Database-Oracle-oracle.cybr.com-HR", + "fileset.name": "audit", + "host.name": "VLT01", + "input.type": "log", + "log.offset": 29690, + "log.syslog.priority": "5", + "network.application": "sqlnet", + "observer.hostname": "VLT01", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "12.0.0000", + "related.ip": [ + "127.0.0.1", + "10.0.0.15" + ], + "related.user": [ + "Administrator", + "HR" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-25T14:58:44.000Z", + "cyberarkpas.audit.action": "SQL Command", + "cyberarkpas.audit.ca_properties.address": "oracle.cybr.com", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.database": "XE", + "cyberarkpas.audit.ca_properties.device_type": 
"Database", + "cyberarkpas.audit.ca_properties.last_success_change": "1616011984", + "cyberarkpas.audit.ca_properties.last_success_verification": "1616580248", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "Oracle", + "cyberarkpas.audit.ca_properties.port": "1521", + "cyberarkpas.audit.ca_properties.privcloud": "privcloud", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.tags": "Oracle;DB", + "cyberarkpas.audit.ca_properties.user_name": "HR", + "cyberarkpas.audit.desc": "SQL Command", + "cyberarkpas.audit.extra_details.command": "select distinct owner from all_objects", + "cyberarkpas.audit.extra_details.connection_component_id": "PSM-SQLPlus", + "cyberarkpas.audit.extra_details.data_base": "XE", + "cyberarkpas.audit.extra_details.dst_host": "oracle.cybr.com", + "cyberarkpas.audit.extra_details.protocol": "SQLNet", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "0887c643-42f2-4a4f-806e-58c1689de0e6", + "cyberarkpas.audit.extra_details.sql_offset": "1153B", + "cyberarkpas.audit.extra_details.src_host": "127.0.0.1", + "cyberarkpas.audit.extra_details.user": "HR", + "cyberarkpas.audit.extra_details.vid_offset": "124T", + "cyberarkpas.audit.file": "Root\\Database-Oracle-oracle.cybr.com-HR", + "cyberarkpas.audit.iso_timestamp": "2021-03-25T14:58:44Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "SQL Command", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 10:58:44\n 2021-03-25T14:58:44Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=select distinct owner from 
all_objects;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1153B;SrcHost=127.0.0.1;User=HR;VIDOffset=124T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Oracle", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.0.15", + "cyberarkpas.audit.timestamp": "Mar 25 10:58:44", + "destination.address": "oracle.cybr.com", + "destination.domain": "oracle.cybr.com", + "destination.user.name": "HR", + "event.action": "sql command", + "event.category": [ + "database" + ], + "event.code": "359", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "access" + ], + "file.path": "Root\\Database-Oracle-oracle.cybr.com-HR", + "fileset.name": "audit", + "host.name": "VLT01", + "input.type": "log", + "log.offset": 33467, + "log.syslog.priority": "5", + "network.application": "sqlnet", + "observer.hostname": "VLT01", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "12.0.0000", + "related.ip": [ + "127.0.0.1", + "10.0.0.15" + ], + "related.user": [ + "Administrator", + "HR" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/361_keystroke_logging.log b/x-pack/filebeat/module/cyberarkpas/audit/test/361_keystroke_logging.log new file mode 100644 index 00000000000..6c959f21d65 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/361_keystroke_logging.log 
@@ -0,0 +1,7 @@ +{"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\n 10.2.0.7\n \n \n \n \n Command=ls \"/var/tmp\";ConnectionComponentId=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=499852f2-22b5-11eb-8bff-000c297aae88;SrcHost=10.2.0.6;SSHOffset=3642B;User=admin2;VIDOffset=125T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"361","IsoTimestamp":"2021-03-16T15:01:00Z","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"Linux","File":"Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2","Station":"10.2.0.7","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=ls \"/var/tmp\";ConnectionComponentId=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=499852f2-22b5-11eb-8bff-000c297aae88;SrcHost=10.2.0.6;SSHOffset=3642B;User=admin2;VIDOffset=125T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"LINUX-SSH"},{"Name":"UserName","Value":"admin2"},{"Name":"Address","Value":"radiussrv.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"CPMDisabled","Value":"No Reason"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Customer","Value":"Tesla"}]}}}} +<5>1 2021-03-14T13:49:49Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:49\n 2021-03-14T13:49:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 
34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=10T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:49","IsoTimestamp":"2021-03-14T13:49:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=10T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:32:04Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:32:04\n 2021-03-15T10:32:04Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;SSHOffset=1312B;User=testark;VIDOffset=6T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:32:04","IsoTimestamp":"2021-03-15T10:32:04Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;SSHOffset=1312B;User=testark;VIDOffset=6T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:33:47Z VAULT 
{"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:33:47\n 2021-03-15T10:33:47Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:33:47","IsoTimestamp":"2021-03-15T10:33:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:35:08Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:35:08\n 2021-03-15T10:35:08Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n 
Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:35:08","IsoTimestamp":"2021-03-15T10:35:08Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T14:11:18Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:11:18\n 2021-03-15T14:11:18Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n 
\n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=8T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:11:18","IsoTimestamp":"2021-03-15T14:11:18Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=8T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<5>1 2021-03-15T14:45:51Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:45:51\n 2021-03-15T14:45:51Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\;;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=296291B;User=testark;VIDOffset=2081T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:45:51","IsoTimestamp":"2021-03-15T14:45:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\;;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=296291B;User=testark;VIDOffset=2081T;","Message":"Keystroke 
logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615819476"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/361_keystroke_logging.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/361_keystroke_logging.log-expected.json new file mode 100644 index 00000000000..77b675324c6 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/361_keystroke_logging.log-expected.json 
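Review bot: The seven records in this new fixture carry what look like live, routable addresses (`SrcHost=81.32.170.205`, `DstHost=34.123.103.115`, `Station` 34.71.250.247), a named customer (`Customer=Tesla`) and an internal hostname, and the companion expected output geolocates the addresses to Barcelona and Council Bluffs. Sample logs committed to a public repository are usually scrubbed to RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and placeholder organisation names before merge, both for the data subjects' sake and so the test does not depend on the bundled GeoIP database resolving those specific addresses. If the addresses are replaced, the `-expected.json` has to be regenerated, since `source.geo.*`, `destination.geo.*`, `related.ip` and apparently `network.direction` are derived from them. Whether the pipeline's internal/external classification still yields `external` for documentation-range addresses is not visible in this hunk and should be confirmed when regenerating.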
@@ -0,0 +1,667 @@ +[ + { + "@timestamp": "2021-03-16T15:01:00.000Z", + "cyberarkpas.audit.action": "Keystroke logging", + "cyberarkpas.audit.ca_properties.address": "radiussrv.cyberark.local", + "cyberarkpas.audit.ca_properties.cpm_disabled": "No Reason", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.customer": "Tesla", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "LINUX-SSH", + "cyberarkpas.audit.ca_properties.user_name": "admin2", + "cyberarkpas.audit.desc": "Keystroke logging", + "cyberarkpas.audit.extra_details.command": "ls \"/var/tmp\"", + "cyberarkpas.audit.extra_details.connection_component_id": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "radiussrv.cyberark.local", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "499852f2-22b5-11eb-8bff-000c297aae88", + "cyberarkpas.audit.extra_details.src_host": "10.2.0.6", + "cyberarkpas.audit.extra_details.ssh_offset": "3642B", + "cyberarkpas.audit.extra_details.user": "admin2", + "cyberarkpas.audit.extra_details.vid_offset": "125T", + "cyberarkpas.audit.file": "Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2", + "cyberarkpas.audit.iso_timestamp": "2021-03-16T15:01:00Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Keystroke logging", + "cyberarkpas.audit.raw": "\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\n 10.2.0.7\n \n \n \n \n Command=ls 
\"/var/tmp\";ConnectionComponentId=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=499852f2-22b5-11eb-8bff-000c297aae88;SrcHost=10.2.0.6;SSHOffset=3642B;User=admin2;VIDOffset=125T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n", + "cyberarkpas.audit.rfc5424": false, + "cyberarkpas.audit.safe": "Linux", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.2.0.7", + "destination.address": "radiussrv.cyberark.local", + "destination.domain": "radiussrv.cyberark.local", + "destination.user.name": "admin2", + "event.action": "keystroke logging", + "event.category": [ + "session" + ], + "event.code": "361", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "file.path": "Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2", + "fileset.name": "audit", + "input.type": "log", + "log.offset": 0, + "network.application": "ssh", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.6.0000", + "related.ip": [ + "10.2.0.6", + "10.2.0.7" + ], + "related.user": [ + "Administrator", + "admin2" + ], + "service.type": "cyberarkpas", + "source.address": "10.2.0.6", + "source.ip": "10.2.0.6", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-14T13:49:49.000Z", + "cyberarkpas.audit.action": "Keystroke logging", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615729572", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "Keystroke logging", + "cyberarkpas.audit.extra_details.command": "sudo su", + "cyberarkpas.audit.extra_details.connection_component_id": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "d284c268-2ba0-4366-af52-e33459b073a1", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.ssh_offset": "1309B", + "cyberarkpas.audit.extra_details.user": "testark", + "cyberarkpas.audit.extra_details.vid_offset": "10T", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T13:49:49Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Keystroke logging", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:49:49\n 2021-03-14T13:49:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=sudo 
su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=10T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 14 06:49:49", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "keystroke logging", + "event.category": [ + "session" + ], + "event.code": "361", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2724, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": 
"ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T10:32:04.000Z", + "cyberarkpas.audit.action": "Keystroke logging", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "Keystroke logging", + "cyberarkpas.audit.extra_details.command": "sudo su", + "cyberarkpas.audit.extra_details.connection_component_id": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "29f340df-89e9-405a-beae-0216390cda42", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.ssh_offset": "1312B", + "cyberarkpas.audit.extra_details.user": "testark", + "cyberarkpas.audit.extra_details.vid_offset": "6T", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T10:32:04Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Keystroke logging", + 
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:32:04\n 2021-03-15T10:32:04Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;SSHOffset=1312B;User=testark;VIDOffset=6T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 15 03:32:04", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "keystroke logging", + "event.category": [ + "session" + ], + "event.code": "361", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 6380, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + 
"81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T10:33:47.000Z", + "cyberarkpas.audit.action": "Keystroke logging", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "Keystroke logging", + "cyberarkpas.audit.extra_details.command": "sudo su", + "cyberarkpas.audit.extra_details.connection_component_id": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "f1654cf8-8ce5-472a-8205-ba731b0fab46", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.ssh_offset": "1309B", + "cyberarkpas.audit.extra_details.user": "testark", + 
"cyberarkpas.audit.extra_details.vid_offset": "7T", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T10:33:47Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Keystroke logging", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:33:47\n 2021-03-15T10:33:47Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 15 03:33:47", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "keystroke logging", + "event.category": [ + "session" + ], + "event.code": "361", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + 
"input.type": "log", + "log.offset": 9514, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T10:35:08.000Z", + "cyberarkpas.audit.action": "Keystroke logging", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "Keystroke logging", + "cyberarkpas.audit.extra_details.command": "sudo su", + "cyberarkpas.audit.extra_details.connection_component_id": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + 
"cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "8b3d0b38-aef5-49d9-bdd7-d57706887d8b", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.ssh_offset": "1309B", + "cyberarkpas.audit.extra_details.user": "testark", + "cyberarkpas.audit.extra_details.vid_offset": "7T", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T10:35:08Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Keystroke logging", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:35:08\n 2021-03-15T10:35:08Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 15 03:35:08", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "keystroke logging", + "event.category": [ + "session" + ], + 
"event.code": "361", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 12648, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T14:11:18.000Z", + "cyberarkpas.audit.action": "Keystroke logging", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615814025", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.use_sudo_on_reconcile": "Yes", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "Keystroke logging", + "cyberarkpas.audit.extra_details.command": "sudo su", + "cyberarkpas.audit.extra_details.connection_component_id": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "27f74dce-f5d5-4c94-bf99-ca6aafe2c518", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.ssh_offset": "1309B", + "cyberarkpas.audit.extra_details.user": "testark", + "cyberarkpas.audit.extra_details.vid_offset": "8T", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T14:11:18Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Keystroke logging", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:11:18\n 2021-03-15T14:11:18Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=sudo 
su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=8T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 15 07:11:18", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "keystroke logging", + "event.category": [ + "session" + ], + "event.code": "361", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 15782, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + 
"source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T14:45:51.000Z", + "cyberarkpas.audit.action": "Keystroke logging", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615819476", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "1", + "cyberarkpas.audit.ca_properties.use_sudo_on_reconcile": "Yes", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "Keystroke logging", + "cyberarkpas.audit.extra_details.command": "(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\;", + "cyberarkpas.audit.extra_details.connection_component_id": "PSMP-SSH", + "cyberarkpas.audit.extra_details.dst_host": "34.123.103.115", + "cyberarkpas.audit.extra_details.managed_account": "Yes", + "cyberarkpas.audit.extra_details.protocol": "SSH", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + 
"cyberarkpas.audit.extra_details.session_id": "27f74dce-f5d5-4c94-bf99-ca6aafe2c518", + "cyberarkpas.audit.extra_details.src_host": "81.32.170.205", + "cyberarkpas.audit.extra_details.ssh_offset": "296291B", + "cyberarkpas.audit.extra_details.user": "testark", + "cyberarkpas.audit.extra_details.vid_offset": "2081T", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T14:45:51Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Keystroke logging", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:45:51\n 2021-03-15T14:45:51Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\;;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=296291B;User=testark;VIDOffset=2081T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 15 07:45:51", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "testark", + "event.action": "keystroke logging", + 
"event.category": [ + "session" + ], + "event.code": "361", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 19698, + "log.syslog.priority": "5", + "network.application": "ssh", + "network.direction": "external", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ], + "related.user": [ + "Administrator", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/385_blservice_audit_record.log b/x-pack/filebeat/module/cyberarkpas/audit/test/385_blservice_audit_record.log new file mode 100644 index 00000000000..54143042844 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/385_blservice_audit_record.log 
@@ -0,0 +1,5 @@ +<5>1 2021-03-11T16:31:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:31:13\n 2021-03-11T16:31:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 385\n BLService Audit Record\n Info\n Administrator\n BLService Audit Record\n \n \n \n \n 127.0.0.1\n UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: False; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy\n \n \n \n \n BLService Audit Record\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:31:13","IsoTimestamp":"2021-03-11T16:31:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"385","Desc":"BLService Audit Record","Severity":"Info","Issuer":"Administrator","Action":"BLService Audit Record","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: False; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"BLService Audit Record","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-11T16:31:23Z VAULT 
{"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:31:23\n 2021-03-11T16:31:23Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 385\n BLService Audit Record\n Info\n Administrator\n BLService Audit Record\n \n \n \n \n 127.0.0.1\n UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy\n \n \n \n \n BLService Audit Record\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:31:23","IsoTimestamp":"2021-03-11T16:31:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"385","Desc":"BLService Audit Record","Severity":"Info","Issuer":"Administrator","Action":"BLService Audit Record","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"BLService Audit Record","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-11T19:40:52Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 11:40:52\n 
2021-03-11T19:40:52Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 385\n BLService Audit Record\n Info\n Administrator\n BLService Audit Record\n \n \n \n \n 127.0.0.1\n UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy\n \n \n \n \n BLService Audit Record\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 11:40:52","IsoTimestamp":"2021-03-11T19:40:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"385","Desc":"BLService Audit Record","Severity":"Info","Issuer":"Administrator","Action":"BLService Audit Record","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"BLService Audit Record","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-14T12:04:35Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:04:35\n 2021-03-14T12:04:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 385\n BLService Audit 
Record\n Info\n Administrator\n BLService Audit Record\n \n \n \n \n 127.0.0.1\n UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy\n \n \n \n \n BLService Audit Record\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:04:35","IsoTimestamp":"2021-03-14T12:04:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"385","Desc":"BLService Audit Record","Severity":"Info","Issuer":"Administrator","Action":"BLService Audit Record","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"BLService Audit Record","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-14T12:04:53Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:04:53\n 2021-03-14T12:04:53Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 385\n BLService Audit Record\n Info\n Administrator\n BLService Audit Record\n \n \n \n \n 127.0.0.1\n 
UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 500; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy\n \n \n \n \n BLService Audit Record\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:04:53","IsoTimestamp":"2021-03-14T12:04:53Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"385","Desc":"BLService Audit Record","Severity":"Info","Issuer":"Administrator","Action":"BLService Audit Record","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 500; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"BLService Audit Record","GatewayStation":"10.0.1.20"}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/385_blservice_audit_record.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/385_blservice_audit_record.log-expected.json new file mode 100644 index 00000000000..afc569ca43a --- /dev/null 
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/385_blservice_audit_record.log-expected.json 
@@ -0,0 +1,227 @@ +[ + { + "@timestamp": "2021-03-11T16:31:13.000Z", + "cyberarkpas.audit.action": "BLService Audit Record", + "cyberarkpas.audit.desc": "BLService Audit Record", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:31:13Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.location": "UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: False; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy", + "cyberarkpas.audit.message": "BLService Audit Record", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:31:13\n 2021-03-11T16:31:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 385\n BLService Audit Record\n Info\n Administrator\n BLService Audit Record\n \n \n \n \n 127.0.0.1\n UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: False; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy\n \n \n \n \n BLService Audit Record\n 10.0.1.20\n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 11 08:31:13", + "destination.address": "10.0.1.20", + "destination.ip": 
"10.0.1.20", + "event.action": "blservice audit record", + "event.code": "385", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-11T16:31:23.000Z", + "cyberarkpas.audit.action": "BLService Audit Record", + "cyberarkpas.audit.desc": "BLService Audit Record", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:31:23Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.location": "UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy", + "cyberarkpas.audit.message": "BLService Audit Record", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:31:23\n 2021-03-11T16:31:23Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 385\n BLService Audit Record\n Info\n Administrator\n BLService Audit Record\n \n \n \n \n 127.0.0.1\n UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: 
True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy\n \n \n \n \n BLService Audit Record\n 10.0.1.20\n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 11 08:31:23", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "blservice audit record", + "event.code": "385", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 3510, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-11T19:40:52.000Z", + "cyberarkpas.audit.action": "BLService Audit Record", + "cyberarkpas.audit.desc": "BLService Audit Record", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T19:40:52Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.location": "UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: 
False; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy", + "cyberarkpas.audit.message": "BLService Audit Record", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 11:40:52\n 2021-03-11T19:40:52Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 385\n BLService Audit Record\n Info\n Administrator\n BLService Audit Record\n \n \n \n \n 127.0.0.1\n UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy\n \n \n \n \n BLService Audit Record\n 10.0.1.20\n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 11 11:40:52", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "blservice audit record", + "event.code": "385", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 7018, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + 
"service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-14T12:04:35.000Z", + "cyberarkpas.audit.action": "BLService Audit Record", + "cyberarkpas.audit.desc": "BLService Audit Record", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:04:35Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.location": "UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy", + "cyberarkpas.audit.message": "BLService Audit Record", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:04:35\n 2021-03-14T12:04:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 385\n BLService Audit Record\n Info\n Administrator\n BLService Audit Record\n \n \n \n \n 127.0.0.1\n UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy\n \n \n \n \n BLService Audit Record\n 10.0.1.20\n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + 
"cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 14 05:04:35", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "blservice audit record", + "event.code": "385", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 10528, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-14T12:04:53.000Z", + "cyberarkpas.audit.action": "BLService Audit Record", + "cyberarkpas.audit.desc": "BLService Audit Record", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:04:53Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.location": "UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 500; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy", + "cyberarkpas.audit.message": "BLService Audit Record", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:04:53\n 2021-03-14T12:04:53Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 385\n BLService Audit Record\n Info\n Administrator\n 
BLService Audit Record\n \n \n \n \n 127.0.0.1\n UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 500; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy\n \n \n \n \n BLService Audit Record\n 10.0.1.20\n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 14 05:04:53", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "blservice audit record", + "event.code": "385", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 14040, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/38_cpm_verify_password_failed.log b/x-pack/filebeat/module/cyberarkpas/audit/test/38_cpm_verify_password_failed.log new file mode 100644 index 00000000000..211d487b613 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/38_cpm_verify_password_failed.log 
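Review bot: The expected output for every message ID 385 record in this file carries no `event.category` and no `event.type`, while the 361 records in the preceding expected file populate `["session"]` and `["info"]`; a Master Policy update that changes settings such as `RecordSessions`, `PSMEnabled`, `DualControl` or `EnforceExpirationPeriod` is exactly the kind of record that category-based detection rules key on, so the pipeline should classify it, e.g. `"event.category": ["configuration"]` and `"event.type": ["change"]`. The issuer `Administrator` is likewise not surfaced in `user.name` or `related.user` for 385, although the 361 records derive both from the issuer; if that difference is intentional it deserves a comment in the pipeline, otherwise the policy change loses its actor attribution. Both points concern the ingest pipeline rather than this generated expected-output file, which only reflects its current behaviour, so the fixtures would need regenerating after the change.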
@@ -0,0 +1,15 @@ +<7>1 2021-03-15T13:19:58Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:19:58\n 2021-03-15T13:19:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;username=ELASTIC\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:19:58","IsoTimestamp":"2021-03-15T13:19:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\n","ExtraDetails":"address=34.66.114.180;username=ELASTIC\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814397"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). "},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T13:25:32Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:25:32\n 2021-03-15T13:25:32Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). 
\n\n address=34.66.114.180;username=bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:25:32","IsoTimestamp":"2021-03-15T13:25:32Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). \n","ExtraDetails":"address=34.66.114.180;username=bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814709"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"UserDN","Value":"ELASTIC.local"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). 
"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T13:33:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:33:26\n 2021-03-15T13:33:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:33:26","IsoTimestamp":"2021-03-15T13:33:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\n","ExtraDetails":"address=34.66.114.180;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615815206"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). "},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T15:04:11Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 08:04:11\n 2021-03-15T15:04:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\n\n address=34.66.114.180;retriescount=1;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 08:04:11","IsoTimestamp":"2021-03-15T15:04:11Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n","ExtraDetails":"address=34.66.114.180;retriescount=1;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615820651"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T16:35:01Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 09:35:01\n 2021-03-15T16:35:01Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;retriescount=2;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 09:35:01","IsoTimestamp":"2021-03-15T16:35:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\n","ExtraDetails":"address=34.66.114.180;retriescount=2;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"2"},{"Name":"LastFailDate","Value":"1615826099"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). "},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T16:56:29Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 09:56:29\n 2021-03-15T16:56:29Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 10.0.1.20. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n\n address=10.0.1.20;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 09:56:29","IsoTimestamp":"2021-03-15T16:56:29Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 10.0.1.20. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n","ExtraDetails":"address=10.0.1.20;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"10.0.1.20"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615827245"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server 10.0.1.20. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} +<7>1 2021-03-15T17:01:07Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 10:01:07\n 2021-03-15T17:01:07Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\n\n address=10.0.1.20;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 10:01:07","IsoTimestamp":"2021-03-15T17:01:07Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\n","ExtraDetails":"address=10.0.1.20;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"10.0.1.20"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615827554"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"DSN","Value":"mariadb"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server . State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} +<7>1 2021-03-15T17:05:47Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 10:05:47\n 2021-03-15T17:05:47Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n\n address=10.0.1.20;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 10:05:47","IsoTimestamp":"2021-03-15T17:05:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n","ExtraDetails":"address=10.0.1.20;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"10.0.1.20"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615827864"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"DSN","Value":"DRIVER={MariaDB ODBC 3.1 Driver};TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} +<7>1 2021-03-15T17:10:25Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 10:10:25\n 2021-03-15T17:10:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n\n address=10.0.1.20;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 10:10:25","IsoTimestamp":"2021-03-15T17:10:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n","ExtraDetails":"address=10.0.1.20;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"10.0.1.20"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615828174"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"DSN","Value":"DSN=mariadb;TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} +<7>1 2021-03-15T17:28:07Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 10:28:07\n 2021-03-15T17:28:07Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 127.0.0.1. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n\n address=127.0.0.1;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 10:28:07","IsoTimestamp":"2021-03-15T17:28:07Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 127.0.0.1. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n","ExtraDetails":"address=127.0.0.1;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"127.0.0.1"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615829287"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"Port","Value":"3306"},{"Name":"Database","Value":"test"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server 127.0.0.1. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} +<7>1 2021-03-15T17:33:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 10:33:17\n 2021-03-15T17:33:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n\n address=127.0.0.1;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 10:33:17","IsoTimestamp":"2021-03-15T17:33:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n","ExtraDetails":"address=127.0.0.1;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"127.0.0.1"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615829597"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"Port","Value":"3306"},{"Name":"Database","Value":"test"},{"Name":"DSN","Value":"mysql"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} +<7>1 2021-03-15T17:38:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 10:38:27\n 2021-03-15T17:38:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n\n address=127.0.0.1;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 10:38:27","IsoTimestamp":"2021-03-15T17:38:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n","ExtraDetails":"address=127.0.0.1;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"127.0.0.1"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615829907"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"Port","Value":"3306"},{"Name":"Database","Value":"test"},{"Name":"DSN","Value":"Driver={MySQL ODBC 5.3 Unicode Driver};server=%ADDRESS%;user=%USER%;option=3;port=%PORT%;Password=%LOGONPASSWORD%"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} +<7>1 2021-03-15T18:00:07Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 11:00:07\n 2021-03-15T18:00:07Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n\n address=Driver\\={MySQL ODBC 5.3 Unicode Driver}\\;server\\=127.0.0.1\\;user\\=root\\;option\\=3\\;port\\=3306\\;Password\\=1234;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 11:00:07","IsoTimestamp":"2021-03-15T18:00:07Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n","ExtraDetails":"address=Driver\\={MySQL ODBC 5.3 Unicode Driver}\\;server\\=127.0.0.1\\;user\\=root\\;option\\=3\\;port\\=3306\\;Password\\=1234;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"Driver={MySQL ODBC 5.3 Unicode Driver};server=127.0.0.1;user=root;option=3;port=3306;Password=1234"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615831206"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"Port","Value":"3306"},{"Name":"Database","Value":"test"},{"Name":"DSN","Value":"mysql"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} +<7>1 2021-03-15T18:05:16Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 11:05:16\n 2021-03-15T18:05:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\n\n address=34.66.114.180;retriescount=3;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 11:05:16","IsoTimestamp":"2021-03-15T18:05:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n","ExtraDetails":"address=34.66.114.180;retriescount=3;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"3"},{"Name":"LastFailDate","Value":"1615831516"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-16T09:50:19Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 16 02:50:19\n 2021-03-16T09:50:19Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;retriescount=4;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 16 02:50:19","IsoTimestamp":"2021-03-16T09:50:19Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\n","ExtraDetails":"address=34.66.114.180;retriescount=4;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"4"},{"Name":"LastFailDate","Value":"1615888216"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). "},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/38_cpm_verify_password_failed.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/38_cpm_verify_password_failed.log-expected.json new file mode 100644 index 00000000000..6b6497a81c9 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/38_cpm_verify_password_failed.log-expected.json 
@@ -0,0 +1,1203 @@ +[ + { + "@timestamp": "2021-03-15T13:19:58.000Z", + "cyberarkpas.audit.action": "CPM Verify Password Failed", + "cyberarkpas.audit.ca_properties.address": "34.66.114.180", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615814397", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.logon_domain": "34.66.114.180", + "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", + "cyberarkpas.audit.ca_properties.reset_immediately": "VerifyTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.user_name": "ELASTIC\\bart", + "cyberarkpas.audit.desc": "CPM Verify Password Failed", + "cyberarkpas.audit.extra_details.address": "34.66.114.180", + "cyberarkpas.audit.extra_details.username": "ELASTIC\\bart", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T13:19:58Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Verify Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 06:19:58\n 2021-03-15T13:19:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). 
Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;username=ELASTIC\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 06:19:58", + "destination.address": "34.66.114.180", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.66.114.180", + "destination.user.name": "ELASTIC\\bart", + "event.action": "cpm verify password failed", + "event.category": [ + "iam" + ], + "event.code": "38", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "file.path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "7", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "34.66.114.180" + ], + "related.user": [ + "PasswordManager", + "ELASTIC\\bart" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-15T13:25:32.000Z", + "cyberarkpas.audit.action": "CPM Verify Password Failed", + "cyberarkpas.audit.ca_properties.address": "34.66.114.180", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). 
", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615814709", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.logon_domain": "34.66.114.180", + "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", + "cyberarkpas.audit.ca_properties.reset_immediately": "VerifyTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.user_dn": "ELASTIC.local", + "cyberarkpas.audit.ca_properties.user_name": "bart", + "cyberarkpas.audit.desc": "CPM Verify Password Failed", + "cyberarkpas.audit.extra_details.address": "34.66.114.180", + "cyberarkpas.audit.extra_details.username": "bart", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T13:25:32Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Verify Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 06:25:32\n 2021-03-15T13:25:32Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). \n\n address=34.66.114.180;username=bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask. 
Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). \n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 06:25:32", + "destination.address": "34.66.114.180", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.66.114.180", + "destination.user.name": "bart", + "event.action": "cpm verify password failed", + "event.category": [ + "iam" + ], + "event.code": "38", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). 
", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "file.path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 4191, + "log.syslog.priority": "7", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "34.66.114.180" + ], + "related.user": [ + "PasswordManager", + "bart" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-15T13:33:26.000Z", + "cyberarkpas.audit.action": "CPM Verify Password Failed", + "cyberarkpas.audit.ca_properties.address": "34.66.114.180", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615815206", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.logon_domain": "34.66.114.180", + "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", + "cyberarkpas.audit.ca_properties.reset_immediately": "VerifyTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.user_name": "ELASTIC.local\\bart", + "cyberarkpas.audit.desc": "CPM Verify Password Failed", + "cyberarkpas.audit.extra_details.address": "34.66.114.180", + "cyberarkpas.audit.extra_details.username": "ELASTIC.local\\bart", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T13:33:26Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Verify Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 06:33:26\n 2021-03-15T13:33:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask. 
Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 06:33:26", + "destination.address": "34.66.114.180", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.66.114.180", + "destination.user.name": "ELASTIC.local\\bart", + "event.action": "cpm verify password failed", + "event.category": [ + "iam" + ], + "event.code": "38", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "file.path": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 8413, + "log.syslog.priority": "7", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "34.66.114.180" + ], + "related.user": [ + "PasswordManager", + "ELASTIC.local\\bart" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-15T15:04:11.000Z", + "cyberarkpas.audit.action": "CPM Verify Password Failed", + "cyberarkpas.audit.ca_properties.address": "34.66.114.180", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615820651", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.logon_domain": "34.66.114.180", + "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", + "cyberarkpas.audit.ca_properties.reset_immediately": "VerifyTask", + "cyberarkpas.audit.ca_properties.retries_count": "1", + "cyberarkpas.audit.ca_properties.user_name": "ELASTIC.local\\bart", + "cyberarkpas.audit.desc": "CPM Verify Password Failed", + "cyberarkpas.audit.extra_details.address": "34.66.114.180", + "cyberarkpas.audit.extra_details.retriescount": "1", + "cyberarkpas.audit.extra_details.username": "ELASTIC.local\\bart", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T15:04:11Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Verify Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 08:04:11\n 2021-03-15T15:04:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\n\n address=34.66.114.180;retriescount=1;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 08:04:11", + "destination.address": "34.66.114.180", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.66.114.180", + "destination.user.name": "ELASTIC.local\\bart", + "event.action": "cpm verify password failed", + "event.category": [ + "iam" + ], + "event.code": "38", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "file.path": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 12652, + "log.syslog.priority": "7", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "34.66.114.180" + ], + "related.user": [ + "PasswordManager", + "ELASTIC.local\\bart" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-15T16:35:01.000Z", + "cyberarkpas.audit.action": "CPM Verify Password Failed", + "cyberarkpas.audit.ca_properties.address": "34.66.114.180", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615826099", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.logon_domain": "34.66.114.180", + "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", + "cyberarkpas.audit.ca_properties.reset_immediately": "VerifyTask", + "cyberarkpas.audit.ca_properties.retries_count": "2", + "cyberarkpas.audit.ca_properties.user_name": "ELASTIC.local\\bart", + "cyberarkpas.audit.desc": "CPM Verify Password Failed", + "cyberarkpas.audit.extra_details.address": "34.66.114.180", + "cyberarkpas.audit.extra_details.retriescount": "2", + "cyberarkpas.audit.extra_details.username": "ELASTIC.local\\bart", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T16:35:01Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Verify Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 09:35:01\n 2021-03-15T16:35:01Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\n\n address=34.66.114.180;retriescount=2;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 09:35:01", + "destination.address": "34.66.114.180", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.66.114.180", + "destination.user.name": "ELASTIC.local\\bart", + "event.action": "cpm verify password failed", + "event.category": [ + "iam" + ], + "event.code": "38", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "file.path": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 16937, + "log.syslog.priority": "7", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "34.66.114.180" + ], + "related.user": [ + "PasswordManager", + "ELASTIC.local\\bart" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-15T16:56:29.000Z", + "cyberarkpas.audit.action": "CPM Verify Password Failed", + "cyberarkpas.audit.ca_properties.address": "10.0.1.20", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Error when verifypass to User root on Server 10.0.1.20. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Database", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615827245", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "MySQL", + "cyberarkpas.audit.ca_properties.reset_immediately": "VerifyTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.user_name": "root", + "cyberarkpas.audit.desc": "CPM Verify Password Failed", + "cyberarkpas.audit.extra_details.address": "10.0.1.20", + "cyberarkpas.audit.extra_details.username": "root", + "cyberarkpas.audit.file": "Root\\Database-MySQL-10.0.1.20-root", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T16:56:29Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Verify Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 09:56:29\n 2021-03-15T16:56:29Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 10.0.1.20. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n\n address=10.0.1.20;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask. 
Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 10.0.1.20. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 09:56:29", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "destination.user.name": "root", + "event.action": "cpm verify password failed", + "event.category": [ + "iam" + ], + "event.code": "38", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Error when verifypass to User root on Server 10.0.1.20. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "file.path": "Root\\Database-MySQL-10.0.1.20-root", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 21222, + "log.syslog.priority": "7", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PasswordManager", + "root" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-15T17:01:07.000Z", + "cyberarkpas.audit.action": "CPM Verify Password Failed", + 
"cyberarkpas.audit.ca_properties.address": "10.0.1.20", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Error when verifypass to User root on Server . State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Database", + "cyberarkpas.audit.ca_properties.dsn": "mariadb", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615827554", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "MySQL", + "cyberarkpas.audit.ca_properties.reset_immediately": "VerifyTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.user_name": "root", + "cyberarkpas.audit.desc": "CPM Verify Password Failed", + "cyberarkpas.audit.extra_details.address": "10.0.1.20", + "cyberarkpas.audit.extra_details.username": "root", + "cyberarkpas.audit.file": "Root\\Database-MySQL-10.0.1.20-root", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T17:01:07Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Verify Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 10:01:07\n 2021-03-15T17:01:07Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\n\n address=10.0.1.20;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 10:01:07", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "destination.user.name": "root", + "event.action": "cpm verify password failed", + "event.category": [ + "iam" + ], + "event.code": "38", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Error when verifypass to User root on Server . 
State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "file.path": "Root\\Database-MySQL-10.0.1.20-root", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 25232, + "log.syslog.priority": "7", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PasswordManager", + "root" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-15T17:05:47.000Z", + "cyberarkpas.audit.action": "CPM Verify Password Failed", + "cyberarkpas.audit.ca_properties.address": "10.0.1.20", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Database", + "cyberarkpas.audit.ca_properties.dsn": "DRIVER={MariaDB ODBC 3.1 Driver};TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615827864", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "MySQL", + "cyberarkpas.audit.ca_properties.reset_immediately": "VerifyTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.user_name": "root", + "cyberarkpas.audit.desc": "CPM Verify Password Failed", + "cyberarkpas.audit.extra_details.address": "10.0.1.20", + "cyberarkpas.audit.extra_details.username": "root", + "cyberarkpas.audit.file": "Root\\Database-MySQL-10.0.1.20-root", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T17:05:47Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Verify Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 10:05:47\n 2021-03-15T17:05:47Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n\n address=10.0.1.20;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask. 
Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 10:05:47", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "destination.user.name": "root", + "event.action": "cpm verify password failed", + "event.category": [ + "iam" + ], + "event.code": "38", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "file.path": "Root\\Database-MySQL-10.0.1.20-root", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 29415, + "log.syslog.priority": "7", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PasswordManager", + "root" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-15T17:10:25.000Z", + "cyberarkpas.audit.action": "CPM Verify Password Failed", + "cyberarkpas.audit.ca_properties.address": "10.0.1.20", + 
"cyberarkpas.audit.ca_properties.cpm_error_details": "Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Database", + "cyberarkpas.audit.ca_properties.dsn": "DSN=mariadb;TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615828174", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "MySQL", + "cyberarkpas.audit.ca_properties.reset_immediately": "VerifyTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.user_name": "root", + "cyberarkpas.audit.desc": "CPM Verify Password Failed", + "cyberarkpas.audit.extra_details.address": "10.0.1.20", + "cyberarkpas.audit.extra_details.username": "root", + "cyberarkpas.audit.file": "Root\\Database-MySQL-10.0.1.20-root", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T17:10:25Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Verify Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 10:10:25\n 2021-03-15T17:10:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n\n address=10.0.1.20;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 10:10:25", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "destination.user.name": "root", + "event.action": "cpm verify password failed", + "event.category": [ + "iam" + ], + "event.code": "38", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "file.path": "Root\\Database-MySQL-10.0.1.20-root", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 33542, + "log.syslog.priority": "7", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PasswordManager", + "root" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-15T17:28:07.000Z", + "cyberarkpas.audit.action": "CPM Verify Password Failed", + "cyberarkpas.audit.ca_properties.address": "127.0.0.1", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Error when verifypass to User root on Server 127.0.0.1. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.database": "test", + "cyberarkpas.audit.ca_properties.device_type": "Database", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615829287", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "MySQL", + "cyberarkpas.audit.ca_properties.port": "3306", + "cyberarkpas.audit.ca_properties.reset_immediately": "VerifyTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.user_name": "root", + "cyberarkpas.audit.desc": "CPM Verify Password Failed", + "cyberarkpas.audit.extra_details.address": "127.0.0.1", + "cyberarkpas.audit.extra_details.username": "root", + "cyberarkpas.audit.file": "Root\\Database-MySQL-10.0.1.20-root", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T17:28:07Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Verify Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 10:28:07\n 2021-03-15T17:28:07Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 127.0.0.1. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n\n address=127.0.0.1;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask. 
Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 127.0.0.1. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 10:28:07", + "destination.address": "127.0.0.1", + "destination.ip": "127.0.0.1", + "destination.user.name": "root", + "event.action": "cpm verify password failed", + "event.category": [ + "iam" + ], + "event.code": "38", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Error when verifypass to User root on Server 127.0.0.1. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "file.path": "Root\\Database-MySQL-10.0.1.20-root", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 37627, + "log.syslog.priority": "7", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "127.0.0.1" + ], + "related.user": [ + "PasswordManager", + "root" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-15T17:33:17.000Z", + "cyberarkpas.audit.action": "CPM Verify Password Failed", + 
"cyberarkpas.audit.ca_properties.address": "127.0.0.1", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.database": "test", + "cyberarkpas.audit.ca_properties.device_type": "Database", + "cyberarkpas.audit.ca_properties.dsn": "mysql", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615829597", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "MySQL", + "cyberarkpas.audit.ca_properties.port": "3306", + "cyberarkpas.audit.ca_properties.reset_immediately": "VerifyTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.user_name": "root", + "cyberarkpas.audit.desc": "CPM Verify Password Failed", + "cyberarkpas.audit.extra_details.address": "127.0.0.1", + "cyberarkpas.audit.extra_details.username": "root", + "cyberarkpas.audit.file": "Root\\Database-MySQL-10.0.1.20-root", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T17:33:17Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Verify Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 10:33:17\n 2021-03-15T17:33:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n\n address=127.0.0.1;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 10:33:17", + "destination.address": "127.0.0.1", + "destination.ip": "127.0.0.1", + "destination.user.name": "root", + "event.action": "cpm verify password failed", + "event.category": [ + "iam" + ], + "event.code": "38", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "file.path": "Root\\Database-MySQL-10.0.1.20-root", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 41831, + "log.syslog.priority": "7", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "127.0.0.1" + ], + "related.user": [ + "PasswordManager", + "root" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-15T17:38:27.000Z", + "cyberarkpas.audit.action": "CPM Verify Password Failed", + "cyberarkpas.audit.ca_properties.address": "127.0.0.1", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.database": "test", + "cyberarkpas.audit.ca_properties.device_type": "Database", + "cyberarkpas.audit.ca_properties.dsn": "Driver={MySQL ODBC 5.3 Unicode Driver};server=%ADDRESS%;user=%USER%;option=3;port=%PORT%;Password=%LOGONPASSWORD%", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615829907", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "MySQL", + "cyberarkpas.audit.ca_properties.port": "3306", + "cyberarkpas.audit.ca_properties.reset_immediately": "VerifyTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.user_name": "root", + "cyberarkpas.audit.desc": "CPM Verify Password Failed", + "cyberarkpas.audit.extra_details.address": "127.0.0.1", + "cyberarkpas.audit.extra_details.username": "root", + "cyberarkpas.audit.file": "Root\\Database-MySQL-10.0.1.20-root", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T17:38:27Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Verify Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 10:38:27\n 2021-03-15T17:38:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n\n address=127.0.0.1;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 10:38:27", + "destination.address": "127.0.0.1", + "destination.ip": "127.0.0.1", + "destination.user.name": "root", + "event.action": "cpm verify password failed", + "event.category": [ + "iam" + ], + "event.code": "38", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "file.path": "Root\\Database-MySQL-10.0.1.20-root", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 46092, + "log.syslog.priority": "7", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "127.0.0.1" + ], + "related.user": [ + "PasswordManager", + "root" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-15T18:00:07.000Z", + "cyberarkpas.audit.action": "CPM Verify Password Failed", + "cyberarkpas.audit.ca_properties.address": "Driver={MySQL ODBC 5.3 Unicode Driver};server=127.0.0.1;user=root;option=3;port=3306;Password=1234", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.database": "test", + "cyberarkpas.audit.ca_properties.device_type": "Database", + "cyberarkpas.audit.ca_properties.dsn": "mysql", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615831206", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "MySQL", + "cyberarkpas.audit.ca_properties.port": "3306", + "cyberarkpas.audit.ca_properties.reset_immediately": "VerifyTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.user_name": "root", + "cyberarkpas.audit.desc": "CPM Verify Password Failed", + "cyberarkpas.audit.extra_details.address": "Driver\\={MySQL ODBC 5.3 Unicode Driver}\\;server\\=127.0.0.1\\;user\\=root\\;option\\=3\\;port\\=3306\\;Password\\=1234", + "cyberarkpas.audit.extra_details.username": "root", + "cyberarkpas.audit.file": "Root\\Database-MySQL-10.0.1.20-root", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T18:00:07Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Verify Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 11:00:07\n 2021-03-15T18:00:07Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n\n address=Driver\\={MySQL ODBC 5.3 Unicode Driver}\\;server\\=127.0.0.1\\;user\\=root\\;option\\=3\\;port\\=3306\\;Password\\=1234;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 11:00:07", + "destination.address": "Driver={MySQL ODBC 5.3 Unicode Driver};server=127.0.0.1;user=root;option=3;port=3306;Password=1234", + "destination.domain": "Driver={MySQL ODBC 5.3 Unicode Driver};server=127.0.0.1;user=root;option=3;port=3306;Password=1234", + "destination.user.name": "root", + "event.action": "cpm verify password failed", + "event.category": [ + "iam" + ], + "event.code": "38", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "file.path": "Root\\Database-MySQL-10.0.1.20-root", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 50461, + "log.syslog.priority": "7", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PasswordManager", + "root" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-15T18:05:16.000Z", + "cyberarkpas.audit.action": "CPM Verify Password Failed", + "cyberarkpas.audit.ca_properties.address": "34.66.114.180", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615831516", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.logon_domain": "34.66.114.180", + "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", + "cyberarkpas.audit.ca_properties.reset_immediately": "VerifyTask", + "cyberarkpas.audit.ca_properties.retries_count": "3", + "cyberarkpas.audit.ca_properties.user_name": "ELASTIC.local\\bart", + "cyberarkpas.audit.desc": "CPM Verify Password Failed", + "cyberarkpas.audit.extra_details.address": "34.66.114.180", + "cyberarkpas.audit.extra_details.retriescount": "3", + "cyberarkpas.audit.extra_details.username": "ELASTIC.local\\bart", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T18:05:16Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Verify Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 11:05:16\n 2021-03-15T18:05:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\n\n address=34.66.114.180;retriescount=3;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 11:05:16", + "destination.address": "34.66.114.180", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.66.114.180", + "destination.user.name": "ELASTIC.local\\bart", + "event.action": "cpm verify password failed", + "event.category": [ + "iam" + ], + "event.code": "38", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "file.path": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 55122, + "log.syslog.priority": "7", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "34.66.114.180" + ], + "related.user": [ + "PasswordManager", + "ELASTIC.local\\bart" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-16T09:50:19.000Z", + "cyberarkpas.audit.action": "CPM Verify Password Failed", + "cyberarkpas.audit.ca_properties.address": "34.66.114.180", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615888216", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.logon_domain": "34.66.114.180", + "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", + "cyberarkpas.audit.ca_properties.reset_immediately": "VerifyTask", + "cyberarkpas.audit.ca_properties.retries_count": "4", + "cyberarkpas.audit.ca_properties.user_name": "ELASTIC.local\\bart", + "cyberarkpas.audit.desc": "CPM Verify Password Failed", + "cyberarkpas.audit.extra_details.address": "34.66.114.180", + "cyberarkpas.audit.extra_details.retriescount": "4", + "cyberarkpas.audit.extra_details.username": "ELASTIC.local\\bart", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart", + "cyberarkpas.audit.iso_timestamp": "2021-03-16T09:50:19Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Verify Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 16 02:50:19\n 2021-03-16T09:50:19Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\n\n address=34.66.114.180;retriescount=4;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 16 02:50:19", + "destination.address": "34.66.114.180", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.66.114.180", + "destination.user.name": "ELASTIC.local\\bart", + "event.action": "cpm verify password failed", + "event.category": [ + "iam" + ], + "event.code": "38", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "file.path": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 59407, + "log.syslog.priority": "7", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "34.66.114.180" + ], + "related.user": [ + "PasswordManager", + "ELASTIC.local\\bart" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/411_window_title.log b/x-pack/filebeat/module/cyberarkpas/audit/test/411_window_title.log new file mode 100644 index 00000000000..1bc88cc1bbe --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/411_window_title.log 
@@ -0,0 +1 @@ +{"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 411\n Window Title\n Info\n adm2\n Window Title\n \n \n Windows\n Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\n 10.2.0.5\n \n \n \n \n Command=shutdown.exe, Shutdown Event Tracker;ConnectionComponentId=PSM-RDP;DstHost=dbserver.cyberark.local;ProcessId=4144;ProcessName=shutdown.exe;Protocol=RDP;PSMID=PSMServer_88f6598;RDPOffset=218B;SessionID=a1f46060-1de4-4f56-a8ba-71fdf3140ac1;SrcHost=10.2.0.6;User=Administrator2;VIDOffset=12T;\n Window Title\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"411","Desc":"Window Title","Severity":"Info","Issuer":"adm2","Action":"Window Title","SourceUser":"","TargetUser":"","Safe":"Windows","File":"Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2","Station":"10.2.0.5","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=shutdown.exe, Shutdown Event Tracker;ConnectionComponentId=PSM-RDP;DstHost=dbserver.cyberark.local;ProcessId=4144;ProcessName=shutdown.exe;Protocol=RDP;PSMID=PSMServer_88f6598;RDPOffset=218B;SessionID=a1f46060-1de4-4f56-a8ba-71fdf3140ac1;SrcHost=10.2.0.6;User=Administrator2;VIDOffset=12T;","IsoTimestamp":"2021-03-16T17:11:42Z","Message":"Window Title","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WIN-SERVER-LOCAL"},{"Name":"UserName","Value":"Administrator2"},{"Name":"Address","Value":"dbserver.cyberark.local"},{"Name":"DeviceType","Value":"Operating 
System"},{"Name":"LogonDomain","Value":"DBServer"},{"Name":"SequenceID","Value":"1"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"success"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"LastSuccessReconciliation","Value":"1604944215"},{"Name":"Customer","Value":"EvilCorp"}]}}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/411_window_title.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/411_window_title.log-expected.json new file mode 100644 index 00000000000..365c217d660 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/411_window_title.log-expected.json 
@@ -0,0 +1,84 @@ +[ + { + "@timestamp": "2021-03-16T17:11:42.000Z", + "cyberarkpas.audit.action": "Window Title", + "cyberarkpas.audit.ca_properties.address": "dbserver.cyberark.local", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.customer": "EvilCorp", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_success_reconciliation": "1604944215", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.logon_domain": "DBServer", + "cyberarkpas.audit.ca_properties.policy_id": "WIN-SERVER-LOCAL", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.sequence_id": "1", + "cyberarkpas.audit.ca_properties.user_name": "Administrator2", + "cyberarkpas.audit.desc": "Window Title", + "cyberarkpas.audit.extra_details.command": "shutdown.exe, Shutdown Event Tracker", + "cyberarkpas.audit.extra_details.connection_component_id": "PSM-RDP", + "cyberarkpas.audit.extra_details.dst_host": "dbserver.cyberark.local", + "cyberarkpas.audit.extra_details.process_id": "4144", + "cyberarkpas.audit.extra_details.process_name": "shutdown.exe", + "cyberarkpas.audit.extra_details.protocol": "RDP", + "cyberarkpas.audit.extra_details.psmid": "PSMServer_88f6598", + "cyberarkpas.audit.extra_details.rdp_offset": "218B", + "cyberarkpas.audit.extra_details.session_id": "a1f46060-1de4-4f56-a8ba-71fdf3140ac1", + "cyberarkpas.audit.extra_details.src_host": "10.2.0.6", + "cyberarkpas.audit.extra_details.user": "Administrator2", + "cyberarkpas.audit.extra_details.vid_offset": "12T", + "cyberarkpas.audit.file": "Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2", + "cyberarkpas.audit.iso_timestamp": "2021-03-16T17:11:42Z", + "cyberarkpas.audit.issuer": "adm2", + "cyberarkpas.audit.message": "Window Title", + "cyberarkpas.audit.raw": "\n 
\n no\n Cyber-Ark\n Vault\n 11.6.0000\n 411\n Window Title\n Info\n adm2\n Window Title\n \n \n Windows\n Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\n 10.2.0.5\n \n \n \n \n Command=shutdown.exe, Shutdown Event Tracker;ConnectionComponentId=PSM-RDP;DstHost=dbserver.cyberark.local;ProcessId=4144;ProcessName=shutdown.exe;Protocol=RDP;PSMID=PSMServer_88f6598;RDPOffset=218B;SessionID=a1f46060-1de4-4f56-a8ba-71fdf3140ac1;SrcHost=10.2.0.6;User=Administrator2;VIDOffset=12T;\n Window Title\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n", + "cyberarkpas.audit.rfc5424": false, + "cyberarkpas.audit.safe": "Windows", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.2.0.5", + "destination.address": "dbserver.cyberark.local", + "destination.domain": "dbserver.cyberark.local", + "destination.user.name": "Administrator2", + "event.action": "window title", + "event.category": [ + "process" + ], + "event.code": "411", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "access", + "info" + ], + "file.path": "Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2", + "fileset.name": "audit", + "input.type": "log", + "log.offset": 0, + "network.application": "rdp", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.6.0000", + "process.name": "shutdown.exe", + "process.pid": "4144", + "related.ip": [ + "10.2.0.6", + "10.2.0.5" + ], + "related.user": [ + "adm2", + "Administrator2" + ], + "service.type": "cyberarkpas", + "source.address": "10.2.0.6", + "source.ip": "10.2.0.6", + "source.user.name": "adm2", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "adm2" + } +] \ No newline at end of file 
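Review bot: `"process.pid": "4144"` is pinned here as a string, but ECS defines `process.pid` as a `long`, so this expected output locks in a value the index mapping has to coerce and that range queries and aggregations on pid will not treat like other modules' events. The `ProcessId` value from `ExtraDetails` should be converted to an integer before it is written to `process.pid` (presumably a `convert` processor with `type: long` in the ingest pipeline, which is outside this diff), after which this line becomes `"process.pid": 4144,`. The same type mismatch affects `"log.syslog.priority"`, which appears as the strings `"5"`/`"7"` in the 412, 414 and 427 expected files below and in the hunk above, while ECS declares it as `long` and `event.severity` on the same events is already numeric.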
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/412_keystroke_logging.log b/x-pack/filebeat/module/cyberarkpas/audit/test/412_keystroke_logging.log
new file mode 100644
index 00000000000..e10964e76c2
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/412_keystroke_logging.log
@@ -0,0 +1 @@ +<5>1 2021-03-25T11:29:37Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 07:29:37\n 2021-03-25T11:29:37Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 412\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n MSSQL\n Root\\Database-MSSql-epmsvr01.cybr.com-sa\n 10.0.0.15\n \n \n \n \n Command=SHOW DATABASES\\;;ConnectionComponentId=PSM-SQLServerMgmtStudio;DataBase=master;DstHost=tgtsvr01.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=975edc19-ad10-4b42-8098-f26afab40fac;SrcHost=127.0.0.1;TXTOffset=702B;User=sa;VIDOffset=33T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 07:29:37","IsoTimestamp":"2021-03-25T11:29:37Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"412","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"MSSQL","File":"Root\\Database-MSSql-epmsvr01.cybr.com-sa","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=SHOW DATABASES\\;;ConnectionComponentId=PSM-SQLServerMgmtStudio;DataBase=master;DstHost=tgtsvr01.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=975edc19-ad10-4b42-8098-f26afab40fac;SrcHost=127.0.0.1;TXTOffset=702B;User=sa;VIDOffset=33T;","Message":"Keystroke 
logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MSSql"},{"Name":"UserName","Value":"sa"},{"Name":"Address","Value":"tgtsvr01.cybr.com"},{"Name":"Database","Value":"master"},{"Name":"DeviceType","Value":"Database"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1616580240"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"LastSuccessChange","Value":"1616011980"},{"Name":"Tags","Value":"SQL;DB"},{"Name":"Privcloud","Value":"privcloud"}]}}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/412_keystroke_logging.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/412_keystroke_logging.log-expected.json new file mode 100644 index 00000000000..685a4a0586a --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/412_keystroke_logging.log-expected.json 
@@ -0,0 +1,85 @@ +[ + { + "@timestamp": "2021-03-25T11:29:37.000Z", + "cyberarkpas.audit.action": "Keystroke logging", + "cyberarkpas.audit.ca_properties.address": "tgtsvr01.cybr.com", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.database": "master", + "cyberarkpas.audit.ca_properties.device_type": "Database", + "cyberarkpas.audit.ca_properties.last_success_change": "1616011980", + "cyberarkpas.audit.ca_properties.last_success_verification": "1616580240", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "MSSql", + "cyberarkpas.audit.ca_properties.privcloud": "privcloud", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.tags": "SQL;DB", + "cyberarkpas.audit.ca_properties.user_name": "sa", + "cyberarkpas.audit.desc": "Keystroke logging", + "cyberarkpas.audit.extra_details.command": "SHOW DATABASES\\;", + "cyberarkpas.audit.extra_details.connection_component_id": "PSM-SQLServerMgmtStudio", + "cyberarkpas.audit.extra_details.data_base": "master", + "cyberarkpas.audit.extra_details.dst_host": "tgtsvr01.cybr.com", + "cyberarkpas.audit.extra_details.protocol": "SQLNet", + "cyberarkpas.audit.extra_details.psmid": "PSMServer", + "cyberarkpas.audit.extra_details.session_id": "975edc19-ad10-4b42-8098-f26afab40fac", + "cyberarkpas.audit.extra_details.src_host": "127.0.0.1", + "cyberarkpas.audit.extra_details.txt_offset": "702B", + "cyberarkpas.audit.extra_details.user": "sa", + "cyberarkpas.audit.extra_details.vid_offset": "33T", + "cyberarkpas.audit.file": "Root\\Database-MSSql-epmsvr01.cybr.com-sa", + "cyberarkpas.audit.iso_timestamp": "2021-03-25T11:29:37Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Keystroke logging", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 07:29:37\n 2021-03-25T11:29:37Z\n VLT01\n Cyber-Ark\n Vault\n 
12.0.0000\n 412\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n MSSQL\n Root\\Database-MSSql-epmsvr01.cybr.com-sa\n 10.0.0.15\n \n \n \n \n Command=SHOW DATABASES\\;;ConnectionComponentId=PSM-SQLServerMgmtStudio;DataBase=master;DstHost=tgtsvr01.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=975edc19-ad10-4b42-8098-f26afab40fac;SrcHost=127.0.0.1;TXTOffset=702B;User=sa;VIDOffset=33T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "MSSQL", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.0.15", + "cyberarkpas.audit.timestamp": "Mar 25 07:29:37", + "destination.address": "tgtsvr01.cybr.com", + "destination.domain": "tgtsvr01.cybr.com", + "destination.user.name": "sa", + "event.action": "keystroke logging", + "event.category": [ + "session" + ], + "event.code": "412", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "file.path": "Root\\Database-MSSql-epmsvr01.cybr.com-sa", + "fileset.name": "audit", + "host.name": "VLT01", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "network.application": "sqlnet", + "observer.hostname": "VLT01", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "12.0.0000", + "related.ip": [ + "127.0.0.1", + "10.0.0.15" + ], + "related.user": [ + "Administrator", + "sa" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + } +] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/414_cpm_verify_ssh_key.log b/x-pack/filebeat/module/cyberarkpas/audit/test/414_cpm_verify_ssh_key.log
new file mode 100644
index 00000000000..d1548afa3c1
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/414_cpm_verify_ssh_key.log
@@ -0,0 +1 @@ +<5>1 2021-03-25T10:04:06Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 06:04:06\n 2021-03-25T10:04:06Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 414\n CPM Verify SSH Key\n Info\n PasswordManager\n CPM Verify SSH Key\n \n \n Linux SSH Keys\n Root\\Operating System-UnixSSHKeys-rhel7.cybr.com-firecall1\n 10.0.0.15\n \n \n \n VerificationPeriod\n address=rhel7.cybr.com;username=firecall1;\n CPM Verify SSH Key\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 06:04:06","IsoTimestamp":"2021-03-25T10:04:06Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"414","Desc":"CPM Verify SSH Key","Severity":"Info","Issuer":"PasswordManager","Action":"CPM Verify SSH Key","SourceUser":"","TargetUser":"","Safe":"Linux SSH Keys","File":"Root\\Operating System-UnixSSHKeys-rhel7.cybr.com-firecall1","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"VerificationPeriod","ExtraDetails":"address=rhel7.cybr.com;username=firecall1;","Message":"CPM Verify SSH Key","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"firecall1"},{"Name":"Address","Value":"rhel7.cybr.com"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"SequenceID","Value":"2"},{"Name":"CPMStatus","Value":"success"},{"Name":"ExtraPass3Name","Value":"Operating System-UnixSSH-rhel7.cybr.com-root"},{"Name":"ExtraPass3Folder","Value":"Root"},{"Name":"ExtraPass3Safe","Value":"Linux Root"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1616666646"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"LastSuccessChange","Value":"1582315464"},{"Name":"Tags","Value":"SSH"},{"Name":"Privcloud","Value":"privcloud"}]}}}} 
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/414_cpm_verify_ssh_key.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/414_cpm_verify_ssh_key.log-expected.json
new file mode 100644
index 00000000000..fe2d5aedaf7
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/414_cpm_verify_ssh_key.log-expected.json
@@ -0,0 +1,80 @@ +[ + { + "@timestamp": "2021-03-25T10:04:06.000Z", + "cyberarkpas.audit.action": "CPM Verify SSH Key", + "cyberarkpas.audit.ca_properties.address": "rhel7.cybr.com", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.extra_pass3_folder": "Root", + "cyberarkpas.audit.ca_properties.extra_pass3_name": "Operating System-UnixSSH-rhel7.cybr.com-root", + "cyberarkpas.audit.ca_properties.extra_pass3_safe": "Linux Root", + "cyberarkpas.audit.ca_properties.last_success_change": "1582315464", + "cyberarkpas.audit.ca_properties.last_success_verification": "1616666646", + "cyberarkpas.audit.ca_properties.last_task": "VerifyTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.privcloud": "privcloud", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.sequence_id": "2", + "cyberarkpas.audit.ca_properties.tags": "SSH", + "cyberarkpas.audit.ca_properties.user_name": "firecall1", + "cyberarkpas.audit.desc": "CPM Verify SSH Key", + "cyberarkpas.audit.extra_details.address": "rhel7.cybr.com", + "cyberarkpas.audit.extra_details.username": "firecall1", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-rhel7.cybr.com-firecall1", + "cyberarkpas.audit.iso_timestamp": "2021-03-25T10:04:06Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Verify SSH Key", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 06:04:06\n 2021-03-25T10:04:06Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 414\n CPM Verify SSH Key\n Info\n PasswordManager\n CPM Verify SSH Key\n \n \n Linux SSH Keys\n Root\\Operating System-UnixSSHKeys-rhel7.cybr.com-firecall1\n 10.0.0.15\n \n \n \n VerificationPeriod\n address=rhel7.cybr.com;username=firecall1;\n CPM Verify SSH Key\n \n \n \n \n \n \n \n \n \n 
\n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "VerificationPeriod", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Linux SSH Keys", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.0.15", + "cyberarkpas.audit.timestamp": "Mar 25 06:04:06", + "destination.address": "rhel7.cybr.com", + "destination.domain": "rhel7.cybr.com", + "destination.user.name": "firecall1", + "event.action": "cpm verify ssh key", + "event.category": [ + "iam" + ], + "event.code": "414", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "info" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-rhel7.cybr.com-firecall1", + "fileset.name": "audit", + "host.name": "VLT01", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VLT01", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "12.0.0000", + "related.ip": [ + "10.0.0.15" + ], + "related.user": [ + "PasswordManager", + "firecall1" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.0.15", + "source.ip": "10.0.0.15", + "source.user.name": "PasswordManager", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/427_store_ssh_key.log b/x-pack/filebeat/module/cyberarkpas/audit/test/427_store_ssh_key.log new file mode 100644 index 00000000000..8c7361274f6 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/427_store_ssh_key.log 
@@ -0,0 +1 @@ +<5>1 2021-03-11T16:50:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:50:17\n 2021-03-11T16:50:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 427\n Store SSH Key\n Info\n Administrator\n Store SSH Key\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n \n \n Store SSH Key\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:50:17","IsoTimestamp":"2021-03-11T16:50:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"427","Desc":"Store SSH Key","Severity":"Info","Issuer":"Administrator","Action":"Store SSH Key","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store SSH Key","GatewayStation":"10.0.1.20"}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/427_store_ssh_key.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/427_store_ssh_key.log-expected.json new file mode 100644 index 00000000000..50385a481b0 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/427_store_ssh_key.log-expected.json 
@@ -0,0 +1,49 @@ +[ + { + "@timestamp": "2021-03-11T16:50:17.000Z", + "cyberarkpas.audit.action": "Store SSH Key", + "cyberarkpas.audit.desc": "Store SSH Key", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:50:17Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Store SSH Key", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:50:17\n 2021-03-11T16:50:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 427\n Store SSH Key\n Info\n Administrator\n Store SSH Key\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n \n \n Store SSH Key\n 10.0.1.20\n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 11 08:50:17", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "store ssh key", + "event.code": "427", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file 
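Review bot: The Store SSH Key event (message ID 427) loses its actor in ECS: `cyberarkpas.audit.issuer` is `"Administrator"`, yet unlike the 414 and 428 fixtures, where the issuer is copied to `source.user.name`, `user.name` and `related.user`, none of those fields appear here, and there is no `event.category`, `event.type` or `event.outcome` either. Storing a new SSH key into the vault is exactly the kind of privileged-credential change a detection rule would key on, so the pipeline's per-message-ID mapping (outside this diff) presumably lacks an entry for 427; the expected output should then carry at least `"event.category": ["iam"]`, `"event.type": ["creation"]` and the user fields derived from the issuer. If 427 is deliberately left unmapped, a short note in the module README listing which message IDs are ECS-categorized would save readers of these fixtures from treating the gap as a bug.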
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/428_retrieve_ssh_key.log b/x-pack/filebeat/module/cyberarkpas/audit/test/428_retrieve_ssh_key.log
new file mode 100644
index 00000000000..1420d0a428e
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/428_retrieve_ssh_key.log
@@ -0,0 +1,3 @@ +<5>1 2021-03-11T17:43:44Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:43:44\n 2021-03-11T17:43:44Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 428\n Retrieve SSH Key\n Info\n Administrator\n Retrieve SSH Key\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n (Action: Retrieve SSH key)for fun and profit\n \n \n for fun and profit\n Retrieve SSH key\n \n\n \n Retrieve SSH Key\n 10.0.1.20\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:43:44","IsoTimestamp":"2021-03-11T17:43:44Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"428","Desc":"Retrieve SSH Key","Severity":"Info","Issuer":"Administrator","Action":"Retrieve SSH Key","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"(Action: Retrieve SSH key)for fun and profit","PvwaDetails":{"RetrieveReason":{"General":{"UserReason":"for fun and profit","RetrieveAction":"Retrieve SSH key"}}},"ExtraDetails":"","Message":"Retrieve SSH Key","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T21:08:48Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 13:08:48\n 2021-03-11T21:08:48Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 428\n Retrieve SSH Key\n Info\n Administrator\n Retrieve SSH Key\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n (Action: Connect)testing(Connection to address: 34.123.103.115)\n \n \n testing\n Connect\n \n \n 34.123.103.115\n \n\n \n Retrieve SSH Key\n 10.0.1.20\n \n \n \n \n \n \n \n 
\n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 13:08:48","IsoTimestamp":"2021-03-11T21:08:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"428","Desc":"Retrieve SSH Key","Severity":"Info","Issuer":"Administrator","Action":"Retrieve SSH Key","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"(Action: Connect)testing(Connection to address: 34.123.103.115)","PvwaDetails":{"RetrieveReason":{"General":{"UserReason":"testing","RetrieveAction":"Connect"},"ConnectionDetails":{"ConnectionAddress":"34.123.103.115"}}},"ExtraDetails":"","Message":"Retrieve SSH Key","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T13:18:52Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:18:52\n 2021-03-15T13:18:52Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 428\n Retrieve SSH Key\n Info\n Administrator\n Retrieve SSH Key\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n (Action: Retrieve SSH key)\n \n \n Retrieve SSH key\n \n\n \n Retrieve SSH Key\n 10.0.1.20\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:18:52","IsoTimestamp":"2021-03-15T13:18:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"428","Desc":"Retrieve SSH Key","Severity":"Info","Issuer":"Administrator","Action":"Retrieve SSH Key","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"(Action: 
Retrieve SSH key)","PvwaDetails":{"RetrieveReason":{"General":{"RetrieveAction":"Retrieve SSH key"}}},"ExtraDetails":"","Message":"Retrieve SSH Key","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/428_retrieve_ssh_key.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/428_retrieve_ssh_key.log-expected.json new file mode 100644 index 00000000000..d5b684eb931 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/428_retrieve_ssh_key.log-expected.json 
@@ -0,0 +1,242 @@ +[ + { + "@timestamp": "2021-03-11T17:43:44.000Z", + "cyberarkpas.audit.action": "Retrieve SSH Key", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "Retrieve SSH Key", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:43:44Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Retrieve SSH Key", + "cyberarkpas.audit.pvwa_details.retrieve_reason.general.retrieve_action": "Retrieve SSH key", + "cyberarkpas.audit.pvwa_details.retrieve_reason.general.user_reason": "for fun and profit", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:43:44\n 2021-03-11T17:43:44Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 428\n Retrieve SSH Key\n Info\n Administrator\n Retrieve SSH Key\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n (Action: Retrieve SSH key)for fun and profit\n \n \n for fun and profit\n Retrieve SSH key\n \n\n \n Retrieve SSH Key\n 10.0.1.20\n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "(Action: Retrieve SSH key)for fun and profit", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 11 09:43:44", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + 
"destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "retrieve ssh key", + "event.category": [ + "iam" + ], + "event.code": "428", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.reason": "(Action: Retrieve SSH key)for fun and profit", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "34.123.103.115", + "10.0.1.20" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-11T21:08:48.000Z", + "cyberarkpas.audit.action": "Retrieve SSH Key", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "Retrieve SSH Key", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T21:08:48Z", + "cyberarkpas.audit.issuer": 
"Administrator", + "cyberarkpas.audit.message": "Retrieve SSH Key", + "cyberarkpas.audit.pvwa_details.retrieve_reason.connection_details.connection_address": "34.123.103.115", + "cyberarkpas.audit.pvwa_details.retrieve_reason.general.retrieve_action": "Connect", + "cyberarkpas.audit.pvwa_details.retrieve_reason.general.user_reason": "testing", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 13:08:48\n 2021-03-11T21:08:48Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 428\n Retrieve SSH Key\n Info\n Administrator\n Retrieve SSH Key\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n (Action: Connect)testing(Connection to address: 34.123.103.115)\n \n \n testing\n Connect\n \n \n 34.123.103.115\n \n\n \n Retrieve SSH Key\n 10.0.1.20\n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "(Action: Connect)testing(Connection to address: 34.123.103.115)", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 11 13:08:48", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "retrieve ssh key", + "event.category": [ + "iam" + ], + "event.code": "428", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.reason": "(Action: Connect)testing(Connection to address: 34.123.103.115)", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + 
"access" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2618, + "log.syslog.priority": "5", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "34.123.103.115", + "10.0.1.20" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-15T13:18:52.000Z", + "cyberarkpas.audit.action": "Retrieve SSH Key", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSHKeys", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "Retrieve SSH Key", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T13:18:52Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Retrieve SSH Key", + "cyberarkpas.audit.pvwa_details.retrieve_reason.general.retrieve_action": "Retrieve SSH key", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 06:18:52\n 2021-03-15T13:18:52Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 428\n Retrieve SSH Key\n Info\n Administrator\n Retrieve SSH Key\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n (Action: Retrieve SSH key)\n \n \n Retrieve SSH key\n \n\n \n Retrieve SSH Key\n 10.0.1.20\n \n \n \n \n \n \n \n \n\n", + 
"cyberarkpas.audit.reason": "(Action: Retrieve SSH key)", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 15 06:18:52", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "destination.user.name": "adrian", + "event.action": "retrieve ssh key", + "event.category": [ + "iam" + ], + "event.code": "428", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.reason": "(Action: Retrieve SSH key)", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "admin", + "access" + ], + "file.path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 5399, + "log.syslog.priority": "5", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "34.123.103.115", + "10.0.1.20" + ], + "related.user": [ + "Administrator", + "adrian" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.user.name": "Administrator", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + } +] \ No newline at end of file 
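Review bot: Every one of the three 428 documents stores `cyberarkpas.audit.raw`, the complete XML audit record, alongside the parsed `cyberarkpas.audit.*` fields that already carry the same data, including the operator's free-text reason (`for fun and profit`, `testing`) and the target address, so each credential-retrieval event is indexed roughly twice. Unless the verbatim record is needed for forensic replay, the pipeline should drop it by default or gate it behind a preserve-original style option, and the fileset documentation should state which applies. The processor that copies the record is outside this hunk; note that the 459 fixture shows documents without `raw` when the forwarder omits it, so the field is already optional on the input side.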
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/449_create_discovery_succeeded.log b/x-pack/filebeat/module/cyberarkpas/audit/test/449_create_discovery_succeeded.log
new file mode 100644
index 00000000000..2101b711cb2
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/449_create_discovery_succeeded.log
@@ -0,0 +1 @@
+<5>1 2021-03-14T12:06:35Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:06:35\n 2021-03-14T12:06:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 449\n Create Discovery Succeeded\n Info\n Administrator\n Create Discovery Succeeded\n \n \n \n \n 10.0.1.20\n \n \n \n Status:Success; Discovery:; Reason:;\n \n Create Discovery Succeeded\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:06:35","IsoTimestamp":"2021-03-14T12:06:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"449","Desc":"Create Discovery Succeeded","Severity":"Info","Issuer":"Administrator","Action":"Create Discovery Succeeded","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"Status:Success; Discovery:; Reason:;","ExtraDetails":"","Message":"Create Discovery Succeeded","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/449_create_discovery_succeeded.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/449_create_discovery_succeeded.log-expected.json
new file mode 100644
index 00000000000..17b939fab90
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/449_create_discovery_succeeded.log-expected.json
@@ -0,0 +1,42 @@ +[ + { + "@timestamp": "2021-03-14T12:06:35.000Z", + "cyberarkpas.audit.action": "Create Discovery Succeeded", + "cyberarkpas.audit.desc": "Create Discovery Succeeded", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:06:35Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Create Discovery Succeeded", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:06:35\n 2021-03-14T12:06:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 449\n Create Discovery Succeeded\n Info\n Administrator\n Create Discovery Succeeded\n \n \n \n \n 10.0.1.20\n \n \n \n Status:Success; Discovery:; Reason:;\n \n Create Discovery Succeeded\n \n \n\n", + "cyberarkpas.audit.reason": "Status:Success; Discovery:; Reason:;", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 14 05:06:35", + "event.action": "create discovery succeeded", + "event.code": "449", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/459_general_audit.log b/x-pack/filebeat/module/cyberarkpas/audit/test/459_general_audit.log new file mode 100644 index 00000000000..918e0a5df3a --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/459_general_audit.log 
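Review bot: The 449 document has `Status:Success` in `cyberarkpas.audit.reason` and "Succeeded" in `cyberarkpas.audit.action`, yet unlike the 428 fixture it carries no `event.outcome`, and it has no `event.category` or `event.type` either, so outcome- and category-based rules will not see discovery runs. The `Reason` value is `key:value;`-delimited in the same way as `ExtraDetails`, which the 459 fixture shows parsed into `cyberarkpas.audit.extra_details.*`, so the pipeline could parse it identically and derive `event.outcome: success` from the `Status` key. The processors that would do this are outside this hunk.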
@@ -0,0 +1,3 @@ +<5>1 2021-03-08T10:19:42Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 02:19:42","IsoTimestamp":"2021-03-08T10:19:42Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"459","Desc":"General Audit","Severity":"Info","Issuer":"PasswordManager","Action":"General Audit","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"Dual account rotation","ExtraDetails":"DualAccountStatus=Active;Index=2;","Message":"General Audit","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountB"},{"Name":"Address","Value":"components"},{"Name":"SequenceID","Value":"24"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1614868762"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"2"},{"Name":"DualAccountStatus","Value":"Active"},{"Name":"VirtualUsername","Value":"virtual"}]}}}} +<5>1 2021-03-10T14:38:57Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 06:38:57","IsoTimestamp":"2021-03-10T14:38:57Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"459","Desc":"General Audit","Severity":"Info","Issuer":"PasswordManager","Action":"General Audit","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"Dual account 
rotation","ExtraDetails":"DualAccountStatus=Active;Index=1;","Message":"General Audit","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountA"},{"Name":"Address","Value":"components"},{"Name":"SequenceID","Value":"27"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1615231204"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"1"},{"Name":"DualAccountStatus","Value":"Active"},{"Name":"VirtualUsername","Value":"virtual"}]}}}} +<5>1 2021-03-14T11:48:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 04:48:26\n 2021-03-14T11:48:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 459\n General Audit\n Info\n PasswordManager\n General Audit\n \n \n Test\n Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\n 10.0.1.20\n \n \n \n Dual account rotation\n DualAccountStatus=Active;Index=2;\n General Audit\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 04:48:26","IsoTimestamp":"2021-03-14T11:48:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"459","Desc":"General Audit","Severity":"Info","Issuer":"PasswordManager","Action":"General Audit","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"Dual account rotation","ExtraDetails":"DualAccountStatus=Active;Index=2;","Message":"General 
Audit","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountB"},{"Name":"Address","Value":"components"},{"Name":"SequenceID","Value":"25"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1615419568"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"2"},{"Name":"DualAccountStatus","Value":"Active"},{"Name":"VirtualUsername","Value":"virtual"}]}}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/459_general_audit.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/459_general_audit.log-expected.json new file mode 100644 index 00000000000..d607b784f41 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/459_general_audit.log-expected.json 
@@ -0,0 +1,177 @@ +[ + { + "@timestamp": "2021-03-08T10:19:42.000Z", + "cyberarkpas.audit.action": "General Audit", + "cyberarkpas.audit.ca_properties.address": "components", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.dual_account_status": "Active", + "cyberarkpas.audit.ca_properties.group_name": "WindowsGroup", + "cyberarkpas.audit.ca_properties.index": "2", + "cyberarkpas.audit.ca_properties.last_success_change": "1614868762", + "cyberarkpas.audit.ca_properties.last_task": "ChangeTask", + "cyberarkpas.audit.ca_properties.policy_id": "WinDesktopLocal", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.sequence_id": "24", + "cyberarkpas.audit.ca_properties.user_name": "x_accountB", + "cyberarkpas.audit.ca_properties.virtual_username": "virtual", + "cyberarkpas.audit.desc": "General Audit", + "cyberarkpas.audit.extra_details.dual_account_status": "Active", + "cyberarkpas.audit.extra_details.index": "2", + "cyberarkpas.audit.file": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB", + "cyberarkpas.audit.iso_timestamp": "2021-03-08T10:19:42Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "General Audit", + "cyberarkpas.audit.reason": "Dual account rotation", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 08 02:19:42", + "event.action": "general audit", + "event.code": "459", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB", + 
"fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T14:38:57.000Z", + "cyberarkpas.audit.action": "General Audit", + "cyberarkpas.audit.ca_properties.address": "components", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.dual_account_status": "Active", + "cyberarkpas.audit.ca_properties.group_name": "WindowsGroup", + "cyberarkpas.audit.ca_properties.index": "1", + "cyberarkpas.audit.ca_properties.last_success_change": "1615231204", + "cyberarkpas.audit.ca_properties.last_task": "ChangeTask", + "cyberarkpas.audit.ca_properties.policy_id": "WinDesktopLocal", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.sequence_id": "27", + "cyberarkpas.audit.ca_properties.user_name": "x_accountA", + "cyberarkpas.audit.ca_properties.virtual_username": "virtual", + "cyberarkpas.audit.desc": "General Audit", + "cyberarkpas.audit.extra_details.dual_account_status": "Active", + "cyberarkpas.audit.extra_details.index": "1", + "cyberarkpas.audit.file": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T14:38:57Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "General Audit", + "cyberarkpas.audit.reason": "Dual account rotation", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": 
"Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 10 06:38:57", + "event.action": "general audit", + "event.code": "459", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1325, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-14T11:48:26.000Z", + "cyberarkpas.audit.action": "General Audit", + "cyberarkpas.audit.ca_properties.address": "components", + "cyberarkpas.audit.ca_properties.cpm_status": "success", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.dual_account_status": "Active", + "cyberarkpas.audit.ca_properties.group_name": "WindowsGroup", + "cyberarkpas.audit.ca_properties.index": "2", + "cyberarkpas.audit.ca_properties.last_success_change": "1615419568", + "cyberarkpas.audit.ca_properties.last_task": "ChangeTask", + "cyberarkpas.audit.ca_properties.policy_id": "WinDesktopLocal", + "cyberarkpas.audit.ca_properties.retries_count": "-1", + "cyberarkpas.audit.ca_properties.sequence_id": "25", + "cyberarkpas.audit.ca_properties.user_name": "x_accountB", + "cyberarkpas.audit.ca_properties.virtual_username": "virtual", + "cyberarkpas.audit.desc": "General Audit", + "cyberarkpas.audit.extra_details.dual_account_status": "Active", + "cyberarkpas.audit.extra_details.index": "2", + 
"cyberarkpas.audit.file": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T11:48:26Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "General Audit", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 04:48:26\n 2021-03-14T11:48:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 459\n General Audit\n Info\n PasswordManager\n General Audit\n \n \n Test\n Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\n 10.0.1.20\n \n \n \n Dual account rotation\n DualAccountStatus=Active;Index=2;\n General Audit\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "Dual account rotation", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 14 04:48:26", + "event.action": "general audit", + "event.code": "459", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2650, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file 
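Review bot: `cyberarkpas.audit.ca_properties.last_success_change` is emitted as the epoch-seconds string `"1614868762"`, and because `ca_properties` is mapped as `flattened` every leaf is indexed as a keyword, so the time of the last successful rotation cannot be range-queried or compared against `@timestamp` to find accounts whose credentials have not rotated within policy. If that use case matters, convert the value to a dedicated `date`-typed field (epoch_second format) before the flattened object is built; the numeric leaves `sequence_id`, `retries_count` and `index` have the same limitation. The ingest pipeline and `fields.yml` that define this are outside the hunk.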
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/467_the_component_public_key_for_jwt_authentication_was_updated.log b/x-pack/filebeat/module/cyberarkpas/audit/test/467_the_component_public_key_for_jwt_authentication_was_updated.log
new file mode 100644
index 00000000000..3888e2be150
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/467_the_component_public_key_for_jwt_authentication_was_updated.log
@@ -0,0 +1 @@
+<5>1 2021-03-10T18:14:35Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:14:35","IsoTimestamp":"2021-03-10T18:14:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"467","Desc":"The component public key for JWT authentication was updated","Severity":"Info","Issuer":"PasswordManager","Action":"The component public key for JWT authentication was updated","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"The component public key for JWT authentication was updated","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/467_the_component_public_key_for_jwt_authentication_was_updated.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/467_the_component_public_key_for_jwt_authentication_was_updated.log-expected.json
new file mode 100644
index 00000000000..18f132b64b3
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/467_the_component_public_key_for_jwt_authentication_was_updated.log-expected.json
@@ -0,0 +1,40 @@ +[ + { + "@timestamp": "2021-03-10T18:14:35.000Z", + "cyberarkpas.audit.action": "The component public key for JWT authentication was updated", + "cyberarkpas.audit.desc": "The component public key for JWT authentication was updated", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T18:14:35Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "The component public key for JWT authentication was updated", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 10 10:14:35", + "event.action": "the component public key for jwt authentication was updated", + "event.code": "467", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/479_security_warning_the_signature_hash_algorithm_of_the_vault_certificate_is_sha1.log b/x-pack/filebeat/module/cyberarkpas/audit/test/479_security_warning_the_signature_hash_algorithm_of_the_vault_certificate_is_sha1.log new file mode 100644 index 00000000000..2fe8ec3c4c7 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/479_security_warning_the_signature_hash_algorithm_of_the_vault_certificate_is_sha1.log 
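Review bot: Message 467 records that the public key a component (`Issuer: PasswordManager`) uses for JWT authentication to the Vault was replaced, which is a trust-anchor change, but the document has no `event.category`, `event.type` or `event.outcome`, so it is only findable via `event.code: 467` and any ECS-driven rule on `event.category: configuration` and `event.type: change` will miss it. Consider adding to the 467 entry of the message-ID mapping `event.category: ["configuration"]` and `event.type: ["change"]`, with `event.outcome: success` since the message reports the update as completed. That mapping table is outside this hunk.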
@@ -0,0 +1,2 @@
+<7>1 2021-03-04T19:10:01Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:10:01","IsoTimestamp":"2021-03-04T19:10:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"479","Desc":"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.","Severity":"Error","Issuer":"Builtin","Action":"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.","GatewayStation":""}}}
+Mar 08 07:46:54 VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"479","Desc":"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.","Severity":"Error","Issuer":"Builtin","Action":"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/479_security_warning_the_signature_hash_algorithm_of_the_vault_certificate_is_sha1.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/479_security_warning_the_signature_hash_algorithm_of_the_vault_certificate_is_sha1.log-expected.json
new file mode 100644
index 00000000000..e127969e7f2
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/479_security_warning_the_signature_hash_algorithm_of_the_vault_certificate_is_sha1.log-expected.json
@@ -0,0 +1,77 @@
+[
+ {
+ "@timestamp": "2021-03-04T19:10:01.000Z",
+ "cyberarkpas.audit.action": "Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.",
+ "cyberarkpas.audit.desc": "Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.",
+ "cyberarkpas.audit.iso_timestamp": "2021-03-04T19:10:01Z",
+ "cyberarkpas.audit.issuer": "Builtin",
+ "cyberarkpas.audit.message": "Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.",
+ "cyberarkpas.audit.rfc5424": true,
+ "cyberarkpas.audit.severity": "Error",
+ "cyberarkpas.audit.station": "0.0.0.0",
+ "cyberarkpas.audit.timestamp": "Mar 04 11:10:01",
+ "event.action": "security warning - the signature hash algorithm of the vault certificate is sha1.",
+ "event.code": "479",
+ "event.dataset": "cyberarkpas.audit",
+ "event.kind": "event",
+ "event.module": "cyberarkpas",
+ "event.severity": 7,
+ "event.timezone": "-02:00",
+ "event.type": "error",
+ "fileset.name": "audit",
+ "host.name": "VAULT",
+ "input.type": "log",
+ "log.offset": 0,
+ "log.syslog.priority": "7",
+ "observer.hostname": "VAULT",
+ "observer.product": "Vault",
+ "observer.vendor": "Cyber-Ark",
+ "observer.version": "11.7.0000",
+ "related.ip": [
+ "0.0.0.0"
+ ],
+ "service.type": "cyberarkpas",
+ "source.address": "0.0.0.0",
+ "source.ip": "0.0.0.0",
+ "tags": [
+ "cyberarkpas.audit",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2021-03-08T07:46:54.000-02:00",
+ "cyberarkpas.audit.action": "Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.",
+ "cyberarkpas.audit.desc": "Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.",
+ "cyberarkpas.audit.issuer": "Builtin",
+ "cyberarkpas.audit.message": "Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.",
+ "cyberarkpas.audit.rfc5424": false,
+ "cyberarkpas.audit.severity": "Error",
+ "cyberarkpas.audit.station": "0.0.0.0",
+
"event.action": "security warning - the signature hash algorithm of the vault certificate is sha1.",
+ "event.code": "479",
+ "event.dataset": "cyberarkpas.audit",
+ "event.kind": "event",
+ "event.module": "cyberarkpas",
+ "event.severity": 7,
+ "event.timezone": "-02:00",
+ "event.type": "error",
+ "fileset.name": "audit",
+ "host.name": "VAULT",
+ "input.type": "log",
+ "log.offset": 760,
+ "observer.hostname": "VAULT",
+ "observer.product": "Vault",
+ "observer.vendor": "Cyber-Ark",
+ "observer.version": "11.7.0000",
+ "related.ip": [
+ "0.0.0.0"
+ ],
+ "service.type": "cyberarkpas",
+ "source.address": "0.0.0.0",
+ "source.ip": "0.0.0.0",
+ "tags": [
+ "cyberarkpas.audit",
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/482_update_existing_add_account_bulk_operation_succeeded.log b/x-pack/filebeat/module/cyberarkpas/audit/test/482_update_existing_add_account_bulk_operation_succeeded.log
new file mode 100644
index 00000000000..fb620b8f180
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/482_update_existing_add_account_bulk_operation_succeeded.log
@@ -0,0 +1 @@
+<5>1 2021-03-10T08:31:49Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 00:31:49","IsoTimestamp":"2021-03-10T08:31:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"482","Desc":"Update existing Add Account Bulk Operation succeeded","Severity":"Info","Issuer":"PVWAAppUser","Action":"Update existing Add Account Bulk Operation succeeded","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update existing Add Account Bulk Operation succeeded","GatewayStation":""}}}
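Review bot: `event.type` is emitted as the scalar `"error"` in both records of this fixture, while the `4_user_authentication` fixture further down emits it as an array (`"event.type": ["error"]`); ECS defines `event.type` as an array field, so the pipeline path that handles message 479 appears to set it in a different shape and the two should be aligned before these expected files are frozen. The `Station` value `0.0.0.0` is also copied verbatim into `source.ip`, `source.address` and `related.ip`; for a Vault-internal warning this unspecified address carries no information and will pollute `related.ip` searches, so the pipeline could skip that copy when the station is `0.0.0.0`. The ingest pipeline producing this output is not in this chunk, so both points are inferred from the expected output alone.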
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/482_update_existing_add_account_bulk_operation_succeeded.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/482_update_existing_add_account_bulk_operation_succeeded.log-expected.json
new file mode 100644
index 00000000000..51dc1afc051
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/482_update_existing_add_account_bulk_operation_succeeded.log-expected.json
@@ -0,0 +1,40 @@
+[
+ {
+ "@timestamp": "2021-03-10T08:31:49.000Z",
+ "cyberarkpas.audit.action": "Update existing Add Account Bulk Operation succeeded",
+ "cyberarkpas.audit.desc": "Update existing Add Account Bulk Operation succeeded",
+ "cyberarkpas.audit.iso_timestamp": "2021-03-10T08:31:49Z",
+ "cyberarkpas.audit.issuer": "PVWAAppUser",
+ "cyberarkpas.audit.message": "Update existing Add Account Bulk Operation succeeded",
+ "cyberarkpas.audit.rfc5424": true,
+ "cyberarkpas.audit.severity": "Info",
+ "cyberarkpas.audit.station": "10.0.1.20",
+ "cyberarkpas.audit.timestamp": "Mar 10 00:31:49",
+ "event.action": "update existing add account bulk operation succeeded",
+ "event.code": "482",
+ "event.dataset": "cyberarkpas.audit",
+ "event.kind": "event",
+ "event.module": "cyberarkpas",
+ "event.severity": 2,
+ "event.timezone": "-02:00",
+ "fileset.name": "audit",
+ "host.name": "VAULT",
+ "input.type": "log",
+ "log.offset": 0,
+ "log.syslog.priority": "5",
+ "observer.hostname": "VAULT",
+ "observer.product": "Vault",
+ "observer.vendor": "Cyber-Ark",
+ "observer.version": "11.7.0000",
+ "related.ip": [
+ "10.0.1.20"
+ ],
+ "service.type": "cyberarkpas",
+ "source.address": "10.0.1.20",
+ "source.ip": "10.0.1.20",
+ "tags": [
+ "cyberarkpas.audit",
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/4_user_authentication.log b/x-pack/filebeat/module/cyberarkpas/audit/test/4_user_authentication.log
new file mode 100644
index 00000000000..283cc15f94e
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/4_user_authentication.log
@@ -0,0 +1,2 @@
+<7>1 2021-03-10T18:42:36Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:42:36","IsoTimestamp":"2021-03-10T18:42:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"4","Desc":"User Authentication","Severity":"Error","Issuer":"Administrator","Action":"User Authentication","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"User Authentication","GatewayStation":""}}}
+<7>1 2021-03-11T18:03:43Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 10:03:43\n 2021-03-11T18:03:43Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 4\n User Authentication\n Error\n Administrator\n User Authentication\n \n \n \n \n 127.0.0.1\n \n \n \n \n \n User Authentication\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 10:03:43","IsoTimestamp":"2021-03-11T18:03:43Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"4","Desc":"User Authentication","Severity":"Error","Issuer":"Administrator","Action":"User Authentication","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"User Authentication","GatewayStation":"10.0.1.20"}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/4_user_authentication.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/4_user_authentication.log-expected.json
new file mode 100644
index 00000000000..5f52c8abe27
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/4_user_authentication.log-expected.json
@@ -0,0 +1,114 @@
+[
+ {
+ "@timestamp": "2021-03-10T18:42:36.000Z",
+ "cyberarkpas.audit.action": "User Authentication",
+ "cyberarkpas.audit.desc": "User Authentication",
+ "cyberarkpas.audit.iso_timestamp": "2021-03-10T18:42:36Z",
+ "cyberarkpas.audit.issuer": "Administrator",
+ "cyberarkpas.audit.message": "User Authentication",
+ "cyberarkpas.audit.rfc5424": true,
+ "cyberarkpas.audit.severity": "Error",
+ "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.timestamp": "Mar 10 10:42:36",
+ "event.action": "authentication_failure",
+ "event.category": [
+ "authentication"
+ ],
+ "event.code": "4",
+ "event.dataset": "cyberarkpas.audit",
+ "event.kind": "event",
+ "event.module": "cyberarkpas",
+ "event.outcome": "failure",
+ "event.severity": 7,
+ "event.timezone": "-02:00",
+ "event.type": [
+ "error"
+ ],
+ "fileset.name": "audit",
+ "host.name": "VAULT",
+ "input.type": "log",
+ "log.offset": 0,
+ "log.syslog.priority": "7",
+ "observer.hostname": "VAULT",
+ "observer.product": "Vault",
+ "observer.vendor": "Cyber-Ark",
+ "observer.version": "11.7.0000",
+ "related.ip": [
+ "81.32.170.205"
+ ],
+ "related.user": [
+ "Administrator"
+ ],
+ "service.type": "cyberarkpas",
+ "source.address": "81.32.170.205",
+ "source.geo.city_name": "Barcelona",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "ES",
+ "source.geo.country_name": "Spain",
+ "source.geo.location.lat": 41.387,
+ "source.geo.location.lon": 2.1701,
+ "source.geo.region_iso_code": "ES-B",
+ "source.geo.region_name": "Barcelona",
+ "source.ip": "81.32.170.205",
+ "tags": [
+ "cyberarkpas.audit",
+ "forwarded"
+ ],
+ "user.name": "Administrator"
+ },
+ {
+ "@timestamp": "2021-03-11T18:03:43.000Z",
+ "cyberarkpas.audit.action": "User Authentication",
+ "cyberarkpas.audit.desc": "User Authentication",
+ "cyberarkpas.audit.gateway_station": "10.0.1.20",
+ "cyberarkpas.audit.iso_timestamp": "2021-03-11T18:03:43Z",
+ "cyberarkpas.audit.issuer": "Administrator",
+
"cyberarkpas.audit.message": "User Authentication",
+ "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 10:03:43\n 2021-03-11T18:03:43Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 4\n User Authentication\n Error\n Administrator\n User Authentication\n \n \n \n \n 127.0.0.1\n \n \n \n \n \n User Authentication\n 10.0.1.20\n \n\n",
+ "cyberarkpas.audit.rfc5424": true,
+ "cyberarkpas.audit.severity": "Error",
+ "cyberarkpas.audit.station": "127.0.0.1",
+ "cyberarkpas.audit.timestamp": "Mar 11 10:03:43",
+ "destination.address": "10.0.1.20",
+ "destination.ip": "10.0.1.20",
+ "event.action": "authentication_failure",
+ "event.category": [
+ "authentication"
+ ],
+ "event.code": "4",
+ "event.dataset": "cyberarkpas.audit",
+ "event.kind": "event",
+ "event.module": "cyberarkpas",
+ "event.outcome": "failure",
+ "event.severity": 7,
+ "event.timezone": "-02:00",
+ "event.type": [
+ "error"
+ ],
+ "fileset.name": "audit",
+ "host.name": "VAULT",
+ "input.type": "log",
+ "log.offset": 584,
+ "log.syslog.priority": "7",
+ "network.direction": "internal",
+ "observer.hostname": "VAULT",
+ "observer.product": "Vault",
+ "observer.vendor": "Cyber-Ark",
+ "observer.version": "11.7.0000",
+ "related.ip": [
+ "127.0.0.1",
+ "10.0.1.20"
+ ],
+ "related.user": [
+ "Administrator"
+ ],
+ "service.type": "cyberarkpas",
+ "source.address": "127.0.0.1",
+ "source.ip": "127.0.0.1",
+ "tags": [
+ "cyberarkpas.audit",
+ "forwarded"
+ ],
+ "user.name": "Administrator"
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/50_store_file.log b/x-pack/filebeat/module/cyberarkpas/audit/test/50_store_file.log
new file mode 100644
index 00000000000..f3d9bd31a39
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/50_store_file.log
@@ -0,0 +1,6 @@
+<5>1 2021-03-08T18:24:50Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:24:50","IsoTimestamp":"2021-03-08T18:24:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"PVWAAppUser","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PVWAPrivateUserPrefs","File":"Root\\YWRtaW5pc3RyYXRvcg==","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:21Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:21","IsoTimestamp":"2021-03-10T09:11:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"Administrator","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PSMPConf","File":"Root\\syntaxparser-conf.json.1.1","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":""}}}
+<5>1 2021-03-10T18:36:22Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:36:22","IsoTimestamp":"2021-03-10T18:36:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"Administrator","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"Root\\PVConfiguration.xml","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":""}}}
+<5>1 2021-03-10T22:17:56Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10
14:17:56","IsoTimestamp":"2021-03-10T22:17:56Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"Administrator","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"ROOT\\PVConfiguration.xml","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":""}}}
+<5>1 2021-03-11T17:38:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:27\n 2021-03-11T17:38:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 50\n Store File\n Info\n PSMPApp_VAGRANT\n Store File\n \n \n PSMRecordings\n root\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt\n 81.32.170.205\n \n \n \n \n \n Store File\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:27","IsoTimestamp":"2021-03-11T17:38:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PSMRecordings","File":"root\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":""}}}
+<5>1 2021-03-11T19:45:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 11:45:26\n 2021-03-11T19:45:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 50\n Store File\n Info\n Administrator\n Store File\n \n \n PVWAConfig\n Root\\PVConfiguration.xml\n 127.0.0.1\n \n \n \n \n \n Store File\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 11:45:26","IsoTimestamp":"2021-03-11T19:45:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"Administrator","Action":"Store
File","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"Root\\PVConfiguration.xml","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":"10.0.1.20"}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/50_store_file.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/50_store_file.log-expected.json
new file mode 100644
index 00000000000..1e67b7fbef2
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/50_store_file.log-expected.json
@@ -0,0 +1,279 @@
+[
+ {
+ "@timestamp": "2021-03-08T18:24:50.000Z",
+ "cyberarkpas.audit.action": "Store File",
+ "cyberarkpas.audit.desc": "Store File",
+ "cyberarkpas.audit.file": "Root\\YWRtaW5pc3RyYXRvcg==",
+ "cyberarkpas.audit.iso_timestamp": "2021-03-08T18:24:50Z",
+ "cyberarkpas.audit.issuer": "PVWAAppUser",
+ "cyberarkpas.audit.message": "Store File",
+ "cyberarkpas.audit.rfc5424": true,
+ "cyberarkpas.audit.safe": "PVWAPrivateUserPrefs",
+ "cyberarkpas.audit.severity": "Info",
+ "cyberarkpas.audit.station": "10.0.1.20",
+ "cyberarkpas.audit.timestamp": "Mar 08 10:24:50",
+ "event.action": "store file",
+ "event.code": "50",
+ "event.dataset": "cyberarkpas.audit",
+ "event.kind": "event",
+ "event.module": "cyberarkpas",
+ "event.severity": 2,
+ "event.timezone": "-02:00",
+ "file.path": "Root\\YWRtaW5pc3RyYXRvcg==",
+ "fileset.name": "audit",
+ "host.name": "VAULT",
+ "input.type": "log",
+ "log.offset": 0,
+ "log.syslog.priority": "5",
+ "observer.hostname": "VAULT",
+ "observer.product": "Vault",
+ "observer.vendor": "Cyber-Ark",
+ "observer.version": "11.7.0000",
+ "related.ip": [
+ "10.0.1.20"
+ ],
+ "service.type": "cyberarkpas",
+ "source.address": "10.0.1.20",
+ "source.ip": "10.0.1.20",
+ "tags": [
+ "cyberarkpas.audit",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2021-03-10T09:11:21.000Z",
+ "cyberarkpas.audit.action": "Store File",
+ "cyberarkpas.audit.desc": "Store File",
+ "cyberarkpas.audit.file": "Root\\syntaxparser-conf.json.1.1",
+ "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:21Z",
+ "cyberarkpas.audit.issuer": "Administrator",
+ "cyberarkpas.audit.message": "Store File",
+ "cyberarkpas.audit.rfc5424": true,
+ "cyberarkpas.audit.safe": "PSMPConf",
+ "cyberarkpas.audit.severity": "Info",
+ "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.timestamp": "Mar 10 01:11:21",
+ "event.action": "store file",
+ "event.code": "50",
+ "event.dataset": "cyberarkpas.audit",
+ "event.kind": "event",
+ "event.module":
"cyberarkpas",
+ "event.severity": 2,
+ "event.timezone": "-02:00",
+ "file.path": "Root\\syntaxparser-conf.json.1.1",
+ "fileset.name": "audit",
+ "host.name": "VAULT",
+ "input.type": "log",
+ "log.offset": 597,
+ "log.syslog.priority": "5",
+ "observer.hostname": "VAULT",
+ "observer.product": "Vault",
+ "observer.vendor": "Cyber-Ark",
+ "observer.version": "11.7.0000",
+ "related.ip": [
+ "81.32.170.205"
+ ],
+ "service.type": "cyberarkpas",
+ "source.address": "81.32.170.205",
+ "source.geo.city_name": "Barcelona",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "ES",
+ "source.geo.country_name": "Spain",
+ "source.geo.location.lat": 41.387,
+ "source.geo.location.lon": 2.1701,
+ "source.geo.region_iso_code": "ES-B",
+ "source.geo.region_name": "Barcelona",
+ "source.ip": "81.32.170.205",
+ "tags": [
+ "cyberarkpas.audit",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2021-03-10T18:36:22.000Z",
+ "cyberarkpas.audit.action": "Store File",
+ "cyberarkpas.audit.desc": "Store File",
+ "cyberarkpas.audit.file": "Root\\PVConfiguration.xml",
+ "cyberarkpas.audit.iso_timestamp": "2021-03-10T18:36:22Z",
+ "cyberarkpas.audit.issuer": "Administrator",
+ "cyberarkpas.audit.message": "Store File",
+ "cyberarkpas.audit.rfc5424": true,
+ "cyberarkpas.audit.safe": "PVWAConfig",
+ "cyberarkpas.audit.severity": "Info",
+ "cyberarkpas.audit.station": "127.0.0.1",
+ "cyberarkpas.audit.timestamp": "Mar 10 10:36:22",
+ "event.action": "store file",
+ "event.code": "50",
+ "event.dataset": "cyberarkpas.audit",
+ "event.kind": "event",
+ "event.module": "cyberarkpas",
+ "event.severity": 2,
+ "event.timezone": "-02:00",
+ "file.path": "Root\\PVConfiguration.xml",
+ "fileset.name": "audit",
+ "host.name": "VAULT",
+ "input.type": "log",
+ "log.offset": 1194,
+ "log.syslog.priority": "5",
+ "observer.hostname": "VAULT",
+ "observer.product": "Vault",
+ "observer.vendor": "Cyber-Ark",
+ "observer.version": "11.7.0000",
+ "related.ip": [
+ "127.0.0.1"
+ ],
+
"service.type": "cyberarkpas",
+ "source.address": "127.0.0.1",
+ "source.ip": "127.0.0.1",
+ "tags": [
+ "cyberarkpas.audit",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2021-03-10T22:17:56.000Z",
+ "cyberarkpas.audit.action": "Store File",
+ "cyberarkpas.audit.desc": "Store File",
+ "cyberarkpas.audit.file": "ROOT\\PVConfiguration.xml",
+ "cyberarkpas.audit.iso_timestamp": "2021-03-10T22:17:56Z",
+ "cyberarkpas.audit.issuer": "Administrator",
+ "cyberarkpas.audit.message": "Store File",
+ "cyberarkpas.audit.rfc5424": true,
+ "cyberarkpas.audit.safe": "PVWAConfig",
+ "cyberarkpas.audit.severity": "Info",
+ "cyberarkpas.audit.station": "35.192.121.42",
+ "cyberarkpas.audit.timestamp": "Mar 10 14:17:56",
+ "event.action": "store file",
+ "event.code": "50",
+ "event.dataset": "cyberarkpas.audit",
+ "event.kind": "event",
+ "event.module": "cyberarkpas",
+ "event.severity": 2,
+ "event.timezone": "-02:00",
+ "file.path": "ROOT\\PVConfiguration.xml",
+ "fileset.name": "audit",
+ "host.name": "VAULT",
+ "input.type": "log",
+ "log.offset": 1782,
+ "log.syslog.priority": "5",
+ "observer.hostname": "VAULT",
+ "observer.product": "Vault",
+ "observer.vendor": "Cyber-Ark",
+ "observer.version": "11.7.0000",
+ "related.ip": [
+ "35.192.121.42"
+ ],
+ "service.type": "cyberarkpas",
+ "source.address": "35.192.121.42",
+ "source.geo.city_name": "Council Bluffs",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 41.2591,
+ "source.geo.location.lon": -95.8517,
+ "source.geo.region_iso_code": "US-IA",
+ "source.geo.region_name": "Iowa",
+ "source.ip": "35.192.121.42",
+ "tags": [
+ "cyberarkpas.audit",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2021-03-11T17:38:27.000Z",
+ "cyberarkpas.audit.action": "Store File",
+ "cyberarkpas.audit.desc": "Store File",
+ "cyberarkpas.audit.file": "root\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt",
+
"cyberarkpas.audit.iso_timestamp": "2021-03-11T17:38:27Z",
+ "cyberarkpas.audit.issuer": "PSMPApp_VAGRANT",
+ "cyberarkpas.audit.message": "Store File",
+ "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:27\n 2021-03-11T17:38:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 50\n Store File\n Info\n PSMPApp_VAGRANT\n Store File\n \n \n PSMRecordings\n root\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt\n 81.32.170.205\n \n \n \n \n \n Store File\n \n \n\n",
+ "cyberarkpas.audit.rfc5424": true,
+ "cyberarkpas.audit.safe": "PSMRecordings",
+ "cyberarkpas.audit.severity": "Info",
+ "cyberarkpas.audit.station": "81.32.170.205",
+ "cyberarkpas.audit.timestamp": "Mar 11 09:38:27",
+ "event.action": "store file",
+ "event.code": "50",
+ "event.dataset": "cyberarkpas.audit",
+ "event.kind": "event",
+ "event.module": "cyberarkpas",
+ "event.severity": 2,
+ "event.timezone": "-02:00",
+ "file.path": "root\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt",
+ "fileset.name": "audit",
+ "host.name": "VAULT",
+ "input.type": "log",
+ "log.offset": 2374,
+ "log.syslog.priority": "5",
+ "observer.hostname": "VAULT",
+ "observer.product": "Vault",
+ "observer.vendor": "Cyber-Ark",
+ "observer.version": "11.7.0000",
+ "related.ip": [
+ "81.32.170.205"
+ ],
+ "service.type": "cyberarkpas",
+ "source.address": "81.32.170.205",
+ "source.geo.city_name": "Barcelona",
+ "source.geo.continent_name": "Europe",
+ "source.geo.country_iso_code": "ES",
+ "source.geo.country_name": "Spain",
+ "source.geo.location.lat": 41.387,
+ "source.geo.location.lon": 2.1701,
+ "source.geo.region_iso_code": "ES-B",
+ "source.geo.region_name": "Barcelona",
+ "source.ip": "81.32.170.205",
+ "tags": [
+ "cyberarkpas.audit",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2021-03-11T19:45:26.000Z",
+ "cyberarkpas.audit.action": "Store File",
+ "cyberarkpas.audit.desc": "Store File",
+ "cyberarkpas.audit.file": "Root\\PVConfiguration.xml",
+ "cyberarkpas.audit.gateway_station": "10.0.1.20",
+
"cyberarkpas.audit.iso_timestamp": "2021-03-11T19:45:26Z",
+ "cyberarkpas.audit.issuer": "Administrator",
+ "cyberarkpas.audit.message": "Store File",
+ "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 11:45:26\n 2021-03-11T19:45:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 50\n Store File\n Info\n Administrator\n Store File\n \n \n PVWAConfig\n Root\\PVConfiguration.xml\n 127.0.0.1\n \n \n \n \n \n Store File\n 10.0.1.20\n \n\n",
+ "cyberarkpas.audit.rfc5424": true,
+ "cyberarkpas.audit.safe": "PVWAConfig",
+ "cyberarkpas.audit.severity": "Info",
+ "cyberarkpas.audit.station": "127.0.0.1",
+ "cyberarkpas.audit.timestamp": "Mar 11 11:45:26",
+ "destination.address": "10.0.1.20",
+ "destination.ip": "10.0.1.20",
+ "event.action": "store file",
+ "event.code": "50",
+ "event.dataset": "cyberarkpas.audit",
+ "event.kind": "event",
+ "event.module": "cyberarkpas",
+ "event.severity": 2,
+ "event.timezone": "-02:00",
+ "file.path": "Root\\PVConfiguration.xml",
+ "fileset.name": "audit",
+ "host.name": "VAULT",
+ "input.type": "log",
+ "log.offset": 3898,
+ "log.syslog.priority": "5",
+ "network.direction": "internal",
+ "observer.hostname": "VAULT",
+ "observer.product": "Vault",
+ "observer.vendor": "Cyber-Ark",
+ "observer.version": "11.7.0000",
+ "related.ip": [
+ "127.0.0.1",
+ "10.0.1.20"
+ ],
+ "service.type": "cyberarkpas",
+ "source.address": "127.0.0.1",
+ "source.ip": "127.0.0.1",
+ "tags": [
+ "cyberarkpas.audit",
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/51_retrieve_file.log b/x-pack/filebeat/module/cyberarkpas/audit/test/51_retrieve_file.log
new file mode 100644
index 00000000000..8cd3214a84f
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/51_retrieve_file.log
@@ -0,0 +1,2 @@
+<5>1 2021-03-04T19:10:05Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:10:05","IsoTimestamp":"2021-03-04T19:10:05Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"51","Desc":"Retrieve File","Severity":"Info","Issuer":"PasswordManager","Action":"Retrieve File","SourceUser":"","TargetUser":"","Safe":"PasswordManagerShared","File":"Root\\Policies\\Policy-GenericWebApp.ini","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Retrieve File","GatewayStation":""}}}
+<5>1 2021-03-04T19:11:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:11:23","IsoTimestamp":"2021-03-04T19:11:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"51","Desc":"Retrieve File","Severity":"Info","Issuer":"Prov_COMPONENTS","Action":"Retrieve File","SourceUser":"","TargetUser":"","Safe":"AppProviderConf","File":"Root\\main_appprovider.conf.Win64.11.04","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Retrieve File","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/51_retrieve_file.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/51_retrieve_file.log-expected.json
new file mode 100644
index 00000000000..d6498eae71e
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/51_retrieve_file.log-expected.json
@@ -0,0 +1,84 @@
+[
+ {
+ "@timestamp": "2021-03-04T19:10:05.000Z",
+ "cyberarkpas.audit.action": "Retrieve File",
+ "cyberarkpas.audit.desc": "Retrieve File",
+ "cyberarkpas.audit.file": "Root\\Policies\\Policy-GenericWebApp.ini",
+ "cyberarkpas.audit.iso_timestamp": "2021-03-04T19:10:05Z",
+ "cyberarkpas.audit.issuer": "PasswordManager",
+ "cyberarkpas.audit.message": "Retrieve File",
+ "cyberarkpas.audit.rfc5424": true,
+ "cyberarkpas.audit.safe": "PasswordManagerShared",
+ "cyberarkpas.audit.severity": "Info",
+ "cyberarkpas.audit.station": "10.0.1.20",
+ "cyberarkpas.audit.timestamp": "Mar 04 11:10:05",
+ "event.action": "retrieve file",
+ "event.code": "51",
+ "event.dataset": "cyberarkpas.audit",
+ "event.kind": "event",
+ "event.module": "cyberarkpas",
+ "event.severity": 2,
+ "event.timezone": "-02:00",
+ "file.path": "Root\\Policies\\Policy-GenericWebApp.ini",
+ "fileset.name": "audit",
+ "host.name": "VAULT",
+ "input.type": "log",
+ "log.offset": 0,
+ "log.syslog.priority": "5",
+ "observer.hostname": "VAULT",
+ "observer.product": "Vault",
+ "observer.vendor": "Cyber-Ark",
+ "observer.version": "11.7.0000",
+ "related.ip": [
+ "10.0.1.20"
+ ],
+ "service.type": "cyberarkpas",
+ "source.address": "10.0.1.20",
+ "source.ip": "10.0.1.20",
+ "tags": [
+ "cyberarkpas.audit",
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2021-03-04T19:11:23.000Z",
+ "cyberarkpas.audit.action": "Retrieve File",
+ "cyberarkpas.audit.desc": "Retrieve File",
+ "cyberarkpas.audit.file": "Root\\main_appprovider.conf.Win64.11.04",
+ "cyberarkpas.audit.iso_timestamp": "2021-03-04T19:11:23Z",
+ "cyberarkpas.audit.issuer": "Prov_COMPONENTS",
+ "cyberarkpas.audit.message": "Retrieve File",
+ "cyberarkpas.audit.rfc5424": true,
+ "cyberarkpas.audit.safe": "AppProviderConf",
+ "cyberarkpas.audit.severity": "Info",
+ "cyberarkpas.audit.station": "10.0.1.20",
+ "cyberarkpas.audit.timestamp": "Mar 04 11:11:23",
+ "event.action": "retrieve file",
+ "event.code": "51",
+ "event.dataset":
"cyberarkpas.audit",
+ "event.kind": "event",
+ "event.module": "cyberarkpas",
+ "event.severity": 2,
+ "event.timezone": "-02:00",
+ "file.path": "Root\\main_appprovider.conf.Win64.11.04",
+ "fileset.name": "audit",
+ "host.name": "VAULT",
+ "input.type": "log",
+ "log.offset": 625,
+ "log.syslog.priority": "5",
+ "observer.hostname": "VAULT",
+ "observer.product": "Vault",
+ "observer.vendor": "Cyber-Ark",
+ "observer.version": "11.7.0000",
+ "related.ip": [
+ "10.0.1.20"
+ ],
+ "service.type": "cyberarkpas",
+ "source.address": "10.0.1.20",
+ "source.ip": "10.0.1.20",
+ "tags": [
+ "cyberarkpas.audit",
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/52_delete_file.log b/x-pack/filebeat/module/cyberarkpas/audit/test/52_delete_file.log
new file mode 100644
index 00000000000..d9d8af79da4
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/52_delete_file.log
@@ -0,0 +1,10 @@
+<5>1 2021-03-08T18:32:43Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:32:43","IsoTimestamp":"2021-03-08T18:32:43Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WinDesktopLocal-Address-adriansr","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"adriansr"},{"Name":"Address","Value":"components"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
+<5>1 2021-03-08T18:38:21Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:38:21","IsoTimestamp":"2021-03-08T18:38:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"VaultInternal","File":"Root\\Operating System-WinServerLocal-components-adriansr","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinServerLocal"},{"Name":"UserName","Value":"adriansr"},{"Name":"Address","Value":"components"},{"Name":"LogonDomain","Value":"COMPONENTS"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
+<5>1 2021-03-08T19:20:04Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 
11:20:04","IsoTimestamp":"2021-03-08T19:20:04Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"PasswordManager","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PasswordManager_workspace","File":"Root\\Test_4","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":""}}}
+<5>1 2021-03-11T18:59:57Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 10:59:57\n 2021-03-11T18:59:57Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n PSMApp_ASR-WIN\n Delete File\n \n \n PSMSessions\n Root\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd\n 35.192.121.42\n \n \n \n \n \n Delete File\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 10:59:57","IsoTimestamp":"2021-03-11T18:59:57Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PSMSessions","File":"Root\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":""}}}
+<5>1 2021-03-11T19:32:12Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 11:32:12\n 2021-03-11T19:32:12Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSMPLiveSessions\n Root\\PSMPApp_VAGRANT.LiveSessions\n 127.0.0.1\n \n \n \n \n \n Delete File\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 11:32:12","IsoTimestamp":"2021-03-11T19:32:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete 
File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_VAGRANT.LiveSessions","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"_PSMLiveSessions_1","Value":""},{"Name":"_PSMLiveSessions_2","Value":""},{"Name":"_PSMLiveSessions_3","Value":""},{"Name":"_PSMLiveSessions_4","Value":""},{"Name":"_PSMLiveSessions_5","Value":""}]}}}}
+<5>1 2021-03-11T21:06:40Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 13:06:40\n 2021-03-11T21:06:40Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSM\n Root\\Operating System-WinDomain-35.192.121.42-PSMConnect\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 13:06:40","IsoTimestamp":"2021-03-11T21:06:40Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-WinDomain-35.192.121.42-PSMConnect","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"PSMConnect"},{"Name":"Address","Value":"35.192.121.42"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
+<5>1 2021-03-11T21:06:50Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 13:06:50\n 2021-03-11T21:06:50Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSM\n 
Root\\PSM-ASR-CYBERARK-WI\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 13:06:50","IsoTimestamp":"2021-03-11T21:06:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSM-ASR-CYBERARK-WI","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"UserName","Value":"PSMConnect"},{"Name":"Address","Value":"10.128.0.65"},{"Name":"LogonDomain","Value":"ASR-CYBERARK-WI"}]}}}}
+<5>1 2021-03-14T12:10:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:10:17\n 2021-03-14T12:10:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSM\n Root\\PSMAdmin\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:10:17","IsoTimestamp":"2021-03-14T12:10:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSMAdmin","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"UserName","Value":"PSMAdminConnect"},{"Name":"Address","Value":"169.254.180.25"},{"Name":"LogonDomain","Value":"VAGRANT-2012-R2"}]}}}}
+<5>1 2021-03-15T15:09:00Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 08:09:00\n 2021-03-15T15:09:00Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n 
Info\n Administrator\n Delete File\n \n \n partner\n Root\\Database-Oracle-10.128.0.7-adrian\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 08:09:00","IsoTimestamp":"2021-03-15T15:09:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-Oracle-10.128.0.7-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"Oracle"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"10.128.0.7"},{"Name":"Port","Value":"3306"},{"Name":"Database","Value":"test"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}}
+<5>1 2021-03-15T15:13:59Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 08:13:59\n 2021-03-15T15:13:59Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n partner\n Root\\Database-MySQL-10.128.0.7-adrian\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 08:13:59","IsoTimestamp":"2021-03-15T15:13:59Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.128.0.7-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete 
File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"10.128.0.7"},{"Name":"Port","Value":"3306"},{"Name":"Database","Value":"test"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/52_delete_file.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/52_delete_file.log-expected.json
new file mode 100644
index 00000000000..0b07338915f
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/52_delete_file.log-expected.json 
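Review bot: The delete-file samples carry a routable public address, 35.192.121.42, both as `Station` and embedded in a `File` name, and the matching expected output enriches it with GeoIP city, region and coordinates, so the fixture now depends on the contents of whatever GeoIP database the test Elasticsearch ships with and will drift if that database changes. Replacing it with an address from the RFC 5737 documentation ranges (for example `192.0.2.10`) keeps the same parsing coverage while removing the geo enrichment from the expected output and avoids pointing test data at a real host. The same consideration applies to the host name `rhel7.cybr.com` in 57_cpm_change_password_failed.log, where a reserved name such as `rhel7.example.com` would serve equally well.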
@@ -0,0 +1,503 @@ +[ + { + "@timestamp": "2021-03-08T18:32:43.000Z", + "cyberarkpas.audit.action": "Delete File", + "cyberarkpas.audit.ca_properties.address": "components", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "WinDesktopLocal", + "cyberarkpas.audit.ca_properties.user_name": "adriansr", + "cyberarkpas.audit.desc": "Delete File", + "cyberarkpas.audit.file": "Root\\Operating System-WinDesktopLocal-Address-adriansr", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-08T18:32:43Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Delete File", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Test", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 08 10:32:43", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "delete file", + "event.code": "52", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Operating System-WinDesktopLocal-Address-adriansr", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-08T18:38:21.000Z", + "cyberarkpas.audit.action": "Delete File", + "cyberarkpas.audit.ca_properties.address": "components", + 
"cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.logon_domain": "COMPONENTS", + "cyberarkpas.audit.ca_properties.policy_id": "WinServerLocal", + "cyberarkpas.audit.ca_properties.user_name": "adriansr", + "cyberarkpas.audit.desc": "Delete File", + "cyberarkpas.audit.file": "Root\\Operating System-WinServerLocal-components-adriansr", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-08T18:38:21Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Delete File", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "VaultInternal", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 08 10:38:21", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "delete file", + "event.code": "52", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Operating System-WinServerLocal-components-adriansr", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 871, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-08T19:20:04.000Z", + "cyberarkpas.audit.action": "Delete File", + "cyberarkpas.audit.desc": "Delete File", + "cyberarkpas.audit.file": "Root\\Test_4", + "cyberarkpas.audit.iso_timestamp": "2021-03-08T19:20:04Z", + "cyberarkpas.audit.issuer": 
"PasswordManager", + "cyberarkpas.audit.message": "Delete File", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PasswordManager_workspace", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 08 11:20:04", + "event.action": "delete file", + "event.code": "52", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Test_4", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1796, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-11T18:59:57.000Z", + "cyberarkpas.audit.action": "Delete File", + "cyberarkpas.audit.desc": "Delete File", + "cyberarkpas.audit.file": "Root\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T18:59:57Z", + "cyberarkpas.audit.issuer": "PSMApp_ASR-WIN", + "cyberarkpas.audit.message": "Delete File", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 10:59:57\n 2021-03-11T18:59:57Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n PSMApp_ASR-WIN\n Delete File\n \n \n PSMSessions\n Root\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd\n 35.192.121.42\n \n \n \n \n \n Delete File\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMSessions", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.timestamp": "Mar 11 10:59:57", + "event.action": "delete file", + "event.code": "52", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + 
"event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2391, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "35.192.121.42" + ], + "service.type": "cyberarkpas", + "source.address": "35.192.121.42", + "source.geo.city_name": "Council Bluffs", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 41.2591, + "source.geo.location.lon": -95.8517, + "source.geo.region_iso_code": "US-IA", + "source.geo.region_name": "Iowa", + "source.ip": "35.192.121.42", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-11T19:32:12.000Z", + "cyberarkpas.audit.action": "Delete File", + "cyberarkpas.audit.ca_properties.__psm_live_sessions_1": "", + "cyberarkpas.audit.ca_properties.__psm_live_sessions_2": "", + "cyberarkpas.audit.ca_properties.__psm_live_sessions_3": "", + "cyberarkpas.audit.ca_properties.__psm_live_sessions_4": "", + "cyberarkpas.audit.ca_properties.__psm_live_sessions_5": "", + "cyberarkpas.audit.desc": "Delete File", + "cyberarkpas.audit.file": "Root\\PSMPApp_VAGRANT.LiveSessions", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T19:32:12Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Delete File", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 11:32:12\n 2021-03-11T19:32:12Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSMPLiveSessions\n Root\\PSMPApp_VAGRANT.LiveSessions\n 127.0.0.1\n \n \n \n \n \n Delete File\n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": 
"PSMPLiveSessions", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 11 11:32:12", + "event.action": "delete file", + "event.code": "52", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PSMPApp_VAGRANT.LiveSessions", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 3907, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-11T21:06:40.000Z", + "cyberarkpas.audit.action": "Delete File", + "cyberarkpas.audit.ca_properties.address": "35.192.121.42", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", + "cyberarkpas.audit.ca_properties.user_name": "PSMConnect", + "cyberarkpas.audit.desc": "Delete File", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-35.192.121.42-PSMConnect", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T21:06:40Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Delete File", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 13:06:40\n 2021-03-11T21:06:40Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSM\n Root\\Operating System-WinDomain-35.192.121.42-PSMConnect\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + 
"cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 11 13:06:40", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "delete file", + "event.code": "52", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Operating System-WinDomain-35.192.121.42-PSMConnect", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 6037, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-11T21:06:50.000Z", + "cyberarkpas.audit.action": "Delete File", + "cyberarkpas.audit.ca_properties.address": "10.128.0.65", + "cyberarkpas.audit.ca_properties.logon_domain": "ASR-CYBERARK-WI", + "cyberarkpas.audit.ca_properties.user_name": "PSMConnect", + "cyberarkpas.audit.desc": "Delete File", + "cyberarkpas.audit.file": "Root\\PSM-ASR-CYBERARK-WI", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T21:06:50Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Delete File", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 13:06:50\n 2021-03-11T21:06:50Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSM\n Root\\PSM-ASR-CYBERARK-WI\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + 
"cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 11 13:06:50", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "delete file", + "event.code": "52", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PSM-ASR-CYBERARK-WI", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 8223, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-14T12:10:17.000Z", + "cyberarkpas.audit.action": "Delete File", + "cyberarkpas.audit.ca_properties.address": "169.254.180.25", + "cyberarkpas.audit.ca_properties.logon_domain": "VAGRANT-2012-R2", + "cyberarkpas.audit.ca_properties.user_name": "PSMAdminConnect", + "cyberarkpas.audit.desc": "Delete File", + "cyberarkpas.audit.file": "Root\\PSMAdmin", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:10:17Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Delete File", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:10:17\n 2021-03-14T12:10:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSM\n Root\\PSMAdmin\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSM", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + 
"cyberarkpas.audit.timestamp": "Mar 14 05:10:17", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "delete file", + "event.code": "52", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PSMAdmin", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 10117, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-15T15:09:00.000Z", + "cyberarkpas.audit.action": "Delete File", + "cyberarkpas.audit.ca_properties.address": "10.128.0.7", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.database": "test", + "cyberarkpas.audit.ca_properties.device_type": "Database", + "cyberarkpas.audit.ca_properties.policy_id": "Oracle", + "cyberarkpas.audit.ca_properties.port": "3306", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "Delete File", + "cyberarkpas.audit.file": "Root\\Database-Oracle-10.128.0.7-adrian", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T15:09:00Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Delete File", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 08:09:00\n 2021-03-15T15:09:00Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n partner\n Root\\Database-Oracle-10.128.0.7-adrian\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n \n \n \n \n\n", + 
"cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 15 08:09:00", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "delete file", + "event.code": "52", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Database-Oracle-10.128.0.7-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 12005, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-15T15:13:59.000Z", + "cyberarkpas.audit.action": "Delete File", + "cyberarkpas.audit.ca_properties.address": "10.128.0.7", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.database": "test", + "cyberarkpas.audit.ca_properties.device_type": "Database", + "cyberarkpas.audit.ca_properties.policy_id": "MySQL", + "cyberarkpas.audit.ca_properties.port": "3306", + "cyberarkpas.audit.ca_properties.user_name": "adrian", + "cyberarkpas.audit.desc": "Delete File", + "cyberarkpas.audit.file": "Root\\Database-MySQL-10.128.0.7-adrian", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T15:13:59Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Delete File", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 08:13:59\n 2021-03-15T15:13:59Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n 
Info\n Administrator\n Delete File\n \n \n partner\n Root\\Database-MySQL-10.128.0.7-adrian\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 15 08:13:59", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "delete file", + "event.code": "52", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Database-MySQL-10.128.0.7-adrian", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 14321, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/57_cpm_change_password_failed.log b/x-pack/filebeat/module/cyberarkpas/audit/test/57_cpm_change_password_failed.log new file mode 100644 index 00000000000..2131bafce3e --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/57_cpm_change_password_failed.log 
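Review bot: The `_PSMLiveSessions_N` property names come out as `cyberarkpas.audit.ca_properties.__psm_live_sessions_N` with a doubled leading underscore, which suggests the snake-case conversion in the ingest pipeline (outside this file) inserts a separator before the first upper-case run even when the name already starts with one; the expected keys should read `cyberarkpas.audit.ca_properties._psm_live_sessions_1` and the converter should skip the separator at position zero. Separately, every event whose input carried `raw` keeps the complete original record in `cyberarkpas.audit.raw` alongside the parsed fields, roughly doubling the stored event; if that copy is kept only for troubleshooting, it is worth documenting that intent on the field, or dropping it once the structured `syslog.audit_record` has been parsed successfully.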
@@ -0,0 +1 @@ +<7>1 2021-03-25T12:00:08Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 08:00:08\n 2021-03-25T12:00:08Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 57\n CPM Change Password Failed\n Error\n PasswordManager\n CPM Change Password Failed\n \n \n Linux Accounts\n Root\\Operating System-UnixSSH-rhel7.cybr.com-firecall2\n 10.0.0.15\n \n \n \n ImmediateTask. Failure Description: Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. Error code:9002\n address=rhel7.cybr.com;username=firecall2;\n CPM Change Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 08:00:08","IsoTimestamp":"2021-03-25T12:00:08Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"57","Desc":"CPM Change Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Change Password Failed","SourceUser":"","TargetUser":"","Safe":"Linux Accounts","File":"Root\\Operating System-UnixSSH-rhel7.cybr.com-firecall2","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. 
Error code:9002","ExtraDetails":"address=rhel7.cybr.com;username=firecall2;","Message":"CPM Change Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"firecall2"},{"Name":"Address","Value":"rhel7.cybr.com"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"ResetImmediately","Value":"ChangeTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"ExtraPass3Name","Value":"Operating System-UnixSSH-rhel7.cybr.com-root"},{"Name":"ExtraPass3Folder","Value":"Root"},{"Name":"ExtraPass3Safe","Value":"Linux Root"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1616673608"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"LastSuccessVerification","Value":"1616580255"},{"Name":"CPMErrorDetails","Value":"Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. Error code:9002"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"LastSuccessChange","Value":"1616011989"},{"Name":"LastSuccessReconciliation","Value":"1576120341"},{"Name":"UseSudoOnReconcile","Value":"No"},{"Name":"Tags","Value":"SSH"},{"Name":"Privcloud","Value":"privcloud"}]}}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/57_cpm_change_password_failed.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/57_cpm_change_password_failed.log-expected.json new file mode 100644 index 00000000000..eaf206946a9 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/57_cpm_change_password_failed.log-expected.json 
@@ -0,0 +1,85 @@ +[ + { + "@timestamp": "2021-03-25T12:00:08.000Z", + "cyberarkpas.audit.action": "CPM Change Password Failed", + "cyberarkpas.audit.ca_properties.address": "rhel7.cybr.com", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. Error code:9002", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.extra_pass3_folder": "Root", + "cyberarkpas.audit.ca_properties.extra_pass3_name": "Operating System-UnixSSH-rhel7.cybr.com-root", + "cyberarkpas.audit.ca_properties.extra_pass3_safe": "Linux Root", + "cyberarkpas.audit.ca_properties.last_fail_date": "1616673608", + "cyberarkpas.audit.ca_properties.last_success_change": "1616011989", + "cyberarkpas.audit.ca_properties.last_success_reconciliation": "1576120341", + "cyberarkpas.audit.ca_properties.last_success_verification": "1616580255", + "cyberarkpas.audit.ca_properties.last_task": "ChangeTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.privcloud": "privcloud", + "cyberarkpas.audit.ca_properties.reset_immediately": "ChangeTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.tags": "SSH", + "cyberarkpas.audit.ca_properties.use_sudo_on_reconcile": "No", + "cyberarkpas.audit.ca_properties.user_name": "firecall2", + "cyberarkpas.audit.desc": "CPM Change Password Failed", + "cyberarkpas.audit.extra_details.address": "rhel7.cybr.com", + "cyberarkpas.audit.extra_details.username": "firecall2", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-rhel7.cybr.com-firecall2", + "cyberarkpas.audit.iso_timestamp": "2021-03-25T12:00:08Z", + 
"cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Change Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 08:00:08\n 2021-03-25T12:00:08Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 57\n CPM Change Password Failed\n Error\n PasswordManager\n CPM Change Password Failed\n \n \n Linux Accounts\n Root\\Operating System-UnixSSH-rhel7.cybr.com-firecall2\n 10.0.0.15\n \n \n \n ImmediateTask. Failure Description: Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. Error code:9002\n address=rhel7.cybr.com;username=firecall2;\n CPM Change Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask. Failure Description: Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. Error code:9002", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "Linux Accounts", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.0.15", + "cyberarkpas.audit.timestamp": "Mar 25 08:00:08", + "destination.address": "rhel7.cybr.com", + "destination.domain": "rhel7.cybr.com", + "event.action": "cpm change password failed", + "event.category": [ + "iam" + ], + "event.code": "57", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. 
Error code:9002", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "user", + "change", + "error" + ], + "file.path": "Root\\Operating System-UnixSSH-rhel7.cybr.com-firecall2", + "fileset.name": "audit", + "host.name": "VLT01", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "7", + "observer.hostname": "VLT01", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "12.0.0000", + "related.ip": [ + "10.0.0.15" + ], + "related.user": [ + "PasswordManager", + "firecall2" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.0.15", + "source.ip": "10.0.0.15", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager", + "user.target.name": "firecall2" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/59_clear_safe_history.log b/x-pack/filebeat/module/cyberarkpas/audit/test/59_clear_safe_history.log new file mode 100644 index 00000000000..9b834634185 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/59_clear_safe_history.log 
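Review bot: The expected document keeps the whole upstream `raw` blob under `cyberarkpas.audit.raw`, so every value already parsed into `cyberarkpas.audit.*` (timestamp, issuer, file, reason, extra details) is stored a second time at full length, and for this event that blob is the largest value in the document. If keeping it is intentional, the module's fields documentation should say so and state how the field is mapped (I cannot see a `raw` entry among the documented `cyberarkpas.audit.*` fields in this diff — please confirm against the module's fields.yml); otherwise the pipeline could drop it once the `audit_record` object has been parsed. The same applies to the 60_cpm_reconcile_password_failed expectations, where each of the nine documents repeats its `raw` blob.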
@@ -0,0 +1,3 @@
+<5>1 2021-03-04T19:25:02Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:25:02","IsoTimestamp":"2021-03-04T19:25:02Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"59","Desc":"Clear Safe History","Severity":"Info","Issuer":"PasswordManager","Action":"Clear Safe History","SourceUser":"","TargetUser":"","Safe":"PasswordManager_workspace","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Clear Safe History","GatewayStation":""}}}
+Mar 08 03:10:31 VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"59","Desc":"Clear Safe History","Severity":"Info","Issuer":"PasswordManager","Action":"Clear Safe History","SourceUser":"","TargetUser":"","Safe":"PasswordManager_workspace","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Clear Safe History","GatewayStation":""}}}
+<5>1 2021-03-09T09:00:47Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 01:00:47","IsoTimestamp":"2021-03-09T09:00:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"59","Desc":"Clear Safe History","Severity":"Info","Issuer":"Batch","Action":"Clear Safe History","SourceUser":"","TargetUser":"","Safe":"System","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Clear Safe History","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/59_clear_safe_history.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/59_clear_safe_history.log-expected.json
new file mode 100644
index 00000000000..21d71f71183
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/59_clear_safe_history.log-expected.json 
@@ -0,0 +1,116 @@ +[ + { + "@timestamp": "2021-03-04T19:25:02.000Z", + "cyberarkpas.audit.action": "Clear Safe History", + "cyberarkpas.audit.desc": "Clear Safe History", + "cyberarkpas.audit.iso_timestamp": "2021-03-04T19:25:02Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Clear Safe History", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PasswordManager_workspace", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 04 11:25:02", + "event.action": "clear safe history", + "event.code": "59", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-08T03:10:31.000-02:00", + "cyberarkpas.audit.action": "Clear Safe History", + "cyberarkpas.audit.desc": "Clear Safe History", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Clear Safe History", + "cyberarkpas.audit.rfc5424": false, + "cyberarkpas.audit.safe": "PasswordManager_workspace", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "event.action": "clear safe history", + "event.code": "59", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 604, + "observer.hostname": "VAULT", + 
"observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-09T09:00:47.000Z", + "cyberarkpas.audit.action": "Clear Safe History", + "cyberarkpas.audit.desc": "Clear Safe History", + "cyberarkpas.audit.iso_timestamp": "2021-03-09T09:00:47Z", + "cyberarkpas.audit.issuer": "Batch", + "cyberarkpas.audit.message": "Clear Safe History", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "System", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "0.0.0.0", + "cyberarkpas.audit.timestamp": "Mar 09 01:00:47", + "event.action": "clear safe history", + "event.code": "59", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1110, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "0.0.0.0" + ], + "service.type": "cyberarkpas", + "source.address": "0.0.0.0", + "source.ip": "0.0.0.0", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/60_cpm_reconcile_password_failed.log b/x-pack/filebeat/module/cyberarkpas/audit/test/60_cpm_reconcile_password_failed.log new file mode 100644 index 00000000000..2a5483207bf --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/60_cpm_reconcile_password_failed.log 
@@ -0,0 +1,9 @@ +<7>1 2021-03-11T21:12:22Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 13:12:22\n 2021-03-11T21:12:22Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 13:12:22","IsoTimestamp":"2021-03-11T21:12:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=34.66.114.180;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615497142"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-14T13:18:15Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:18:15\n 2021-03-14T13:18:15Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #2). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=2;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:18:15","IsoTimestamp":"2021-03-14T13:18:15Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #2). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=34.66.114.180;retriescount=2;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"2"},{"Name":"LastFailDate","Value":"1615727895"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-14T13:46:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:46:13\n 2021-03-14T13:46:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 
60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n\n address=34.123.103.115;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:46:13","IsoTimestamp":"2021-03-14T13:46:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\n","ExtraDetails":"address=34.123.103.115;username=testark;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-14T14:49:11Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 07:49:11\n 2021-03-14T14:49:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #3). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=3;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 07:49:11","IsoTimestamp":"2021-03-14T14:49:11Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #3). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=34.66.114.180;retriescount=3;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"3"},{"Name":"LastFailDate","Value":"1615733350"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T10:12:18Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:12:18\n 2021-03-15T10:12:18Z\n VAULT\n Cyber-Ark\n Vault\n 
11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #4). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=4;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:12:18","IsoTimestamp":"2021-03-15T10:12:18Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #4). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=34.66.114.180;retriescount=4;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"4"},{"Name":"LastFailDate","Value":"1615803137"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T10:12:19Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:12:19\n 2021-03-15T10:12:19Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\n\n address=34.123.103.115;retriescount=1;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:12:19","IsoTimestamp":"2021-03-15T10:12:19Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n","ExtraDetails":"address=34.123.103.115;retriescount=1;username=testark;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615803137"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T12:57:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 05:57:13\n 2021-03-15T12:57:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=5;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 05:57:13","IsoTimestamp":"2021-03-15T12:57:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=34.66.114.180;retriescount=5;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"CPMDisabled","Value":"(CPM)MaxRetries"},{"Name":"RetriesCount","Value":"5"},{"Name":"LastFailDate","Value":"1615813031"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T13:04:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:04:27\n 2021-03-15T13:04:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\n\n address=34.123.103.115;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:04:27","IsoTimestamp":"2021-03-15T13:04:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n","ExtraDetails":"address=34.123.103.115;username=testark;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615813465"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T14:44:37Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:44:37\n 2021-03-15T14:44:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n\n address=34.123.103.115;retriescount=1;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:44:37","IsoTimestamp":"2021-03-15T14:44:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\n","ExtraDetails":"address=34.123.103.115;retriescount=1;username=testark;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615819476"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/60_cpm_reconcile_password_failed.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/60_cpm_reconcile_password_failed.log-expected.json new file mode 100644 index 00000000000..1a3d12f5882 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/60_cpm_reconcile_password_failed.log-expected.json 
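Review bot: All nine sample records carry routable public addresses (`34.66.114.180`, `34.123.103.115`, and `35.192.121.42` inside the `File` name) together with a domain account `ELASTIC\bart`; committed sample data is normally anonymised to documentation ranges (RFC 5737, e.g. `192.0.2.0/24`) so that fixtures do not reference live hosts or real accounts. Here the choice also leaks into the expected output, which as far as it is visible below resolves `destination.ip` through GeoIP into `destination.geo.*` (city, region, coordinates) and therefore ties the test to a particular GeoIP database snapshot. Replacing the addresses consistently in both the `raw` blob and the `audit_record` fields, including `Address`, `LogonDomain` and `ExtraDetails`, would keep the same parse coverage without that dependency.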
@@ -0,0 +1,773 @@ +[ + { + "@timestamp": "2021-03-11T21:12:22.000Z", + "cyberarkpas.audit.action": "CPM Reconcile Password Failed", + "cyberarkpas.audit.ca_properties.address": "34.66.114.180", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Parameter Reconcile account is mandatory but has an empty value or is not defined", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615497142", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.logon_domain": "34.66.114.180", + "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.user_name": "ELASTIC\\bart", + "cyberarkpas.audit.desc": "CPM Reconcile Password Failed", + "cyberarkpas.audit.extra_details.address": "34.66.114.180", + "cyberarkpas.audit.extra_details.username": "ELASTIC\\bart", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T21:12:22Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Reconcile Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 13:12:22\n 2021-03-11T21:12:22Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 11 13:12:22", + "destination.address": "34.66.114.180", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.66.114.180", + "event.action": "cpm reconcile password failed", + "event.category": [ + "iam" + ], + "event.code": "60", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "user", + "change", + "error" + ], + "file.path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "7", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + 
"observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "34.66.114.180" + ], + "related.user": [ + "PasswordManager", + "ELASTIC\\bart" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager", + "user.target.name": "ELASTIC\\bart" + }, + { + "@timestamp": "2021-03-14T13:18:15.000Z", + "cyberarkpas.audit.action": "CPM Reconcile Password Failed", + "cyberarkpas.audit.ca_properties.address": "34.66.114.180", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Parameter Reconcile account is mandatory but has an empty value or is not defined", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615727895", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.logon_domain": "34.66.114.180", + "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "2", + "cyberarkpas.audit.ca_properties.user_name": "ELASTIC\\bart", + "cyberarkpas.audit.desc": "CPM Reconcile Password Failed", + "cyberarkpas.audit.extra_details.address": "34.66.114.180", + "cyberarkpas.audit.extra_details.retriescount": "2", + "cyberarkpas.audit.extra_details.username": "ELASTIC\\bart", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T13:18:15Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Reconcile Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:18:15\n 2021-03-14T13:18:15Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n 
Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #2). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=2;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #2). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 14 06:18:15", + "destination.address": "34.66.114.180", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.66.114.180", + "event.action": "cpm reconcile password failed", + "event.category": [ + "iam" + ], + "event.code": "60", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "user", + "change", + "error" + ], + 
"file.path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 3917, + "log.syslog.priority": "7", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "34.66.114.180" + ], + "related.user": [ + "PasswordManager", + "ELASTIC\\bart" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager", + "user.target.name": "ELASTIC\\bart" + }, + { + "@timestamp": "2021-03-14T13:46:13.000Z", + "cyberarkpas.audit.action": "CPM Reconcile Password Failed", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615729572", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "CPM Reconcile Password Failed", + "cyberarkpas.audit.extra_details.address": "34.123.103.115", + "cyberarkpas.audit.extra_details.username": "testark", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T13:46:13Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Reconcile Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:46:13\n 2021-03-14T13:46:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n\n address=34.123.103.115;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). 
Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 14 06:46:13", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "event.action": "cpm reconcile password failed", + "event.category": [ + "iam" + ], + "event.code": "60", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "user", + "change", + "error" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 7864, + "log.syslog.priority": "7", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "34.123.103.115" + ], + "related.user": [ + "PasswordManager", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager", + "user.target.name": "testark" + }, + { + "@timestamp": "2021-03-14T14:49:11.000Z", + "cyberarkpas.audit.action": "CPM Reconcile Password Failed", + "cyberarkpas.audit.ca_properties.address": "34.66.114.180", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Parameter Reconcile account is mandatory but has an empty value or is not defined", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615733350", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.logon_domain": "34.66.114.180", + "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "3", + "cyberarkpas.audit.ca_properties.user_name": "ELASTIC\\bart", + "cyberarkpas.audit.desc": "CPM Reconcile Password Failed", + "cyberarkpas.audit.extra_details.address": "34.66.114.180", + "cyberarkpas.audit.extra_details.retriescount": "3", + "cyberarkpas.audit.extra_details.username": 
"ELASTIC\\bart", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T14:49:11Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Reconcile Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 07:49:11\n 2021-03-14T14:49:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #3). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=3;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #3). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 14 07:49:11", + "destination.address": "34.66.114.180", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.66.114.180", + "event.action": "cpm reconcile password failed", + "event.category": [ + "iam" + ], + "event.code": "60", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "user", + "change", + "error" + ], + "file.path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 11884, + "log.syslog.priority": "7", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "34.66.114.180" + ], + "related.user": [ + "PasswordManager", + "ELASTIC\\bart" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager", + "user.target.name": "ELASTIC\\bart" + }, + { + "@timestamp": "2021-03-15T10:12:18.000Z", + 
"cyberarkpas.audit.action": "CPM Reconcile Password Failed", + "cyberarkpas.audit.ca_properties.address": "34.66.114.180", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Parameter Reconcile account is mandatory but has an empty value or is not defined", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615803137", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.logon_domain": "34.66.114.180", + "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "4", + "cyberarkpas.audit.ca_properties.user_name": "ELASTIC\\bart", + "cyberarkpas.audit.desc": "CPM Reconcile Password Failed", + "cyberarkpas.audit.extra_details.address": "34.66.114.180", + "cyberarkpas.audit.extra_details.retriescount": "4", + "cyberarkpas.audit.extra_details.username": "ELASTIC\\bart", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T10:12:18Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Reconcile Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:12:18\n 2021-03-15T10:12:18Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #4). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=4;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #4). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 03:12:18", + "destination.address": "34.66.114.180", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.66.114.180", + "event.action": "cpm reconcile password failed", + "event.category": [ + "iam" + ], + "event.code": "60", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "user", + "change", + "error" + ], + "file.path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 15847, + "log.syslog.priority": "7", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + 
"observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "34.66.114.180" + ], + "related.user": [ + "PasswordManager", + "ELASTIC\\bart" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager", + "user.target.name": "ELASTIC\\bart" + }, + { + "@timestamp": "2021-03-15T10:12:19.000Z", + "cyberarkpas.audit.action": "CPM Reconcile Password Failed", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615803137", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "1", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "CPM Reconcile Password Failed", + "cyberarkpas.audit.extra_details.address": "34.123.103.115", + "cyberarkpas.audit.extra_details.retriescount": "1", + "cyberarkpas.audit.extra_details.username": "testark", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T10:12:19Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Reconcile Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:12:19\n 2021-03-15T10:12:19Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile 
Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n\n address=34.123.103.115;retriescount=1;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 03:12:19", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "event.action": "cpm reconcile password failed", + "event.category": [ + "iam" + ], + "event.code": "60", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "user", + "change", + "error" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 19810, + "log.syslog.priority": "7", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "34.123.103.115" + ], + "related.user": [ + "PasswordManager", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager", + "user.target.name": "testark" + }, + { + "@timestamp": "2021-03-15T12:57:13.000Z", + "cyberarkpas.audit.action": "CPM Reconcile Password Failed", + "cyberarkpas.audit.ca_properties.address": "34.66.114.180", + "cyberarkpas.audit.ca_properties.cpm_disabled": "(CPM)MaxRetries", + "cyberarkpas.audit.ca_properties.cpm_error_details": "Parameter Reconcile account is mandatory but has an empty value or is not defined", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615813031", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.logon_domain": "34.66.114.180", + "cyberarkpas.audit.ca_properties.policy_id": "WinDomain", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "5", + "cyberarkpas.audit.ca_properties.user_name": "ELASTIC\\bart", + "cyberarkpas.audit.desc": "CPM Reconcile Password Failed", + "cyberarkpas.audit.extra_details.address": "34.66.114.180", + 
"cyberarkpas.audit.extra_details.retriescount": "5", + "cyberarkpas.audit.extra_details.username": "ELASTIC\\bart", + "cyberarkpas.audit.file": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T12:57:13Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Reconcile Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 05:57:13\n 2021-03-15T12:57:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=5;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 05:57:13", + "destination.address": "34.66.114.180", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.66.114.180", + "event.action": "cpm reconcile password failed", + "event.category": [ + "iam" + ], + "event.code": "60", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "user", + "change", + "error" + ], + "file.path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 23876, + "log.syslog.priority": "7", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "34.66.114.180" + ], + "related.user": [ + "PasswordManager", + "ELASTIC\\bart" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager", + "user.target.name": "ELASTIC\\bart" + }, + { + "@timestamp": "2021-03-15T13:04:27.000Z", + 
"cyberarkpas.audit.action": "CPM Reconcile Password Failed", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615813465", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "0", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "CPM Reconcile Password Failed", + "cyberarkpas.audit.extra_details.address": "34.123.103.115", + "cyberarkpas.audit.extra_details.username": "testark", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T13:04:27Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Reconcile Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 06:04:27\n 2021-03-15T13:04:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. 
Please link reconcile account to the target account or set the password. code: 8031\n\n address=34.123.103.115;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 06:04:27", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "event.action": "cpm reconcile password failed", + "event.category": [ + "iam" + ], + "event.code": "60", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "user", + "change", + "error" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 27968, + "log.syslog.priority": "7", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "34.123.103.115" + ], + "related.user": [ + "PasswordManager", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager", + "user.target.name": "testark" + }, + { + "@timestamp": "2021-03-15T14:44:37.000Z", + "cyberarkpas.audit.action": "CPM Reconcile Password Failed", + "cyberarkpas.audit.ca_properties.address": "34.123.103.115", + "cyberarkpas.audit.ca_properties.cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031", + "cyberarkpas.audit.ca_properties.cpm_status": "failure", + "cyberarkpas.audit.ca_properties.creation_method": "PVWA", + "cyberarkpas.audit.ca_properties.device_type": "Operating System", + "cyberarkpas.audit.ca_properties.last_fail_date": "1615819476", + "cyberarkpas.audit.ca_properties.last_success_verification": "1615803764", + "cyberarkpas.audit.ca_properties.last_task": "ReconcileTask", + "cyberarkpas.audit.ca_properties.policy_id": "UnixSSH", + "cyberarkpas.audit.ca_properties.reset_immediately": "ReconcileTask", + "cyberarkpas.audit.ca_properties.retries_count": "1", + "cyberarkpas.audit.ca_properties.use_sudo_on_reconcile": "Yes", + "cyberarkpas.audit.ca_properties.user_name": "testark", + "cyberarkpas.audit.desc": "CPM Reconcile Password Failed", + "cyberarkpas.audit.extra_details.address": "34.123.103.115", + "cyberarkpas.audit.extra_details.retriescount": "1", + "cyberarkpas.audit.extra_details.username": "testark", + "cyberarkpas.audit.file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "cyberarkpas.audit.iso_timestamp": "2021-03-15T14:44:37Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "CPM Reconcile Password Failed", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:44:37\n 2021-03-15T14:44:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\n\n address=34.123.103.115;retriescount=1;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n", + "cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "partner", + "cyberarkpas.audit.severity": "Error", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 15 07:44:37", + "destination.address": "34.123.103.115", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.123.103.115", + "event.action": "cpm reconcile password failed", + "event.category": [ + "iam" + ], + "event.code": "60", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "failure", + "event.reason": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "user", + "change", + "error" + ], + "file.path": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 32131, + "log.syslog.priority": "7", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20", + "34.123.103.115" + ], + "related.user": [ + "PasswordManager", + "testark" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager", + "user.target.name": "testark" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/62_create_file_version.log b/x-pack/filebeat/module/cyberarkpas/audit/test/62_create_file_version.log new file mode 100644 index 00000000000..0d2f4d0e96e --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/62_create_file_version.log 
@@ -0,0 +1,8 @@
+<5>1 2021-03-10T09:11:54Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:54","IsoTimestamp":"2021-03-10T09:11:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMPApp_localhost.localdomain","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_localhost.localdomain.LiveSessions","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}}
+<5>1 2021-03-10T17:58:05Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:58:05","IsoTimestamp":"2021-03-10T17:58:05Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"Administrator","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMNotifications","File":"Root\\SessionControl","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}}
+<5>1 2021-03-10T18:46:47Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:47","IsoTimestamp":"2021-03-10T18:46:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMApp_VAGRANT","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSMServer.LiveSessions","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}}
+<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSM-ASR-CYBERARK-WI.LiveSessions","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}}
+<5>1 2021-03-11T16:50:29Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:50:29\n 2021-03-11T16:50:29Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PVWAAppUser\n Create File Version\n \n \n PSMSessions\n Root\\ec7c3e3bd11069dd20a491a6b11bbe293bf4780b\n 10.0.1.20\n \n \n \n \n \n Create File Version\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:50:29","IsoTimestamp":"2021-03-11T16:50:29Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PVWAAppUser","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMSessions","File":"Root\\ec7c3e3bd11069dd20a491a6b11bbe293bf4780b","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}}
+<5>1 2021-03-11T16:59:58Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:58\n 2021-03-11T16:59:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PSMPApp_VAGRANT\n Create File Version\n \n \n PSMPLiveSessions\n Root\\PSMPApp_VAGRANT.LiveSessions\n 81.32.170.205\n \n \n \n \n \n Create File Version\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:58","IsoTimestamp":"2021-03-11T16:59:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_VAGRANT.LiveSessions","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}}
+<5>1 2021-03-14T12:07:32Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:07:32\n 2021-03-14T12:07:32Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PasswordManager\n Create File Version\n \n \n AccountsFeedDiscoveryLogs\n Root\\Windows discovery from ELASTIC.local_PasswordManager_UID1.log\n 10.0.1.20\n \n \n \n \n \n Create File Version\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:07:32","IsoTimestamp":"2021-03-14T12:07:32Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PasswordManager","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"AccountsFeedDiscoveryLogs","File":"Root\\Windows discovery from ELASTIC.local_PasswordManager_UID1.log","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":"10.0.1.20"}}}
+<5>1 2021-03-14T12:57:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:27\n 2021-03-14T12:57:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PSMPApp_SSH\n Create File Version\n \n \n PSMPLiveSessions\n Root\\PSMPApp_SSH.LiveSessions\n 34.71.250.247\n \n \n \n \n \n Create File Version\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:27","IsoTimestamp":"2021-03-14T12:57:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMPApp_SSH","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_SSH.LiveSessions","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/62_create_file_version.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/62_create_file_version.log-expected.json
new file mode 100644
index 00000000000..e54e87c6c59
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/62_create_file_version.log-expected.json
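Review bot: The `Station` values in this sample log (`81.32.170.205` on the first three and sixth records, `35.192.121.42` and `34.71.250.247` on the fourth and last) look like real public addresses rather than reserved ranges, and the expected output in the next section geolocates the first of them to a consumer ISP range in Barcelona. A committed fixture republishes those endpoints for as long as the repository exists, and geo assertions built on live addresses drift whenever the GeoLite database is refreshed. Prefer RFC 5737 documentation addresses where no geo lookup is needed, and addresses taken from the GeoLite2 test database where one is, then regenerate the expected output. The reconcile-failure fixtures earlier in this commit reuse the same address set and should be changed together.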
@@ -0,0 +1,386 @@ +[ + { + "@timestamp": "2021-03-10T09:11:54.000Z", + "cyberarkpas.audit.action": "Create File Version", + "cyberarkpas.audit.desc": "Create File Version", + "cyberarkpas.audit.file": "Root\\PSMPApp_localhost.localdomain.LiveSessions", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:54Z", + "cyberarkpas.audit.issuer": "PSMPApp_localhost.localdomain", + "cyberarkpas.audit.message": "Create File Version", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPLiveSessions", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:54", + "event.action": "create file version", + "event.code": "62", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PSMPApp_localhost.localdomain.LiveSessions", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T17:58:05.000Z", + "cyberarkpas.audit.action": "Create File Version", + "cyberarkpas.audit.desc": "Create File Version", + "cyberarkpas.audit.file": "Root\\SessionControl", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T17:58:05Z", + "cyberarkpas.audit.issuer": 
"Administrator", + "cyberarkpas.audit.message": "Create File Version", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMNotifications", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 09:58:05", + "event.action": "create file version", + "event.code": "62", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\SessionControl", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 664, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T18:46:47.000Z", + "cyberarkpas.audit.action": "Create File Version", + "cyberarkpas.audit.desc": "Create File Version", + "cyberarkpas.audit.file": "Root\\PSMServer.LiveSessions", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T18:46:47Z", + "cyberarkpas.audit.issuer": "PSMApp_VAGRANT", + "cyberarkpas.audit.message": "Create File Version", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMLiveSessions", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 10:46:47", + "event.action": "create file version", + "event.code": "62", + "event.dataset": 
"cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PSMServer.LiveSessions", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1284, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T22:20:12.000Z", + "cyberarkpas.audit.action": "Create File Version", + "cyberarkpas.audit.desc": "Create File Version", + "cyberarkpas.audit.file": "Root\\PSM-ASR-CYBERARK-WI.LiveSessions", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T22:20:12Z", + "cyberarkpas.audit.issuer": "PSMApp_ASR-WIN", + "cyberarkpas.audit.message": "Create File Version", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMLiveSessions", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.timestamp": "Mar 10 14:20:12", + "event.action": "create file version", + "event.code": "62", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PSM-ASR-CYBERARK-WI.LiveSessions", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1912, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + 
"observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "35.192.121.42" + ], + "service.type": "cyberarkpas", + "source.address": "35.192.121.42", + "source.geo.city_name": "Council Bluffs", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 41.2591, + "source.geo.location.lon": -95.8517, + "source.geo.region_iso_code": "US-IA", + "source.geo.region_name": "Iowa", + "source.ip": "35.192.121.42", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-11T16:50:29.000Z", + "cyberarkpas.audit.action": "Create File Version", + "cyberarkpas.audit.desc": "Create File Version", + "cyberarkpas.audit.file": "Root\\ec7c3e3bd11069dd20a491a6b11bbe293bf4780b", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:50:29Z", + "cyberarkpas.audit.issuer": "PVWAAppUser", + "cyberarkpas.audit.message": "Create File Version", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:50:29\n 2021-03-11T16:50:29Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PVWAAppUser\n Create File Version\n \n \n PSMSessions\n Root\\ec7c3e3bd11069dd20a491a6b11bbe293bf4780b\n 10.0.1.20\n \n \n \n \n \n Create File Version\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMSessions", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 11 08:50:29", + "event.action": "create file version", + "event.code": "62", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\ec7c3e3bd11069dd20a491a6b11bbe293bf4780b", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2550, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + 
"observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-11T16:59:58.000Z", + "cyberarkpas.audit.action": "Create File Version", + "cyberarkpas.audit.desc": "Create File Version", + "cyberarkpas.audit.file": "Root\\PSMPApp_VAGRANT.LiveSessions", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:59:58Z", + "cyberarkpas.audit.issuer": "PSMPApp_VAGRANT", + "cyberarkpas.audit.message": "Create File Version", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:59:58\n 2021-03-11T16:59:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PSMPApp_VAGRANT\n Create File Version\n \n \n PSMPLiveSessions\n Root\\PSMPApp_VAGRANT.LiveSessions\n 81.32.170.205\n \n \n \n \n \n Create File Version\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPLiveSessions", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 08:59:58", + "event.action": "create file version", + "event.code": "62", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PSMPApp_VAGRANT.LiveSessions", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 4100, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": 
"Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-14T12:07:32.000Z", + "cyberarkpas.audit.action": "Create File Version", + "cyberarkpas.audit.desc": "Create File Version", + "cyberarkpas.audit.file": "Root\\Windows discovery from ELASTIC.local_PasswordManager_UID1.log", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:07:32Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Create File Version", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:07:32\n 2021-03-14T12:07:32Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PasswordManager\n Create File Version\n \n \n AccountsFeedDiscoveryLogs\n Root\\Windows discovery from ELASTIC.local_PasswordManager_UID1.log\n 10.0.1.20\n \n \n \n \n \n Create File Version\n 10.0.1.20\n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "AccountsFeedDiscoveryLogs", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 14 05:07:32", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "create file version", + "event.code": "62", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Windows discovery from ELASTIC.local_PasswordManager_UID1.log", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 5652, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": 
[ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-14T12:57:27.000Z", + "cyberarkpas.audit.action": "Create File Version", + "cyberarkpas.audit.desc": "Create File Version", + "cyberarkpas.audit.file": "Root\\PSMPApp_SSH.LiveSessions", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:57:27Z", + "cyberarkpas.audit.issuer": "PSMPApp_SSH", + "cyberarkpas.audit.message": "Create File Version", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:27\n 2021-03-14T12:57:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PSMPApp_SSH\n Create File Version\n \n \n PSMPLiveSessions\n Root\\PSMPApp_SSH.LiveSessions\n 34.71.250.247\n \n \n \n \n \n Create File Version\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PSMPLiveSessions", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 14 05:57:27", + "event.action": "create file version", + "event.code": "62", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PSMPApp_SSH.LiveSessions", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 7298, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "34.71.250.247" + ], + "service.type": "cyberarkpas", + "source.address": "34.71.250.247", + "source.geo.city_name": "Council Bluffs", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 41.2591, + "source.geo.location.lon": -95.8517, + 
"source.geo.region_iso_code": "US-IA", + "source.geo.region_name": "Iowa", + "source.ip": "34.71.250.247", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/7_logon.log b/x-pack/filebeat/module/cyberarkpas/audit/test/7_logon.log new file mode 100644 index 00000000000..82be0d698c1 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/7_logon.log 
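Review bot: `log.syslog.priority` is emitted as a string in every document of this section (`"log.syslog.priority": "5"`), while ECS defines that field as `long`; the pipeline producing it is outside this diff, but it should convert the value so the expected document reads `"log.syslog.priority": 5`, as the neighbouring `event.severity` already is numeric. The other expected-output sections of this commit carry the same string value and would change with it. Separately, each document here has `event.kind: event` but no `event.category` or `event.type`, unlike the reconcile-failure section above, which sets `iam` and `user, change, error`; a "Create File Version" record would fit `"event.category": ["file"]` and `"event.type": ["creation"]`, and without them these events fall outside the ECS categorization that the other message codes already support. If the omission is deliberate for this code, a comment in the pipeline or module README stating which codes are left uncategorized would keep it from being read as an oversight.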
@@ -0,0 +1,12 @@ +{"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 7\n Logon\n Info\n adm2\n Logon\n \n \n \n \n 10.2.0.6\n \n \n \n \n \n Logon\n 10.2.0.3\n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"adm2","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.2.0.6","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":"10.2.0.3","IsoTimestamp":"2021-03-16T15:01:00Z"}}} +<5>1 2021-03-04T19:10:05Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:10:05","IsoTimestamp":"2021-03-04T19:10:05Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PasswordManager","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} +<5>1 2021-03-04T19:10:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:10:20","IsoTimestamp":"2021-03-04T19:10:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"SCIM-user","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} +<5>1 2021-03-04T19:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 
11:11:20","IsoTimestamp":"2021-03-04T19:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PVWAGWUser","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} +<5>1 2021-03-04T19:11:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:11:23","IsoTimestamp":"2021-03-04T19:11:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"Prov_COMPONENTS","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} +<5>1 2021-03-05T10:18:50Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 05 02:18:50","IsoTimestamp":"2021-03-05T10:18:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PVWAAppUser","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} +<5>1 2021-03-08T18:07:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 
10:07:51","IsoTimestamp":"2021-03-08T18:07:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"Administrator","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-09T08:32:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 00:32:51","IsoTimestamp":"2021-03-09T08:32:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"Administrator","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-09T10:14:58Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 02:14:58","IsoTimestamp":"2021-03-09T10:14:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"Administrator","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"37.223.7.45","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-10T09:11:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
01:11:48","IsoTimestamp":"2021-03-10T09:11:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PSMP_ADB_localhost.localdomain","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} +<5>1 2021-03-10T09:11:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:48","IsoTimestamp":"2021-03-10T09:11:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PSMPApp_localhost.localdomain","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} +<5>1 2021-03-10T09:11:49Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:49","IsoTimestamp":"2021-03-10T09:11:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PSMPGW_localhost.localdomain","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/7_logon.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/7_logon.log-expected.json new file mode 100644 index 00000000000..57223388c5f --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/7_logon.log-expected.json 
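Review bot: The Logon samples for Administrator, PSMP_ADB_localhost.localdomain, PSMPApp_localhost.localdomain and PSMPGW_localhost.localdomain carry what look like real public source addresses (81.32.170.205 and 37.223.7.45, which the expected output geo-resolves to Barcelona), so the fixture ties a named administrator account of a real vault to an identifiable network in a public repository. Sample logs are normally scrubbed to the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), e.g. `"Station":"203.0.113.7"`; since those ranges carry no GeoIP data, one record could keep a single well-known public address purely to exercise the source.geo enrichment while the rest are rewritten. The same addresses recur in the other samples in this change, so they would all need the same treatment together with regenerated expected JSON.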
@@ -0,0 +1,659 @@ +[ + { + "@timestamp": "2021-03-16T15:01:00.000Z", + "cyberarkpas.audit.action": "Logon", + "cyberarkpas.audit.desc": "Logon", + "cyberarkpas.audit.gateway_station": "10.2.0.3", + "cyberarkpas.audit.iso_timestamp": "2021-03-16T15:01:00Z", + "cyberarkpas.audit.issuer": "adm2", + "cyberarkpas.audit.message": "Logon", + "cyberarkpas.audit.raw": "\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 7\n Logon\n Info\n adm2\n Logon\n \n \n \n \n 10.2.0.6\n \n \n \n \n \n Logon\n 10.2.0.3\n \n", + "cyberarkpas.audit.rfc5424": false, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.2.0.6", + "destination.address": "10.2.0.3", + "destination.ip": "10.2.0.3", + "event.action": "authentication_success", + "event.category": [ + "authentication", + "session" + ], + "event.code": "7", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "input.type": "log", + "log.offset": 0, + "network.direction": "internal", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.6.0000", + "related.ip": [ + "10.2.0.6", + "10.2.0.3" + ], + "related.user": [ + "adm2" + ], + "service.type": "cyberarkpas", + "source.address": "10.2.0.6", + "source.ip": "10.2.0.6", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "adm2" + }, + { + "@timestamp": "2021-03-04T19:10:05.000Z", + "cyberarkpas.audit.action": "Logon", + "cyberarkpas.audit.desc": "Logon", + "cyberarkpas.audit.iso_timestamp": "2021-03-04T19:10:05Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Logon", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 04 11:10:05", + "event.action": "authentication_success", + 
"event.category": [ + "authentication", + "session" + ], + "event.code": "7", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1132, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PasswordManager" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-04T19:10:20.000Z", + "cyberarkpas.audit.action": "Logon", + "cyberarkpas.audit.desc": "Logon", + "cyberarkpas.audit.iso_timestamp": "2021-03-04T19:10:20Z", + "cyberarkpas.audit.issuer": "SCIM-user", + "cyberarkpas.audit.message": "Logon", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 04 11:10:20", + "event.action": "authentication_success", + "event.category": [ + "authentication", + "session" + ], + "event.code": "7", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1671, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "SCIM-user" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + 
"source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "SCIM-user" + }, + { + "@timestamp": "2021-03-04T19:11:20.000Z", + "cyberarkpas.audit.action": "Logon", + "cyberarkpas.audit.desc": "Logon", + "cyberarkpas.audit.iso_timestamp": "2021-03-04T19:11:20Z", + "cyberarkpas.audit.issuer": "PVWAGWUser", + "cyberarkpas.audit.message": "Logon", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 04 11:11:20", + "event.action": "authentication_success", + "event.category": [ + "authentication", + "session" + ], + "event.code": "7", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2204, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PVWAGWUser" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PVWAGWUser" + }, + { + "@timestamp": "2021-03-04T19:11:23.000Z", + "cyberarkpas.audit.action": "Logon", + "cyberarkpas.audit.desc": "Logon", + "cyberarkpas.audit.iso_timestamp": "2021-03-04T19:11:23Z", + "cyberarkpas.audit.issuer": "Prov_COMPONENTS", + "cyberarkpas.audit.message": "Logon", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 04 11:11:23", + "event.action": "authentication_success", + "event.category": [ + "authentication", + "session" + ], + "event.code": "7", + "event.dataset": 
"cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2738, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "Prov_COMPONENTS" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Prov_COMPONENTS" + }, + { + "@timestamp": "2021-03-05T10:18:50.000Z", + "cyberarkpas.audit.action": "Logon", + "cyberarkpas.audit.desc": "Logon", + "cyberarkpas.audit.iso_timestamp": "2021-03-05T10:18:50Z", + "cyberarkpas.audit.issuer": "PVWAAppUser", + "cyberarkpas.audit.message": "Logon", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 05 02:18:50", + "event.action": "authentication_success", + "event.category": [ + "authentication", + "session" + ], + "event.code": "7", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 3277, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PVWAAppUser" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + 
"user.name": "PVWAAppUser" + }, + { + "@timestamp": "2021-03-08T18:07:51.000Z", + "cyberarkpas.audit.action": "Logon", + "cyberarkpas.audit.desc": "Logon", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-08T18:07:51Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Logon", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 08 10:07:51", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "authentication_success", + "event.category": [ + "authentication", + "session" + ], + "event.code": "7", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 3812, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "related.user": [ + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-09T08:32:51.000Z", + "cyberarkpas.audit.action": "Logon", + "cyberarkpas.audit.desc": "Logon", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-09T08:32:51Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Logon", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 09 
00:32:51", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "authentication_success", + "event.category": [ + "authentication", + "session" + ], + "event.code": "7", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 4358, + "log.syslog.priority": "5", + "network.direction": "inbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "10.0.1.20" + ], + "related.user": [ + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-09T10:14:58.000Z", + "cyberarkpas.audit.action": "Logon", + "cyberarkpas.audit.desc": "Logon", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-09T10:14:58Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Logon", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "37.223.7.45", + "cyberarkpas.audit.timestamp": "Mar 09 02:14:58", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "authentication_success", + "event.category": [ + "authentication", + "session" + ], + 
"event.code": "7", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 4908, + "log.syslog.priority": "5", + "network.direction": "inbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "37.223.7.45", + "10.0.1.20" + ], + "related.user": [ + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "37.223.7.45", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "37.223.7.45", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-10T09:11:48.000Z", + "cyberarkpas.audit.action": "Logon", + "cyberarkpas.audit.desc": "Logon", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:48Z", + "cyberarkpas.audit.issuer": "PSMP_ADB_localhost.localdomain", + "cyberarkpas.audit.message": "Logon", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:48", + "event.action": "authentication_success", + "event.category": [ + "authentication", + "session" + ], + "event.code": "7", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", 
+ "log.offset": 5456, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "PSMP_ADB_localhost.localdomain" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PSMP_ADB_localhost.localdomain" + }, + { + "@timestamp": "2021-03-10T09:11:48.000Z", + "cyberarkpas.audit.action": "Logon", + "cyberarkpas.audit.desc": "Logon", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:48Z", + "cyberarkpas.audit.issuer": "PSMPApp_localhost.localdomain", + "cyberarkpas.audit.message": "Logon", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:48", + "event.action": "authentication_success", + "event.category": [ + "authentication", + "session" + ], + "event.code": "7", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 6014, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "PSMPApp_localhost.localdomain" + ], + "service.type": "cyberarkpas", 
+ "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PSMPApp_localhost.localdomain" + }, + { + "@timestamp": "2021-03-10T09:11:49.000Z", + "cyberarkpas.audit.action": "Logon", + "cyberarkpas.audit.desc": "Logon", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:49Z", + "cyberarkpas.audit.issuer": "PSMPGW_localhost.localdomain", + "cyberarkpas.audit.message": "Logon", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:49", + "event.action": "authentication_success", + "event.category": [ + "authentication", + "session" + ], + "event.code": "7", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 6571, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "PSMPGW_localhost.localdomain" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + 
"source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PSMPGW_localhost.localdomain" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/88_set_password.log b/x-pack/filebeat/module/cyberarkpas/audit/test/88_set_password.log new file mode 100644 index 00000000000..308e66ee8c0 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/88_set_password.log 
@@ -0,0 +1,18 @@ +<5>1 2021-03-04T19:16:19Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:16:19","IsoTimestamp":"2021-03-04T19:16:19Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PVWAGWUser","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-04T19:16:19Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:16:19","IsoTimestamp":"2021-03-04T19:16:19Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PVWAAppUser","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +Mar 08 02:54:46 VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PVWAGWUser","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T08:29:19Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 00:29:19","IsoTimestamp":"2021-03-10T08:29:19Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"Prov_COMPONENTS","Action":"Set 
Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T08:29:28Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 00:29:28","IsoTimestamp":"2021-03-10T08:29:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PasswordManager","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T09:11:52Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:52","IsoTimestamp":"2021-03-10T09:11:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPApp_localhost.localdomain","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T09:11:52Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:52","IsoTimestamp":"2021-03-10T09:11:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPGW_localhost.localdomain","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T09:11:55Z VAULT 
{"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:55","IsoTimestamp":"2021-03-10T09:11:55Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMP_ADB_localhost.localdomain","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T18:46:47Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:47","IsoTimestamp":"2021-03-10T18:46:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMApp_VAGRANT","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T18:46:47Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:47","IsoTimestamp":"2021-03-10T18:46:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMGw_VAGRANT","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set 
Password","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMGw_ASR-WIN","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-11T16:59:54Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:54\n 2021-03-11T16:59:54Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPApp_VAGRANT\n Set Password\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:54","IsoTimestamp":"2021-03-11T16:59:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-11T16:59:55Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:55\n 2021-03-11T16:59:55Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPGW_VAGRANT\n Set Password\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 
08:59:55","IsoTimestamp":"2021-03-11T16:59:55Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPGW_VAGRANT","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-11T20:10:33Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:10:33\n 2021-03-11T20:10:33Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMApp_ASR-WIN\n Set Password\n \n \n \n \n 34.66.114.180\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:10:33","IsoTimestamp":"2021-03-11T20:10:33Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"34.66.114.180","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-14T12:57:25Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPGW_SSH\n Set Password\n \n \n \n \n 34.71.250.247\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:25","IsoTimestamp":"2021-03-14T12:57:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPGW_SSH","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set 
Password","GatewayStation":""}}} +<5>1 2021-03-14T12:57:25Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPApp_SSH\n Set Password\n \n \n \n \n 34.71.250.247\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:25","IsoTimestamp":"2021-03-14T12:57:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPApp_SSH","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-14T12:57:25Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMP_ADB_asr-cyberark-psm-ssh\n Set Password\n \n \n \n \n 34.71.250.247\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:25","IsoTimestamp":"2021-03-14T12:57:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMP_ADB_asr-cyberark-psm-ssh","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/88_set_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/88_set_password.log-expected.json new file mode 100644 index 00000000000..4a6304a3371 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/88_set_password.log-expected.json 
@@ -0,0 +1,793 @@ +[ + { + "@timestamp": "2021-03-04T19:16:19.000Z", + "cyberarkpas.audit.action": "Set Password", + "cyberarkpas.audit.desc": "Set Password", + "cyberarkpas.audit.iso_timestamp": "2021-03-04T19:16:19Z", + "cyberarkpas.audit.issuer": "PVWAGWUser", + "cyberarkpas.audit.message": "Set Password", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 04 11:16:19", + "event.action": "set password", + "event.code": "88", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-04T19:16:19.000Z", + "cyberarkpas.audit.action": "Set Password", + "cyberarkpas.audit.desc": "Set Password", + "cyberarkpas.audit.iso_timestamp": "2021-03-04T19:16:19Z", + "cyberarkpas.audit.issuer": "PVWAAppUser", + "cyberarkpas.audit.message": "Set Password", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 04 11:16:19", + "event.action": "set password", + "event.code": "88", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 556, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + 
"observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-08T02:54:46.000-02:00", + "cyberarkpas.audit.action": "Set Password", + "cyberarkpas.audit.desc": "Set Password", + "cyberarkpas.audit.issuer": "PVWAGWUser", + "cyberarkpas.audit.message": "Set Password", + "cyberarkpas.audit.rfc5424": false, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "event.action": "set password", + "event.code": "88", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1113, + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T08:29:19.000Z", + "cyberarkpas.audit.action": "Set Password", + "cyberarkpas.audit.desc": "Set Password", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T08:29:19Z", + "cyberarkpas.audit.issuer": "Prov_COMPONENTS", + "cyberarkpas.audit.message": "Set Password", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 10 00:29:19", + "event.action": "set password", + "event.code": "88", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + 
"log.offset": 1571, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T08:29:28.000Z", + "cyberarkpas.audit.action": "Set Password", + "cyberarkpas.audit.desc": "Set Password", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T08:29:28Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Set Password", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 10 00:29:28", + "event.action": "set password", + "event.code": "88", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2132, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T09:11:52.000Z", + "cyberarkpas.audit.action": "Set Password", + "cyberarkpas.audit.desc": "Set Password", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:52Z", + "cyberarkpas.audit.issuer": "PSMPApp_localhost.localdomain", + "cyberarkpas.audit.message": "Set Password", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:52", + "event.action": 
"set password", + "event.code": "88", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2693, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T09:11:52.000Z", + "cyberarkpas.audit.action": "Set Password", + "cyberarkpas.audit.desc": "Set Password", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:52Z", + "cyberarkpas.audit.issuer": "PSMPGW_localhost.localdomain", + "cyberarkpas.audit.message": "Set Password", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:52", + "event.action": "set password", + "event.code": "88", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 3272, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + 
"source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T09:11:55.000Z", + "cyberarkpas.audit.action": "Set Password", + "cyberarkpas.audit.desc": "Set Password", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:55Z", + "cyberarkpas.audit.issuer": "PSMP_ADB_localhost.localdomain", + "cyberarkpas.audit.message": "Set Password", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:55", + "event.action": "set password", + "event.code": "88", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 3850, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T18:46:47.000Z", + "cyberarkpas.audit.action": "Set Password", + 
"cyberarkpas.audit.desc": "Set Password", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T18:46:47Z", + "cyberarkpas.audit.issuer": "PSMApp_VAGRANT", + "cyberarkpas.audit.message": "Set Password", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 10:46:47", + "event.action": "set password", + "event.code": "88", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 4430, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T18:46:47.000Z", + "cyberarkpas.audit.action": "Set Password", + "cyberarkpas.audit.desc": "Set Password", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T18:46:47Z", + "cyberarkpas.audit.issuer": "PSMGw_VAGRANT", + "cyberarkpas.audit.message": "Set Password", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 10:46:47", + "event.action": "set password", + "event.code": "88", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, 
+ "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 4994, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T22:20:12.000Z", + "cyberarkpas.audit.action": "Set Password", + "cyberarkpas.audit.desc": "Set Password", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T22:20:12Z", + "cyberarkpas.audit.issuer": "PSMApp_ASR-WIN", + "cyberarkpas.audit.message": "Set Password", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.timestamp": "Mar 10 14:20:12", + "event.action": "set password", + "event.code": "88", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 5557, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "35.192.121.42" + ], + "service.type": "cyberarkpas", + "source.address": "35.192.121.42", + "source.geo.city_name": "Council Bluffs", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + 
"source.geo.country_name": "United States", + "source.geo.location.lat": 41.2591, + "source.geo.location.lon": -95.8517, + "source.geo.region_iso_code": "US-IA", + "source.geo.region_name": "Iowa", + "source.ip": "35.192.121.42", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T22:20:12.000Z", + "cyberarkpas.audit.action": "Set Password", + "cyberarkpas.audit.desc": "Set Password", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T22:20:12Z", + "cyberarkpas.audit.issuer": "PSMGw_ASR-WIN", + "cyberarkpas.audit.message": "Set Password", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.timestamp": "Mar 10 14:20:12", + "event.action": "set password", + "event.code": "88", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 6121, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "35.192.121.42" + ], + "service.type": "cyberarkpas", + "source.address": "35.192.121.42", + "source.geo.city_name": "Council Bluffs", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 41.2591, + "source.geo.location.lon": -95.8517, + "source.geo.region_iso_code": "US-IA", + "source.geo.region_name": "Iowa", + "source.ip": "35.192.121.42", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-11T16:59:54.000Z", + "cyberarkpas.audit.action": "Set Password", + "cyberarkpas.audit.desc": "Set Password", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:59:54Z", + "cyberarkpas.audit.issuer": 
"PSMPApp_VAGRANT", + "cyberarkpas.audit.message": "Set Password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:59:54\n 2021-03-11T16:59:54Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPApp_VAGRANT\n Set Password\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Set Password\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 08:59:54", + "event.action": "set password", + "event.code": "88", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 6684, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-11T16:59:55.000Z", + "cyberarkpas.audit.action": "Set Password", + "cyberarkpas.audit.desc": "Set Password", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T16:59:55Z", + "cyberarkpas.audit.issuer": "PSMPGW_VAGRANT", + "cyberarkpas.audit.message": "Set Password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:59:55\n 2021-03-11T16:59:55Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPGW_VAGRANT\n Set Password\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Set 
Password\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 08:59:55", + "event.action": "set password", + "event.code": "88", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 8094, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-11T20:10:33.000Z", + "cyberarkpas.audit.action": "Set Password", + "cyberarkpas.audit.desc": "Set Password", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T20:10:33Z", + "cyberarkpas.audit.issuer": "PSMApp_ASR-WIN", + "cyberarkpas.audit.message": "Set Password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 12:10:33\n 2021-03-11T20:10:33Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMApp_ASR-WIN\n Set Password\n \n \n \n \n 34.66.114.180\n \n \n \n \n \n Set Password\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.66.114.180", + "cyberarkpas.audit.timestamp": "Mar 11 12:10:33", + "event.action": "set password", + "event.code": "88", + "event.dataset": "cyberarkpas.audit", + 
"event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 9502, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "34.66.114.180" + ], + "service.type": "cyberarkpas", + "source.address": "34.66.114.180", + "source.geo.city_name": "Council Bluffs", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 41.2591, + "source.geo.location.lon": -95.8517, + "source.geo.region_iso_code": "US-IA", + "source.geo.region_name": "Iowa", + "source.ip": "34.66.114.180", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-14T12:57:25.000Z", + "cyberarkpas.audit.action": "Set Password", + "cyberarkpas.audit.desc": "Set Password", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:57:25Z", + "cyberarkpas.audit.issuer": "PSMPGW_SSH", + "cyberarkpas.audit.message": "Set Password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPGW_SSH\n Set Password\n \n \n \n \n 34.71.250.247\n \n \n \n \n \n Set Password\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 14 05:57:25", + "event.action": "set password", + "event.code": "88", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 10910, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": 
"Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "34.71.250.247" + ], + "service.type": "cyberarkpas", + "source.address": "34.71.250.247", + "source.geo.city_name": "Council Bluffs", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 41.2591, + "source.geo.location.lon": -95.8517, + "source.geo.region_iso_code": "US-IA", + "source.geo.region_name": "Iowa", + "source.ip": "34.71.250.247", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-14T12:57:25.000Z", + "cyberarkpas.audit.action": "Set Password", + "cyberarkpas.audit.desc": "Set Password", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:57:25Z", + "cyberarkpas.audit.issuer": "PSMPApp_SSH", + "cyberarkpas.audit.message": "Set Password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPApp_SSH\n Set Password\n \n \n \n \n 34.71.250.247\n \n \n \n \n \n Set Password\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 14 05:57:25", + "event.action": "set password", + "event.code": "88", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 12310, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "34.71.250.247" + ], + "service.type": "cyberarkpas", + "source.address": "34.71.250.247", + "source.geo.city_name": "Council Bluffs", + "source.geo.continent_name": "North America", + 
"source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 41.2591, + "source.geo.location.lon": -95.8517, + "source.geo.region_iso_code": "US-IA", + "source.geo.region_name": "Iowa", + "source.ip": "34.71.250.247", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-14T12:57:25.000Z", + "cyberarkpas.audit.action": "Set Password", + "cyberarkpas.audit.desc": "Set Password", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:57:25Z", + "cyberarkpas.audit.issuer": "PSMP_ADB_asr-cyberark-psm-ssh", + "cyberarkpas.audit.message": "Set Password", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMP_ADB_asr-cyberark-psm-ssh\n Set Password\n \n \n \n \n 34.71.250.247\n \n \n \n \n \n Set Password\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 14 05:57:25", + "event.action": "set password", + "event.code": "88", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 13712, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "34.71.250.247" + ], + "service.type": "cyberarkpas", + "source.address": "34.71.250.247", + "source.geo.city_name": "Council Bluffs", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 41.2591, + "source.geo.location.lon": -95.8517, + "source.geo.region_iso_code": "US-IA", + "source.geo.region_name": "Iowa", + 
"source.ip": "34.71.250.247", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/8_logoff.log b/x-pack/filebeat/module/cyberarkpas/audit/test/8_logoff.log new file mode 100644 index 00000000000..55eeab9c1a7 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/8_logoff.log 
@@ -0,0 +1,15 @@ +<5>1 2021-03-08T18:19:15Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:19:15","IsoTimestamp":"2021-03-08T18:19:15Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-08T18:59:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:59:23","IsoTimestamp":"2021-03-08T18:59:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-10T08:28:28Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 00:28:28","IsoTimestamp":"2021-03-10T08:28:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PasswordManager","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-10T08:28:29Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
00:28:29","IsoTimestamp":"2021-03-10T08:28:29Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Prov_COMPONENTS","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-10T08:28:30Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 00:28:30","IsoTimestamp":"2021-03-10T08:28:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PVWAGWUser","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-10T08:28:30Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 00:28:30","IsoTimestamp":"2021-03-10T08:28:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PVWAAppUser","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-10T09:11:33Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
01:11:33","IsoTimestamp":"2021-03-10T09:11:33Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-10T09:12:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:12:20","IsoTimestamp":"2021-03-10T09:12:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PSMP_ADB_localhost.localdomain","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-10T09:12:27Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:12:27","IsoTimestamp":"2021-03-10T09:12:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PSMPGW_localhost.localdomain","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-10T22:17:27Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
14:17:27","IsoTimestamp":"2021-03-10T22:17:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-11T17:38:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:13\n 2021-03-11T17:38:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 127.0.0.1\n \n \n \n \n \n Logoff\n 81.32.170.205\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:13","IsoTimestamp":"2021-03-11T17:38:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":"81.32.170.205"}}} +<5>1 2021-03-11T17:48:28Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:28\n 2021-03-11T17:48:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 10.0.2.2\n \n \n \n \n \n Logoff\n 81.32.170.205\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:28","IsoTimestamp":"2021-03-11T17:48:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":"81.32.170.205"}}} +<5>1 2021-03-11T17:49:06Z VAULT 
{"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:49:06\n 2021-03-11T17:49:06Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n PSMPGW_VAGRANT\n Logoff\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Logoff\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:49:06","IsoTimestamp":"2021-03-11T17:49:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PSMPGW_VAGRANT","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-14T12:57:20Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:20\n 2021-03-14T12:57:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 34.71.250.247\n \n \n \n \n \n Logoff\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:20","IsoTimestamp":"2021-03-14T12:57:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-14T13:49:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:36\n 2021-03-14T13:49:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Logoff\n 34.71.250.247\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 
06:49:36","IsoTimestamp":"2021-03-14T13:49:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":"34.71.250.247"}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/8_logoff.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/8_logoff.log-expected.json new file mode 100644 index 00000000000..32dcc1c6653 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/8_logoff.log-expected.json 
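Review bot: The `Station`/`GatewayStation` values in this fixture are real-looking public addresses — `81.32.170.205` (a Spanish ISP range, as the geo enrichment in the expected output shows) and the Google Cloud addresses `34.71.250.247` and `35.192.121.42` — and they will ship in the public repository and in every downstream package that vendors these tests. Unless a real address is needed to exercise `source.geo.*`, the RFC 5737 documentation ranges (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`) are the safer choice for sample data; a residential address in particular is hard to justify keeping. If the geo assertions do require a routable address, a short comment kept alongside the fixtures saying so would spare the next person who scrubs them. The `10.0.1.20`, `10.0.2.2` and `127.0.0.1` entries are fine as they are.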
@@ -0,0 +1,852 @@ +[ + { + "@timestamp": "2021-03-08T18:19:15.000Z", + "cyberarkpas.audit.action": "Logoff", + "cyberarkpas.audit.desc": "Logoff", + "cyberarkpas.audit.iso_timestamp": "2021-03-08T18:19:15Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Logoff", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 08 10:19:15", + "event.action": "logoff", + "event.category": [ + "authentication", + "session" + ], + "event.code": "8", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-08T18:59:23.000Z", + "cyberarkpas.audit.action": "Logoff", + "cyberarkpas.audit.desc": "Logoff", + "cyberarkpas.audit.iso_timestamp": "2021-03-08T18:59:23Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Logoff", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 08 10:59:23", + "event.action": "logoff", + "event.category": [ + "authentication", + "session" + ], + "event.code": "8", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + 
"event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 540, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1" + ], + "related.user": [ + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-10T08:28:28.000Z", + "cyberarkpas.audit.action": "Logoff", + "cyberarkpas.audit.desc": "Logoff", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T08:28:28Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Logoff", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 10 00:28:28", + "event.action": "logoff", + "event.category": [ + "authentication", + "session" + ], + "event.code": "8", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1080, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PasswordManager" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-10T08:28:29.000Z", + "cyberarkpas.audit.action": "Logoff", + 
"cyberarkpas.audit.desc": "Logoff", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T08:28:29Z", + "cyberarkpas.audit.issuer": "Prov_COMPONENTS", + "cyberarkpas.audit.message": "Logoff", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 10 00:28:29", + "event.action": "logoff", + "event.category": [ + "authentication", + "session" + ], + "event.code": "8", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1622, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "Prov_COMPONENTS" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Prov_COMPONENTS" + }, + { + "@timestamp": "2021-03-10T08:28:30.000Z", + "cyberarkpas.audit.action": "Logoff", + "cyberarkpas.audit.desc": "Logoff", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T08:28:30Z", + "cyberarkpas.audit.issuer": "PVWAGWUser", + "cyberarkpas.audit.message": "Logoff", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 10 00:28:30", + "event.action": "logoff", + "event.category": [ + "authentication", + "session" + ], + "event.code": "8", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "fileset.name": "audit", + 
"host.name": "VAULT", + "input.type": "log", + "log.offset": 2164, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PVWAGWUser" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PVWAGWUser" + }, + { + "@timestamp": "2021-03-10T08:28:30.000Z", + "cyberarkpas.audit.action": "Logoff", + "cyberarkpas.audit.desc": "Logoff", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T08:28:30Z", + "cyberarkpas.audit.issuer": "PVWAAppUser", + "cyberarkpas.audit.message": "Logoff", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 10 00:28:30", + "event.action": "logoff", + "event.category": [ + "authentication", + "session" + ], + "event.code": "8", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 2701, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PVWAAppUser" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PVWAAppUser" + }, + { + "@timestamp": "2021-03-10T09:11:33.000Z", + "cyberarkpas.audit.action": "Logoff", + "cyberarkpas.audit.desc": "Logoff", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:33Z", + "cyberarkpas.audit.issuer": 
"Administrator", + "cyberarkpas.audit.message": "Logoff", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:11:33", + "event.action": "logoff", + "event.category": [ + "authentication", + "session" + ], + "event.code": "8", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 3239, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-10T09:12:20.000Z", + "cyberarkpas.audit.action": "Logoff", + "cyberarkpas.audit.desc": "Logoff", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:12:20Z", + "cyberarkpas.audit.issuer": "PSMP_ADB_localhost.localdomain", + "cyberarkpas.audit.message": "Logoff", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:12:20", + "event.action": "logoff", + "event.category": [ + "authentication", + "session" + ], + "event.code": "8", + "event.dataset": 
"cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 3783, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "PSMP_ADB_localhost.localdomain" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PSMP_ADB_localhost.localdomain" + }, + { + "@timestamp": "2021-03-10T09:12:27.000Z", + "cyberarkpas.audit.action": "Logoff", + "cyberarkpas.audit.desc": "Logoff", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T09:12:27Z", + "cyberarkpas.audit.issuer": "PSMPGW_localhost.localdomain", + "cyberarkpas.audit.message": "Logoff", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 01:12:27", + "event.action": "logoff", + "event.category": [ + "authentication", + "session" + ], + "event.code": "8", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 4344, + "log.syslog.priority": "5", + 
"observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "PSMPGW_localhost.localdomain" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PSMPGW_localhost.localdomain" + }, + { + "@timestamp": "2021-03-10T22:17:27.000Z", + "cyberarkpas.audit.action": "Logoff", + "cyberarkpas.audit.desc": "Logoff", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T22:17:27Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Logoff", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.timestamp": "Mar 10 14:17:27", + "event.action": "logoff", + "event.category": [ + "authentication", + "session" + ], + "event.code": "8", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 4903, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "35.192.121.42" + ], + "related.user": [ + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "35.192.121.42", + "source.geo.city_name": "Council Bluffs", + 
"source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 41.2591, + "source.geo.location.lon": -95.8517, + "source.geo.region_iso_code": "US-IA", + "source.geo.region_name": "Iowa", + "source.ip": "35.192.121.42", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-11T17:38:13.000Z", + "cyberarkpas.audit.action": "Logoff", + "cyberarkpas.audit.desc": "Logoff", + "cyberarkpas.audit.gateway_station": "81.32.170.205", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:38:13Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Logoff", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:13\n 2021-03-11T17:38:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 127.0.0.1\n \n \n \n \n \n Logoff\n 81.32.170.205\n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 11 09:38:13", + "destination.address": "81.32.170.205", + "destination.geo.city_name": "Barcelona", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "ES", + "destination.geo.country_name": "Spain", + "destination.geo.location.lat": 41.387, + "destination.geo.location.lon": 2.1701, + "destination.geo.region_iso_code": "ES-B", + "destination.geo.region_name": "Barcelona", + "destination.ip": "81.32.170.205", + "event.action": "logoff", + "event.category": [ + "authentication", + "session" + ], + "event.code": "8", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 5447, + 
"log.syslog.priority": "5", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "81.32.170.205" + ], + "related.user": [ + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-11T17:48:28.000Z", + "cyberarkpas.audit.action": "Logoff", + "cyberarkpas.audit.desc": "Logoff", + "cyberarkpas.audit.gateway_station": "81.32.170.205", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:48:28Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Logoff", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:48:28\n 2021-03-11T17:48:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 10.0.2.2\n \n \n \n \n \n Logoff\n 81.32.170.205\n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.2.2", + "cyberarkpas.audit.timestamp": "Mar 11 09:48:28", + "destination.address": "81.32.170.205", + "destination.geo.city_name": "Barcelona", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "ES", + "destination.geo.country_name": "Spain", + "destination.geo.location.lat": 41.387, + "destination.geo.location.lon": 2.1701, + "destination.geo.region_iso_code": "ES-B", + "destination.geo.region_name": "Barcelona", + "destination.ip": "81.32.170.205", + "event.action": "logoff", + "event.category": [ + "authentication", + "session" + ], + "event.code": "8", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "fileset.name": "audit", + 
"host.name": "VAULT", + "input.type": "log", + "log.offset": 6833, + "log.syslog.priority": "5", + "network.direction": "outbound", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.2.2", + "81.32.170.205" + ], + "related.user": [ + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.2.2", + "source.ip": "10.0.2.2", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-11T17:49:06.000Z", + "cyberarkpas.audit.action": "Logoff", + "cyberarkpas.audit.desc": "Logoff", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T17:49:06Z", + "cyberarkpas.audit.issuer": "PSMPGW_VAGRANT", + "cyberarkpas.audit.message": "Logoff", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:49:06\n 2021-03-11T17:49:06Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n PSMPGW_VAGRANT\n Logoff\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Logoff\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 11 09:49:06", + "event.action": "logoff", + "event.category": [ + "authentication", + "session" + ], + "event.code": "8", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 8217, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "related.user": [ + "PSMPGW_VAGRANT" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", 
+ "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PSMPGW_VAGRANT" + }, + { + "@timestamp": "2021-03-14T12:57:20.000Z", + "cyberarkpas.audit.action": "Logoff", + "cyberarkpas.audit.desc": "Logoff", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T12:57:20Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Logoff", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:20\n 2021-03-14T12:57:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 34.71.250.247\n \n \n \n \n \n Logoff\n \n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "34.71.250.247", + "cyberarkpas.audit.timestamp": "Mar 14 05:57:20", + "event.action": "logoff", + "event.category": [ + "authentication", + "session" + ], + "event.code": "8", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 9587, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "34.71.250.247" + ], + "related.user": [ + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "34.71.250.247", + "source.geo.city_name": "Council Bluffs", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + 
"source.geo.location.lat": 41.2591, + "source.geo.location.lon": -95.8517, + "source.geo.region_iso_code": "US-IA", + "source.geo.region_name": "Iowa", + "source.ip": "34.71.250.247", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + }, + { + "@timestamp": "2021-03-14T13:49:36.000Z", + "cyberarkpas.audit.action": "Logoff", + "cyberarkpas.audit.desc": "Logoff", + "cyberarkpas.audit.gateway_station": "34.71.250.247", + "cyberarkpas.audit.iso_timestamp": "2021-03-14T13:49:36Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Logoff", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:49:36\n 2021-03-14T13:49:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Logoff\n 34.71.250.247\n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 14 06:49:36", + "destination.address": "34.71.250.247", + "destination.geo.city_name": "Council Bluffs", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 41.2591, + "destination.geo.location.lon": -95.8517, + "destination.geo.region_iso_code": "US-IA", + "destination.geo.region_name": "Iowa", + "destination.ip": "34.71.250.247", + "event.action": "logoff", + "event.category": [ + "authentication", + "session" + ], + "event.code": "8", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "end" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 10955, + "log.syslog.priority": "5", + "network.direction": "external", + "observer.hostname": "VAULT", + 
"observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205", + "34.71.250.247" + ], + "related.user": [ + "Administrator" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "Administrator" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/98_open_file_write_only.log b/x-pack/filebeat/module/cyberarkpas/audit/test/98_open_file_write_only.log new file mode 100644 index 00000000000..f3062f7ea56 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/98_open_file_write_only.log 
@@ -0,0 +1,4 @@
+<5>1 2021-03-08T18:24:50Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:24:50","IsoTimestamp":"2021-03-08T18:24:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"98","Desc":"Open File (Write Only)","Severity":"Info","Issuer":"PVWAAppUser","Action":"Open File (Write Only)","SourceUser":"","TargetUser":"","Safe":"PVWAPrivateUserPrefs","File":"Root\\YWRtaW5pc3RyYXRvcg==","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Open File (Write Only)","GatewayStation":""}}}
+<5>1 2021-03-10T18:44:08Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:44:08","IsoTimestamp":"2021-03-10T18:44:08Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"98","Desc":"Open File (Write Only)","Severity":"Info","Issuer":"Administrator","Action":"Open File (Write Only)","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"ROOT\\PVConfiguration.xml","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Open File (Write Only)","GatewayStation":""}}}
+<5>1 2021-03-10T22:17:40Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:40","IsoTimestamp":"2021-03-10T22:17:40Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"98","Desc":"Open File (Write Only)","Severity":"Info","Issuer":"Administrator","Action":"Open File (Write Only)","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"ROOT\\PVConfiguration.xml","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Open File (Write Only)","GatewayStation":""}}}
+<5>1 2021-03-11T19:45:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n 
Mar 11 11:45:26\n 2021-03-11T19:45:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 98\n Open File (Write Only)\n Info\n Administrator\n Open File (Write Only)\n \n \n PVWAConfig\n Root\\PVConfiguration.xml\n 127.0.0.1\n \n \n \n \n \n Open File (Write Only)\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 11:45:26","IsoTimestamp":"2021-03-11T19:45:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"98","Desc":"Open File (Write Only)","Severity":"Info","Issuer":"Administrator","Action":"Open File (Write Only)","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"Root\\PVConfiguration.xml","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Open File (Write Only)","GatewayStation":"10.0.1.20"}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/98_open_file_write_only.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/98_open_file_write_only.log-expected.json
new file mode 100644
index 00000000000..b0d96a096c2
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/98_open_file_write_only.log-expected.json
@@ -0,0 +1,188 @@ +[ + { + "@timestamp": "2021-03-08T18:24:50.000Z", + "cyberarkpas.audit.action": "Open File (Write Only)", + "cyberarkpas.audit.desc": "Open File (Write Only)", + "cyberarkpas.audit.file": "Root\\YWRtaW5pc3RyYXRvcg==", + "cyberarkpas.audit.iso_timestamp": "2021-03-08T18:24:50Z", + "cyberarkpas.audit.issuer": "PVWAAppUser", + "cyberarkpas.audit.message": "Open File (Write Only)", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PVWAPrivateUserPrefs", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 08 10:24:50", + "event.action": "open file (write only)", + "event.code": "98", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\YWRtaW5pc3RyYXRvcg==", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T18:44:08.000Z", + "cyberarkpas.audit.action": "Open File (Write Only)", + "cyberarkpas.audit.desc": "Open File (Write Only)", + "cyberarkpas.audit.file": "ROOT\\PVConfiguration.xml", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T18:44:08Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Open File (Write Only)", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PVWAConfig", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "81.32.170.205", + "cyberarkpas.audit.timestamp": "Mar 10 10:44:08", + "event.action": "open file (write only)", + "event.code": "98", + 
"event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "ROOT\\PVConfiguration.xml", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 633, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "81.32.170.205" + ], + "service.type": "cyberarkpas", + "source.address": "81.32.170.205", + "source.geo.city_name": "Barcelona", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 41.387, + "source.geo.location.lon": 2.1701, + "source.geo.region_iso_code": "ES-B", + "source.geo.region_name": "Barcelona", + "source.ip": "81.32.170.205", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-10T22:17:40.000Z", + "cyberarkpas.audit.action": "Open File (Write Only)", + "cyberarkpas.audit.desc": "Open File (Write Only)", + "cyberarkpas.audit.file": "ROOT\\PVConfiguration.xml", + "cyberarkpas.audit.iso_timestamp": "2021-03-10T22:17:40Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Open File (Write Only)", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PVWAConfig", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "35.192.121.42", + "cyberarkpas.audit.timestamp": "Mar 10 14:17:40", + "event.action": "open file (write only)", + "event.code": "98", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "ROOT\\PVConfiguration.xml", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1261, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + 
"observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "35.192.121.42" + ], + "service.type": "cyberarkpas", + "source.address": "35.192.121.42", + "source.geo.city_name": "Council Bluffs", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 41.2591, + "source.geo.location.lon": -95.8517, + "source.geo.region_iso_code": "US-IA", + "source.geo.region_name": "Iowa", + "source.ip": "35.192.121.42", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-11T19:45:26.000Z", + "cyberarkpas.audit.action": "Open File (Write Only)", + "cyberarkpas.audit.desc": "Open File (Write Only)", + "cyberarkpas.audit.file": "Root\\PVConfiguration.xml", + "cyberarkpas.audit.gateway_station": "10.0.1.20", + "cyberarkpas.audit.iso_timestamp": "2021-03-11T19:45:26Z", + "cyberarkpas.audit.issuer": "Administrator", + "cyberarkpas.audit.message": "Open File (Write Only)", + "cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 11:45:26\n 2021-03-11T19:45:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 98\n Open File (Write Only)\n Info\n Administrator\n Open File (Write Only)\n \n \n PVWAConfig\n Root\\PVConfiguration.xml\n 127.0.0.1\n \n \n \n \n \n Open File (Write Only)\n 10.0.1.20\n \n\n", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PVWAConfig", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "127.0.0.1", + "cyberarkpas.audit.timestamp": "Mar 11 11:45:26", + "destination.address": "10.0.1.20", + "destination.ip": "10.0.1.20", + "event.action": "open file (write only)", + "event.code": "98", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\PVConfiguration.xml", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": 
"log", + "log.offset": 1889, + "log.syslog.priority": "5", + "network.direction": "internal", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "127.0.0.1", + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/99_open_file.log b/x-pack/filebeat/module/cyberarkpas/audit/test/99_open_file.log new file mode 100644 index 00000000000..ad94c953cc7 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/99_open_file.log @@ -0,0 +1 @@ +<5>1 2021-03-04T19:10:05Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:10:05","IsoTimestamp":"2021-03-04T19:10:05Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"99","Desc":"Open File","Severity":"Info","Issuer":"PVWAAppUser","Action":"Open File","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"Root\\EPMConfiguration.xml","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Open File","GatewayStation":""}}} diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/99_open_file.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/99_open_file.log-expected.json new file mode 100644 index 00000000000..431b5c10a27 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/99_open_file.log-expected.json 
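Review bot: The file-operation records in this fixture carry `file.path` and `event.code` 98 but no `event.category` or `event.type`, whereas the logon/logoff records in `rfc5424syslog.log-expected.json` are categorised as `authentication`/`session` with `start`/`end`. The same gap is visible in `99_open_file.log-expected.json`, `legacysyslog.log-expected.json` and the Retrieve File record (code 51) of `rfc5424syslog.log-expected.json`. Detections keyed on `event.category: file`, the natural way to watch reads and writes of safes such as `PVWAConfig`, will not match these events. The mapping lives in the ingest pipeline, which is outside this hunk; from the output alone it looks like codes 51/99 should get `event.category: ["file"]` with `event.type: ["access"]`, and 98 (write only) presumably `["change"]`, after which these expected files would need regenerating.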
@@ -0,0 +1,43 @@ +[ + { + "@timestamp": "2021-03-04T19:10:05.000Z", + "cyberarkpas.audit.action": "Open File", + "cyberarkpas.audit.desc": "Open File", + "cyberarkpas.audit.file": "Root\\EPMConfiguration.xml", + "cyberarkpas.audit.iso_timestamp": "2021-03-04T19:10:05Z", + "cyberarkpas.audit.issuer": "PVWAAppUser", + "cyberarkpas.audit.message": "Open File", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PVWAConfig", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 04 11:10:05", + "event.action": "open file", + "event.code": "99", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\EPMConfiguration.xml", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/legacysyslog.log b/x-pack/filebeat/module/cyberarkpas/audit/test/legacysyslog.log new file mode 100644 index 00000000000..e454ec622b8 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/legacysyslog.log 
@@ -0,0 +1 @@
+Mar 08 03:41:01 VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"51","Desc":"Retrieve File","Severity":"Info","Issuer":"PasswordManager","Action":"Retrieve File","SourceUser":"","TargetUser":"","Safe":"PasswordManagerShared","File":"Root\\Policies\\Policy-BusinessWebsite.ini","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Retrieve File","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/legacysyslog.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/legacysyslog.log-expected.json
new file mode 100644
index 00000000000..14b87c8867c
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/legacysyslog.log-expected.json
@@ -0,0 +1,40 @@ +[ + { + "@timestamp": "2021-03-08T03:41:01.000-02:00", + "cyberarkpas.audit.action": "Retrieve File", + "cyberarkpas.audit.desc": "Retrieve File", + "cyberarkpas.audit.file": "Root\\Policies\\Policy-BusinessWebsite.ini", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Retrieve File", + "cyberarkpas.audit.rfc5424": false, + "cyberarkpas.audit.safe": "PasswordManagerShared", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "event.action": "retrieve file", + "event.code": "51", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Policies\\Policy-BusinessWebsite.ini", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/rfc5424syslog.log b/x-pack/filebeat/module/cyberarkpas/audit/test/rfc5424syslog.log new file mode 100644 index 00000000000..f5774af5ef9 --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/rfc5424syslog.log 
@@ -0,0 +1,4 @@
+<5>1 2021-03-04T17:27:14Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 09:27:14","IsoTimestamp":"2021-03-04T17:27:14Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PVWAGWUser","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}}
+<5>1 2021-03-04T17:27:21Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 09:27:21","IsoTimestamp":"2021-03-04T17:27:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PasswordManager","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}}
+<5>1 2021-03-04T17:27:21Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 09:27:21","IsoTimestamp":"2021-03-04T17:27:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"51","Desc":"Retrieve File","Severity":"Info","Issuer":"PasswordManager","Action":"Retrieve File","SourceUser":"","TargetUser":"","Safe":"PasswordManagerShared","File":"Root\\Policies\\Policy-GenericWebApp.ini","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Retrieve File","GatewayStation":""}}}
+<5>1 2021-03-04T17:27:33Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 
09:27:33","IsoTimestamp":"2021-03-04T17:27:33Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PVWAAppUser","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}}
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/rfc5424syslog.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/rfc5424syslog.log-expected.json
new file mode 100644
index 00000000000..f3c5e458aef
--- /dev/null
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/rfc5424syslog.log-expected.json
@@ -0,0 +1,193 @@ +[ + { + "@timestamp": "2021-03-04T17:27:14.000Z", + "cyberarkpas.audit.action": "Logon", + "cyberarkpas.audit.desc": "Logon", + "cyberarkpas.audit.iso_timestamp": "2021-03-04T17:27:14Z", + "cyberarkpas.audit.issuer": "PVWAGWUser", + "cyberarkpas.audit.message": "Logon", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 04 09:27:14", + "event.action": "authentication_success", + "event.category": [ + "authentication", + "session" + ], + "event.code": "7", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 0, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PVWAGWUser" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PVWAGWUser" + }, + { + "@timestamp": "2021-03-04T17:27:21.000Z", + "cyberarkpas.audit.action": "Logon", + "cyberarkpas.audit.desc": "Logon", + "cyberarkpas.audit.iso_timestamp": "2021-03-04T17:27:21Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Logon", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 04 09:27:21", + "event.action": "authentication_success", + "event.category": [ + "authentication", + "session" + ], + "event.code": "7", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + 
"event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 534, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PasswordManager" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PasswordManager" + }, + { + "@timestamp": "2021-03-04T17:27:21.000Z", + "cyberarkpas.audit.action": "Retrieve File", + "cyberarkpas.audit.desc": "Retrieve File", + "cyberarkpas.audit.file": "Root\\Policies\\Policy-GenericWebApp.ini", + "cyberarkpas.audit.iso_timestamp": "2021-03-04T17:27:21Z", + "cyberarkpas.audit.issuer": "PasswordManager", + "cyberarkpas.audit.message": "Retrieve File", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.safe": "PasswordManagerShared", + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 04 09:27:21", + "event.action": "retrieve file", + "event.code": "51", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.severity": 2, + "event.timezone": "-02:00", + "file.path": "Root\\Policies\\Policy-GenericWebApp.ini", + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1073, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ] + }, + { + "@timestamp": "2021-03-04T17:27:33.000Z", + 
"cyberarkpas.audit.action": "Logon", + "cyberarkpas.audit.desc": "Logon", + "cyberarkpas.audit.iso_timestamp": "2021-03-04T17:27:33Z", + "cyberarkpas.audit.issuer": "PVWAAppUser", + "cyberarkpas.audit.message": "Logon", + "cyberarkpas.audit.rfc5424": true, + "cyberarkpas.audit.severity": "Info", + "cyberarkpas.audit.station": "10.0.1.20", + "cyberarkpas.audit.timestamp": "Mar 04 09:27:33", + "event.action": "authentication_success", + "event.category": [ + "authentication", + "session" + ], + "event.code": "7", + "event.dataset": "cyberarkpas.audit", + "event.kind": "event", + "event.module": "cyberarkpas", + "event.outcome": "success", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "start" + ], + "fileset.name": "audit", + "host.name": "VAULT", + "input.type": "log", + "log.offset": 1698, + "log.syslog.priority": "5", + "observer.hostname": "VAULT", + "observer.product": "Vault", + "observer.vendor": "Cyber-Ark", + "observer.version": "11.7.0000", + "related.ip": [ + "10.0.1.20" + ], + "related.user": [ + "PVWAAppUser" + ], + "service.type": "cyberarkpas", + "source.address": "10.0.1.20", + "source.ip": "10.0.1.20", + "tags": [ + "cyberarkpas.audit", + "forwarded" + ], + "user.name": "PVWAAppUser" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberarkpas/fields.go b/x-pack/filebeat/module/cyberarkpas/fields.go new file mode 100644 index 00000000000..2e48ca8da6d --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/fields.go 
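Review bot: `event.action` mixes two conventions in this fixture set: the logon records here are normalised to `authentication_success` (and logoff to `logoff` in the earlier fixture), while every file operation keeps the lower-cased vendor description with spaces and parentheses, e.g. `retrieve file` in this same file and `open file (write only)` in `98_open_file_write_only.log-expected.json`. Any rule or dashboard that filters on `event.action` has to know both styles. The pipeline that sets the value is outside this hunk; one consistent scheme, either snake_case tokens for every code or the lower-cased `Desc` for every code, would make the dataset easier to query, and the expected files would then need regenerating.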
@@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package cyberarkpas + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "cyberarkpas", asset.ModuleFieldsPri, AssetCyberarkpas); err != nil { + panic(err) + } +} + +// AssetCyberarkpas returns asset data. +// This is the base64 encoded gzipped contents of module/cyberarkpas. +func AssetCyberarkpas() string { + return "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" +} diff --git a/x-pack/filebeat/module/cyberarkpas/module.yml b/x-pack/filebeat/module/cyberarkpas/module.yml new file mode 100644 index 00000000000..411b4945cde --- /dev/null +++ b/x-pack/filebeat/module/cyberarkpas/module.yml @@ -0,0 +1,3 @@ +dashboards: + - id: eb12ef60-96f6-11eb-bbf8-d77aef8ad7a6 + file: Filebeat-cyberarkpas-audit.json diff --git a/x-pack/filebeat/modules.d/cyberarkpas.yml.disabled b/x-pack/filebeat/modules.d/cyberarkpas.yml.disabled new file mode 100644 index 00000000000..2045718a6b7 --- /dev/null +++ b/x-pack/filebeat/modules.d/cyberarkpas.yml.disabled 
@@ -0,0 +1,27 @@
+# Module: cyberarkpas
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-cyberarkpas.html
+
+- module: cyberarkpas
+ audit:
+ enabled: true
+
+ # Set which input to use between tcp (default), udp, or file.
+ #
+ # var.input: tcp
+
+ # var.syslog_host: localhost
+ # var.syslog_port: 9301
+
+ # With tcp input, set the optional tls configuration:
+ #var.ssl:
+ # enabled: true
+ # certificate: /path/to/cert.pem
+ # key: /path/to/privatekey.pem
+ # key_passphrase: 'password for my key'
+
+ # Uncoment to keep the original syslog event under event.original.
+ # var.preserve_original_event: true
+
+ # Set paths for the log files when file input is used.
+ # var.paths:
+
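Review bot: With `var.input` defaulting to `tcp` and the whole `#var.ssl:` block commented out, the shipped configuration listens on port 9301 for Vault audit records in clear text, and nothing in the file says so; I would add next to the TLS block `# Without var.ssl the listener accepts audit records unencrypted; enable it whenever the Vault is on another host.` The example `key_passphrase: 'password for my key'` shows a secret written inline, and since this file typically ends up in version control a Filebeat keystore reference (`${...}` syntax) would be the better example. `# Uncoment` a few lines below should read `# Uncomment`.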