Can Splunk index events from my Checkpoint firewall logs? If so, how can I set that up?
Hi, Starlette -
I'm running the Splunk lea-loggrabber on 64-bit Linux, so I don't think that's the source of your issue. It appears that your lea enviroment isn't setup properly. Are you trying to import events from SmartCenter or from Provider-1?
Hello,
Should this work on 64 bit linux with de default app? It looks like everything is running fine but I get no sourcetype or events
Running –debug gives :
04-26-2010 10:33:01.680 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/lea-loggrabber-splunk/bin/lea-loggrabber.sh" opsec environment initialized successfully...opsec client, server entities initialized successfully...start handler called ...reading from start of log...end handler called ...
lea.conf
opsec_sic_name "CN=SplunkLEA,O=idxxxxxxxxxxxxxx"
opsec_sslca_file /opt/splunk/etc/apps/lea-loggrabber-splunk/opsec-tools/linux22/opsec.p12
lea_server ip 10.0.1.xx
lea_server auth_port 18184
lea_server auth_type sslca_comp
opsec_entity_sic_name ="cn=cp_mgmt,o=xxxxxxxxxxxxx"
input.conf
[script://./bin/lea-loggrabber.sh]
interval = 60
sourcetype = opsec
disabled = false
lea-loggrabber.sh
#!/bin/bash
cd $SPLUNK_HOME/etc/apps/lea-loggrabber-splunk/bin
./lea_loggrabber --lea-config-file $SPLUNK_HOME/etc/apps/lea-loggrabber-splunk/default/lea.conf
$SPLUNK_HOME is setted
No errors in splunkd
I've got a patch against lea-loggrabber which I would like to submit. From looking to the Google Code project it appears that there is only one person with commit privs. Please could someone either grant me perms to commit a patch to the repo or else spell out a workflow for this?
Cheers, --Trey
Yes it can. See this page for detailed instruction on how to set that up.
http://www.splunk.com/wiki/Apps:Configure_OPSEC_LEA_input
Also, note that the solution provided via this link includes an executable that works on Linux and Solaris only.
However, the open source project for the lea-loggrabber portion of it is now available here: