Splunk Search

Loggraber - how to get all logs exept action=accept from CP

clanglais
Explorer

Hi,

I'm trying to get less logs from CheckPoint Firewall (75.4) into a Splunk server (v 6).

I just want to have all logs exept action=accept.

I tried to change filter in /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/fw1-loggrabber.conf.

For example, I add FW1_FILTER_RULE="action!=accept"

But I think it don't works because when I try a new search with Splunk, I have lot of new logs with action=accept

Any idea?

Thanks !

1 Solution

araitz
Splunk Employee
Splunk Employee

See the answer above in the comment. One thing to note is that there is a bug in the OPSEC LEA SDK (i.e. the one that CheckPoint provides) that makes FW1_FILTER_RULE not work.

View solution in original post

araitz
Splunk Employee
Splunk Employee

See the answer above in the comment. One thing to note is that there is a bug in the OPSEC LEA SDK (i.e. the one that CheckPoint provides) that makes FW1_FILTER_RULE not work.

clanglais
Explorer

I see,

This solution Works for me, Thanks a lot !

0 Karma

Chubbybunny
Splunk Employee
Splunk Employee

use overrides (props & transforms) to filter out the unwanted events.

props.conf

[opsec]
TRANSFORMS = carrot, rabbit_hole

transforms.conf

[rabbit_hole]
REGEX = action=accept 
DEST_KEY = queue 
FORMAT = nullQueue


[carrot]
REGEX=.
DEST_KEY = queue
FORMAT = indexQueue

** ascii art (optional) **

(\__/)
(='.'=)
(")_(")
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...