Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Check Point object name resolution

Peter
Path Finder
‎05-09-2011 07:39 AM

Just finished configuring the lea-loggrabber to get logs from some Check Point hosts. All is working correctly except I want to turn object name resolution off. Looks like it might be a command line parameter (--noresolve), but I can't get it to run successfully (http://www.sourcefiles.org/Miscellaneous/fw1-loggrabber-1.9.2.tar.gz.shtml)

Anyone done this?

Reply
1 Solution
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎12-19-2011 01:19 PM

With the contribution of Splunk Answers user treyka, we we were able to patch and recompile the lea_loggrabber Linux binary to outputs semi-colons as delimiters between field/value pairs:

  • Before:

    loc=2445861 filename=fw.log fileid=1314230340 time=25Aug2011 12:40:58 action=drop orig=FIREWALLNAME i/f_dir=inbound i/f_name=eth-s2p2c0 has_accounting=0 product=VPN-1 & FireWall-1 __policy_id_tag=product=VPN-1 & FireWall-1[db_tag={AAAAAAA-BBBBB-CCCCCC-DDDDDDD-EEEEEEEEEE};mgmt=LAB-CMA;date=1310743754;policy_name=ABCD_Policy] rule=77 rule_uid={19AD44C1-79E0-422F-91A6-FF2E6A818EEE} SmartDefense profile=No Protection src=1.2.3.4 s_port=40552 dst=4.3.2.1service=snmp-read proto=udp

  • After:

    time=26Aug2011 12:34:34;action=drop;fw=1.2.3.4;if_dir=inbound;if_name=eth-s2p2c0;mgmt=LAB-CMA;policy_name=ABCD_Policy;rule=77;src=1.2.3.4;s_port=11334;dst=4.3.2.1;d_port=161;proto=udp;

In addition, this patched version of lea_loggrabber accepts new, mutually exclusive parameters to control the name resolution of objects:

  • The option --resolve will cause objects to be resolved, as is currently the case. Example:

    time= 4Aug2011 22:47:52;action=accept;fw=Win2k3-86sup01;if_dir=inbound;if_name=E1G606;mgmt=Win2k3-86sup01;policy_name=Standard;rule=2;rule_name=LEA traffic;service_id=FW1_lea;src=beefysup01.splunk.com;s_port=33776;dst=Win2k3-86sup01;d_port=FW1_lea;proto=tcp;

  • The option --no-resolve will prevent object name resolution. Example:

    time= 4Aug2011 22:47:00;action=accept;fw=10.160.31.56;if_dir=inbound;if_name=E1G606;mgmt=Win2k3-86sup01;policy_name=Standard;rule=2;rule_name=LEA traffic;service_id=FW1_lea;src=10.1.12.1;s_port=47250;dst=10.160.31.56;d_port=18184;proto=tcp;

Some important remarks:

  • This patched version of the lea_loggrabber binary is not currently integrated to the app packaged on splunkbase. It can be obtained by requesting it from Splunk Support. Please open a support case if you would like to receive it.
  • Only the Linux (32bit/64bit) version of the lea_loggrabber binary has been recompiled with this patch.
  • The patched binary will be provided "as is". It has not been tested by Splunk Quality Assurance, which is why it has not yet been integrated in the package available on splunkbase.

View solution in original post

Reply
Solved! Jump to solution

jcoates_splunk
Splunk Employee
Splunk Employee
‎12-18-2014 02:49 PM

Support just brought this page to my attention... greetings from late 2014, we come in peace. There is now an official and supported OPSEC LEA solution for Linux: https://apps.splunk.com/app/1454 and Solaris: https://apps.splunk.com/app/1453

The semicolon delimiter thing is not in there, but you can toggle no-resolve. http://docs.splunk.com/Documentation/OPSEC-LEA/latest/Install/ConfiguretheLEAclient for instructions.

Reply
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎12-19-2011 01:19 PM

With the contribution of Splunk Answers user treyka, we we were able to patch and recompile the lea_loggrabber Linux binary to outputs semi-colons as delimiters between field/value pairs:

  • Before:

    loc=2445861 filename=fw.log fileid=1314230340 time=25Aug2011 12:40:58 action=drop orig=FIREWALLNAME i/f_dir=inbound i/f_name=eth-s2p2c0 has_accounting=0 product=VPN-1 & FireWall-1 __policy_id_tag=product=VPN-1 & FireWall-1[db_tag={AAAAAAA-BBBBB-CCCCCC-DDDDDDD-EEEEEEEEEE};mgmt=LAB-CMA;date=1310743754;policy_name=ABCD_Policy] rule=77 rule_uid={19AD44C1-79E0-422F-91A6-FF2E6A818EEE} SmartDefense profile=No Protection src=1.2.3.4 s_port=40552 dst=4.3.2.1service=snmp-read proto=udp

  • After:

    time=26Aug2011 12:34:34;action=drop;fw=1.2.3.4;if_dir=inbound;if_name=eth-s2p2c0;mgmt=LAB-CMA;policy_name=ABCD_Policy;rule=77;src=1.2.3.4;s_port=11334;dst=4.3.2.1;d_port=161;proto=udp;

In addition, this patched version of lea_loggrabber accepts new, mutually exclusive parameters to control the name resolution of objects:

  • The option --resolve will cause objects to be resolved, as is currently the case. Example:

    time= 4Aug2011 22:47:52;action=accept;fw=Win2k3-86sup01;if_dir=inbound;if_name=E1G606;mgmt=Win2k3-86sup01;policy_name=Standard;rule=2;rule_name=LEA traffic;service_id=FW1_lea;src=beefysup01.splunk.com;s_port=33776;dst=Win2k3-86sup01;d_port=FW1_lea;proto=tcp;

  • The option --no-resolve will prevent object name resolution. Example:

    time= 4Aug2011 22:47:00;action=accept;fw=10.160.31.56;if_dir=inbound;if_name=E1G606;mgmt=Win2k3-86sup01;policy_name=Standard;rule=2;rule_name=LEA traffic;service_id=FW1_lea;src=10.1.12.1;s_port=47250;dst=10.160.31.56;d_port=18184;proto=tcp;

Some important remarks:

  • This patched version of the lea_loggrabber binary is not currently integrated to the app packaged on splunkbase. It can be obtained by requesting it from Splunk Support. Please open a support case if you would like to receive it.
  • Only the Linux (32bit/64bit) version of the lea_loggrabber binary has been recompiled with this patch.
  • The patched binary will be provided "as is". It has not been tested by Splunk Quality Assurance, which is why it has not yet been integrated in the package available on splunkbase.
Reply
Solved! Jump to solution

Peter
Path Finder
‎05-17-2011 10:41 AM

Anyone have any experience with the fw1-loggrabber?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...