Solved: Splunk Add-on for Check Point OPSEC LEA: We ingest...

edwardrose · ‎06-14-2016

Hello All,

I have a question about Splunk's App for Checkpoint OPSEC LEA from our firewall administrator. We currently ingest about 60GB/day of CP logs, but the admin only sees about 15GB/day of logs on his CP device. Why is there such a high discrepancy? As far as I can tell, the Splunk app is working as it should and we are not getting any errors.

Any thoughts?

thanks
ed

somesoni2 · ‎06-14-2016

Check Splunk's license_usage log to find out distribution of the 60GB license usage by index/host/source/sourcetype and validate that with your Firewall admin that he's including all those index/host/source/sourcetype into his calculation.

index=_internal sourcetype=splunkd source=*license_usage.log type=usage

fields - idx (index) h (host) s (source) and st (sourcetype)

View solution in original post

somesoni2 · ‎06-14-2016

Check Splunk's license_usage log to find out distribution of the 60GB license usage by index/host/source/sourcetype and validate that with your Firewall admin that he's including all those index/host/source/sourcetype into his calculation.

index=_internal sourcetype=splunkd source=*license_usage.log type=usage

fields - idx (index) h (host) s (source) and st (sourcetype)

edwardrose · ‎06-14-2016

I think I figured it out. Check Point logs are in binary format and the add-on converts the data from binary to ascii format which would account for the 4x difference in log sizes.

Splunk Add-on for Check Point OPSEC LEA: We ingest 60GB/day of logs, but why does our admin only see 15GB/day of logs on his Check Point device?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life