With previous versions of the Splunk Add-on for Check Point OPSEC LEA, we could manually configure fw1-loggrabber.conf in order to filter what events we collected from the device, example:
FW1_FILTER_RULE="action=drop,reject,block"
The new version 4.0.0 has this feature removed:
2016-06-02 ADDON-8992 Remove support for direct configuration of lea_loggrabber. fw1-loggrabber.conf has been removed.
What should be the correct way to filter the collected events in order to not fill the license with unwanted events?
You can select the type of data you want downloaded from the Check Point device when configuring an input:
In the Data menu, choose the data you want to collect for the input.
Non-Audit: Collects all event types except audit events.
Firewall Events: Collects firewall events only.
Firewall Audit: Collects audit events only.
SmartDefense (Smart Defense): Collects Smart Defense events only.
VPN (Virtual Private Network): Collects VPN events only.
Hi, thanks for your reply.
We only want to collect firewall events that match the following action types: "action=drop,reject,block".
Just configuring the input for firewall events will also collect "action=allow" and other action types, events that we don't need and that, by volume, kill our enterprise license in about 8-9 hours. Also, the fact that on every connection we are downloading everything puts an extra load on the Splunk server, as we have to filter the events at indexing time.
As said previously, doing a quick props/transform job works, but it would be nice to have more configuration flexibility as we had on previous versions.
Regards 😉
Hi aosso, You can configure the forwarder with props and transforms config to drop any events matching a certain pattern. More info can be found here http://docs.splunk.com/Documentation/Splunk/6.4.1/Forwarding/Routeandfilterdatad, but essentially
# props
[loggrabber_sourcetype]
TRANSFORMS-null= setnull
# transforms
[setnull]
REGEX = (drop|reject|block)
DEST_KEY = queue
FORMAT = nullQueue
You'll want to modify the regex to match only the events you want, but this will prompt Splunk to filter out such events, thus avoiding the license hit at index time.
Please let me know if this answers your question!
I didn't go for this path at first as this way we are actually downloading all events from the CMA while in previous version we only downloaded the filtered events.
So it would be nice to be able to keep doing that, just to reduce network traffic between the CMA and Splunk.
Meanwhile, applying this solution works until we can apply filters to the collecting process 🙂
#props.conf
[opsec]
TRANSFORMS-drops = opsecnull, opsecparsing
#transforms.conf
[opsecnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[opsecparsing]
REGEX = (drop|reject|block)
DEST_KEY = queue
FORMAT = indexQueue
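To see why the two stanzas above have to be listed in that order, and why the regex should be tied to the action field rather than matched anywhere in the event, here is an added simulation of how Splunk resolves several transforms that all write DEST_KEY = queue (the last matching transform wins). This is example code written for this thread, not part of the add-on or of Splunk; the sample events are constructed in the key=value style the OPSEC LEA input produces and are not real Check Point logs.

```python
import re

# Constructed sample events (not real Check Point output). Event 4 is an
# accepted connection whose rule name merely contains the word "block".
SAMPLE_EVENTS = [
    "time=1Jun2016 10:00:01 action=accept orig=10.0.0.1 rule=5 service=http",
    "time=1Jun2016 10:00:02 action=drop orig=10.0.0.2 rule=99 service=telnet",
    "time=1Jun2016 10:00:03 action=reject orig=10.0.0.3 rule=42 service=ssh",
    "time=1Jun2016 10:00:04 action=accept orig=10.0.0.4 rule_name=block_list service=dns",
    "time=1Jun2016 10:00:05 action=block orig=10.0.0.5 rule=7 service=smb",
]

# transforms.conf stanzas modelled as (REGEX, FORMAT) pairs, in the order
# named in TRANSFORMS-drops. DEST_KEY is "queue" for every stanza here.
TRANSFORMS_DROPS = [
    (r".", "nullQueue"),                             # [opsecnull]: send everything to null ...
    (r"action=(drop|reject|block)", "indexQueue"),   # [opsecparsing]: ... then rescue wanted actions
]

# Same idea with the unanchored regex from the thread: matches the word anywhere.
LOOSE_TRANSFORMS_DROPS = [
    (r".", "nullQueue"),
    (r"(drop|reject|block)", "indexQueue"),
]

def route_event(raw, transforms):
    """Apply transforms in order; each matching one overwrites the queue,
    so the final value decides where the event goes."""
    queue = "indexQueue"  # default destination when no transform redirects the event
    for regex, fmt in transforms:
        if re.search(regex, raw):
            queue = fmt
    return queue

def indexed_events(events, transforms):
    """Return only the events that would reach the index (and count against the license)."""
    return [e for e in events if route_event(e, transforms) == "indexQueue"]

if __name__ == "__main__":
    for label, t in (("anchored", TRANSFORMS_DROPS), ("loose", LOOSE_TRANSFORMS_DROPS)):
        print(label, len(indexed_events(SAMPLE_EVENTS, t)), "events indexed")
```

With the stanza order reversed, [opsecnull] would run last and send every event to nullQueue, so nothing would be indexed at all.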
You can't just pick the type that you want anymore? How is that an improvement? Seriously? Checkpoint logs are huge, and filtering this way puts a load on whatever server is doing that processing. Argh...
The improvements are in performance and error handling as well as reducing configuration problems by removing direct loggrabber configuration access. There are ways to filter out data, see below. Additional filtering options will be available down the road.