All Apps and Add-ons

Splunking Check Point logs

alvin
New Member

Hi,

I am trying to get logs from Check Point Firewall into our Splunk server.

We have a cluster of 2 UTM-1 Firewalls managed by a Smart-1.

Firewall Logs are being sent to the Smart-1.

All Checkpoint are running R75.20.

I have configured Splunk OPSEC LEA-Loggrabber to connect to the Smart-1 to grab the logs according to the guide from http://splunk-base.splunk.com/apps/22386/opsec-lea-for-check-point-linux

Everything seems well except i do not see any data with sourcetype=opsec on Splunk.

Will anyone be able to assist with my set up?

I will be glad to provide more info.

Thanks,

Alvin

0 Karma

PunchMonkey
Explorer

I'd just like to add that I too had a problem identifying the correct value for opsec_entity_sic. Getting the SIC DN from the GUI isn't obvious to me in R75.30. I found this command which can be run from the expert shell on the management server which provides a list of values including the DN for your management server.

cpca_client lscert -kind SIC
0 Karma

MarioM
Motivator

then your Smart-1 are possibly not sending data...
You need to do packet capture to see if any data from your smart-1 is reaching the splunk machine.
As well you could try lea debug as per this answer:
http://splunk-base.splunk.com/answers/33875/how-can-i-debug-my-lea-client-for-checkpoint

0 Karma

MarioM
Motivator

what do you see in internal logs?

index=_internal sourcetype=splunkd "lea-loggrabber.sh"
0 Karma

alvin
New Member

Thanks a lot MarioM.

The link was very helpful.
Was able to see the problem with debug.
opsec_entity_sic_name was set wrongly.
Able to see the Checkpoint logs now.

You are a great help.

0 Karma

alvin
New Member

default index.
Got nothing from the above search.

0 Karma

MarioM
Motivator

do you send it to a specific index or default one ?

do you get anything from this search?

index=* source="*lea-loggrabber*"
0 Karma

alvin
New Member

internal logs results:

05-02-2012 18:21:28.762 +0800 INFO ExecProcessor - Ran script: /opt/splunk/etc/apps/lea-loggrabber-splunk/bin/lea-loggrabber.sh, took 317.9 milliseconds to run, 0 bytes read

Occurs every minute.

0 Karma