Hi,
I am trying to get logs from Check Point Firewall into our Splunk server.
We have a cluster of 2 UTM-1 Firewalls managed by a Smart-1.
Firewall Logs are being sent to the Smart-1.
All Check Point devices are running R75.20.
I have configured Splunk OPSEC LEA-Loggrabber to connect to the Smart-1 to grab the logs according to the guide from http://splunk-base.splunk.com/apps/22386/opsec-lea-for-check-point-linux
Everything seems fine, except I do not see any data with sourcetype=opsec on Splunk.
Will anyone be able to assist with my set up?
I will be glad to provide more info.
Thanks,
Alvin
I'd just like to add that I too had a problem identifying the correct value for opsec_entity_sic. Getting the SIC DN from the GUI isn't obvious to me in R75.30. I found this command, which can be run from the expert shell on the management server and which provides a list of values including the DN for your management server:
cpca_client lscert -kind SIC
Then your Smart-1 is possibly not sending data...
You need to do packet capture to see if any data from your smart-1 is reaching the splunk machine.
You could also try LEA debug as per this answer:
http://splunk-base.splunk.com/answers/33875/how-can-i-debug-my-lea-client-for-checkpoint
What do you see in the internal logs?
index=_internal sourcetype=splunkd "lea-loggrabber.sh"
Thanks a lot MarioM.
The link was very helpful.
Was able to see the problem with debug.
opsec_entity_sic_name was set wrongly.
Able to see the Checkpoint logs now.
You are a great help.
Default index.
Got nothing from the above search.
Do you send it to a specific index or the default one?
Do you get anything from this search?
index=* source="*lea-loggrabber*"
Internal log results:
05-02-2012 18:21:28.762 +0800 INFO ExecProcessor - Ran script: /opt/splunk/etc/apps/lea-loggrabber-splunk/bin/lea-loggrabber.sh, took 317.9 milliseconds to run, 0 bytes read
Occurs every minute.
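The splunkd line quoted above shows the scripted input running every minute but reading 0 bytes, which is the signature of "script works, LEA connection delivers nothing". As an added example that is not part of this thread, the parser below reads ExecProcessor lines in exactly that format and flags any script whose last few runs all returned 0 bytes, the same check the index=_internal search does by eye; the sample log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Matches the splunkd ExecProcessor line format for a scripted input,
# e.g. "05-02-2012 18:21:28.762 +0800 INFO ExecProcessor - Ran script:
#       /path/lea-loggrabber.sh, took 317.9 milliseconds to run, 0 bytes read"
EXEC_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"INFO ExecProcessor - Ran script: (?P<script>[^,]+), took "
    r"(?P<ms>[\d.]+) milliseconds to run, (?P<bytes>\d+) bytes read$"
)


def parse_exec_line(line):
    """Parse one ExecProcessor line; return a dict or None if it does not match."""
    m = EXEC_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m.group("ts"), "script": m.group("script"),
            "ms": float(m.group("ms")), "bytes": int(m.group("bytes"))}


def silent_scripts(lines, min_runs=3):
    """Return scripts whose most recent `min_runs` runs all read 0 bytes.

    A script that runs on schedule but never yields data is the case in this
    thread: the input is healthy, the upstream LEA connection is not.
    """
    runs = defaultdict(list)
    for line in lines:
        rec = parse_exec_line(line)
        if rec:
            runs[rec["script"]].append(rec["bytes"])
    return sorted(script for script, sizes in runs.items()
                  if len(sizes) >= min_runs and all(b == 0 for b in sizes[-min_runs:]))


# Constructed sample of index=_internal sourcetype=splunkd lines for the example.
LEA = "/opt/splunk/etc/apps/lea-loggrabber-splunk/bin/lea-loggrabber.sh"
SAMPLE_LOGS = [
    f"05-02-2012 18:21:28.762 +0800 INFO ExecProcessor - Ran script: {LEA}, took 317.9 milliseconds to run, 0 bytes read",
    f"05-02-2012 18:22:28.801 +0800 INFO ExecProcessor - Ran script: {LEA}, took 302.4 milliseconds to run, 0 bytes read",
    f"05-02-2012 18:23:28.790 +0800 INFO ExecProcessor - Ran script: {LEA}, took 311.0 milliseconds to run, 0 bytes read",
    "05-02-2012 18:23:30.115 +0800 INFO ExecProcessor - Ran script: /opt/splunk/bin/scripts/vmstat.sh, took 12.3 milliseconds to run, 842 bytes read",
    "05-02-2012 18:23:31.000 +0800 INFO Metrics - group=thruput, name=thruput, instantaneous_kbps=0.1",
]

if __name__ == "__main__":
    print(silent_scripts(SAMPLE_LOGS))  # the LEA script only; vmstat.sh returned data
```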