
Check Point OPSEC LEA : log size question

nov1ce
Explorer

Hi,

We're using Splunk Add-on for Check Point OPSEC LEA (v2.0.4) to pull logs from Check Point R77.30. The version of Splunk is 6.2.1 running on CentOS 7.3.1611.

According to SmartView Tracker the size of the daily log is ~1.4GB:

-rw-rw---- 1 admin root 1468286725 Mar 10 23:59 2017-03-10_235900.log

However, Splunk License Usage page reports almost 5.5GB for the opsec source type. Why such a big difference?

Thank you.


nov1ce
Explorer

I think I might have found the root cause -- there are several fw rules that I've set to not log via SmartDashboard (due to a heavy activity), however they are still being sent to Splunk.

Perhaps my question would be -- is there any way to configure Check Point OPSEC LEA to skip logs for rules with the Track option set to None?

gjanders
SplunkTrust

Is it possible that you're looking at the compressed version of the log and not the raw size of the log?
Alternatively, have you checked what period of time was indexed on the day you used the 5.5GB of license?

It would be possible that you indexed multiple days of log data within the same 24 hour period and therefore used 5.5GB of Splunk licensing. Perhaps you could query the data with something similar to:

| tstats max(_indextime), min(_indextime), max(_time), min(_time) where sourcetype=opsec

Or, if you know the approximate size of each event (checkpoint logs can be quite consistent), then count the number of events for a 24 hour period in Splunk...:

| tstats count where sourcetype=opsec groupby _time span=24h

That query will need some tweaking but I think you get the point...
Note that Splunk licensing will bill raw data size that is sent via the indexer.

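As an added example (not code from either poster or from the add-on), the same checks done offline in Python over a constructed handful of LEA-style events: raw bytes per day keyed by _time versus by _indextime (the latter is what the license meter counts), the time span the first tstats query above reports, and raw bytes per rule_name to spot rules that keep arriving despite Track being set to None. Field names, addresses and rule names are all made up for the illustration.

```python
from collections import defaultdict
from datetime import datetime

def lea_record(t, rule, rule_name, src, dst, service, action="accept"):
    """Build one pipe-separated key=value record in the style of the add-on's
    output. Constructed for this example; the field set is illustrative only."""
    return ("time=%s|action=%s|orig=10.0.0.1|rule=%d|rule_name=%s|src=%s|dst=%s|service=%s"
            % (t.strftime("%d%b%Y %H:%M:%S"), action, rule, rule_name, src, dst, service))

# Constructed sample of (_time, _indextime, _raw): the 9 Mar events were only
# pulled and indexed on 10 Mar, and Allow-DNS is the noisy rule.
SAMPLE_EVENTS = [
    (datetime(2017, 3, 9, 23, 58, 1), datetime(2017, 3, 10, 0, 0, 5),
     lea_record(datetime(2017, 3, 9, 23, 58, 1), 5, "Allow-DNS", "10.1.1.20", "8.8.8.8", "domain-udp")),
    (datetime(2017, 3, 9, 23, 59, 30), datetime(2017, 3, 10, 0, 0, 5),
     lea_record(datetime(2017, 3, 9, 23, 59, 30), 5, "Allow-DNS", "10.1.1.21", "8.8.4.4", "domain-udp")),
    (datetime(2017, 3, 10, 8, 15, 0), datetime(2017, 3, 10, 8, 15, 12),
     lea_record(datetime(2017, 3, 10, 8, 15, 0), 5, "Allow-DNS", "10.1.1.22", "8.8.8.8", "domain-udp")),
    (datetime(2017, 3, 10, 9, 0, 0), datetime(2017, 3, 10, 9, 0, 7),
     lea_record(datetime(2017, 3, 10, 9, 0, 0), 20, "Block-All", "203.0.113.9", "10.1.1.5", "ssh", "drop")),
]

def raw_bytes_by_day(events, use_indextime=False):
    """Sum _raw bytes per calendar day, keyed by _time or by _indextime.
    Licensing is metered on ingest day, so if the _indextime breakdown is
    larger than the _time breakdown for a day, older events were indexed then."""
    totals = defaultdict(int)
    for event_time, index_time, raw in events:
        day = (index_time if use_indextime else event_time).date().isoformat()
        totals[day] += len(raw.encode("utf-8"))
    return dict(totals)

def raw_bytes_by_rule(events):
    """Sum _raw bytes per rule_name; rules expected to be Track=None but still
    delivered over LEA show up as the heaviest contributors."""
    totals = defaultdict(int)
    for _, _, raw in events:
        fields = dict(kv.split("=", 1) for kv in raw.split("|") if "=" in kv)
        totals[fields.get("rule_name", "unknown")] += len(raw.encode("utf-8"))
    return dict(totals)

def time_span(events):
    """Offline equivalent of min/max(_time) and min/max(_indextime) from tstats."""
    times = [t for t, _, _ in events]
    index_times = [it for _, it, _ in events]
    return min(times), max(times), min(index_times), max(index_times)

def avg_event_bytes(events):
    """Average _raw size, for the 'count events times typical size' estimate."""
    return sum(len(raw.encode("utf-8")) for _, _, raw in events) / len(events)
```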