We are using the Splunk Add-on for Check Point OPSEC LEA, and it is working OK. We need to change the log source host/IP that this LEA connection is using. I changed the host of the input, but it was still pulling from the old source. I verified this by doing a tcpdump on the old Check Point management server. I then disabled and then enabled the input to see if that would force it to use the new host. I did see the LEA connection stop on the old Check Point management server when I disabled this input, and then it started again on the old management server when I enabled the input. It seems like I may be missing an additional configuration or setting that may need to be changed to point to the new management server for this LEA connection.
Thanks.