- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Splunking Check Point logs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunking Check Point logs
Hi,
I am trying to get logs from Check Point Firewall into our Splunk server.
We have a cluster of 2 UTM-1 Firewalls managed by a Smart-1.
Firewall Logs are being sent to the Smart-1.
All Checkpoint are running R75.20.
I have configured Splunk OPSEC LEA-Loggrabber to connect to the Smart-1 to grab the logs according to the guide from http://splunk-base.splunk.com/apps/22386/opsec-lea-for-check-point-linux
Everything seems well except i do not see any data with sourcetype=opsec on Splunk.
Will anyone be able to assist with my set up?
I will be glad to provide more info.
Thanks,
Alvin
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'd just like to add that I too had a problem identifying the correct value for opsec_entity_sic. Getting the SIC DN from the GUI isn't obvious to me in R75.30. I found this command which can be run from the expert shell on the management server which provides a list of values including the DN for your management server.
cpca_client lscert -kind SIC
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
then your Smart-1 are possibly not sending data...
You need to do packet capture to see if any data from your smart-1 is reaching the splunk machine.
As well you could try lea debug as per this answer:
http://splunk-base.splunk.com/answers/33875/how-can-i-debug-my-lea-client-for-checkpoint
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what do you see in internal logs?
index=_internal sourcetype=splunkd "lea-loggrabber.sh"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot MarioM.
The link was very helpful.
Was able to see the problem with debug.
opsec_entity_sic_name was set wrongly.
Able to see the Checkpoint logs now.
You are a great help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
default index.
Got nothing from the above search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
do you send it to a specific index or default one ?
do you get anything from this search?
index=* source="*lea-loggrabber*"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
internal logs results:
05-02-2012 18:21:28.762 +0800 INFO ExecProcessor - Ran script: /opt/splunk/etc/apps/lea-loggrabber-splunk/bin/lea-loggrabber.sh, took 317.9 milliseconds to run, 0 bytes read
Occurs every minute.
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
Detecting Remote Code Executions With the Splunk Threat Research Team
