I have just gotten a Splunk instance running and am working on including logs from our Check Point Smart-1 management server. I've followed the docs for the Splunk OPSEC LEA add-on without any significant problems and am receiving data from the management server.
However, many of the fields are coming across as "*** Confidential ***". Is there any way to get the real values?
Fields affected include (but are not limited to): user, src_user_name, src_machine_name, dst_user_name, dst_machine_name, appi_name, app_desc, app_risk, app_rule_id
Here's a sample record:
loc=33292 filename=fw.log fileid=1337354883 time=18May2012 12:31:28 action=reject orig=UTM1 i/f_dir=inbound i/f_name=Internal has_accounting=0 product=VPN-1 & FireWall-1 __policy_id_tag=product=VPN-1 & FireWall-1[db_tag={9E77F78D-A0EE-12E1-97FE-000000001819};mgmt=fwmgmt;date=1337355553;policy_name=Standard] user=*** Confidential *** src_user_name=*** Confidential *** src_machine_name=*** Confidential *** dst_user_name=*** Confidential *** dst_machine_name=*** Confidential *** snid=7f006812 rule=74 rule_uid={3CEEDB7D-72AE-469C-862B-A329CE4F2E2C} src=userpc1 s_port=17500 dst=255.255.255.255 service=17500 proto=udp
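A worked parser for the record format shown in the question, added here as an example; it is not code from the original post, from Splunk or from Check Point. It splits an OPSEC LEA record into fields without breaking values that contain spaces or extra "=" signs (time, product, __policy_id_tag), decodes the bracketed policy tag, and reports which fields arrived as "*** Confidential ***" so a log pipeline can flag masked records instead of silently indexing them. The SAMPLE_RECORD string is the record from the question; CLEAN_RECORD, the field-name regex and all function names are constructed for this example.

```python
import re
from typing import Dict, List

# Record copied from the question above (Check Point OPSEC LEA output as
# ingested by Splunk). Everything else in this file is constructed.
SAMPLE_RECORD = (
    "loc=33292 filename=fw.log fileid=1337354883 time=18May2012 12:31:28 "
    "action=reject orig=UTM1 i/f_dir=inbound i/f_name=Internal has_accounting=0 "
    "product=VPN-1 & FireWall-1 __policy_id_tag=product=VPN-1 & FireWall-1"
    "[db_tag={9E77F78D-A0EE-12E1-97FE-000000001819};mgmt=fwmgmt;"
    "date=1337355553;policy_name=Standard] user=*** Confidential *** "
    "src_user_name=*** Confidential *** src_machine_name=*** Confidential *** "
    "dst_user_name=*** Confidential *** dst_machine_name=*** Confidential *** "
    "snid=7f006812 rule=74 rule_uid={3CEEDB7D-72AE-469C-862B-A329CE4F2E2C} "
    "src=userpc1 s_port=17500 dst=255.255.255.255 service=17500 proto=udp"
)

# Constructed record (not from the page) with no masked fields; it shows what
# the completeness check reports for a fully populated record.
CLEAN_RECORD = (
    "loc=33293 filename=fw.log time=18May2012 12:31:29 action=accept orig=UTM1 "
    "i/f_dir=inbound user=alice src_user_name=alice src_machine_name=alicepc "
    "src=10.0.0.5 dst=10.0.0.9 service=443 proto=tcp"
)

REDACTED = "*** Confidential ***"

# A whitespace token starts a new key=value pair only if it begins with a
# field name (letters, digits, underscore, slash as in i/f_dir) directly
# followed by '='. Tokens such as '&', 'FireWall-1', '***' or '12:31:28' do
# not match, so they are appended to the value of the field being read.
KEY_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_/]*)=(.*)$")


def parse_record(line: str) -> Dict[str, str]:
    """Split one LEA record into a field -> value mapping.

    Values may contain spaces (time=18May2012 12:31:28) and further '='
    signs (__policy_id_tag=product=...), so splitting on spaces and '='
    would corrupt them; each token is instead tested for a leading key.
    """
    fields: Dict[str, str] = {}
    current = None
    for token in line.split():
        m = KEY_RE.match(token)
        if m:
            current = m.group(1)
            fields[current] = m.group(2)
        elif current is not None:
            fields[current] += " " + token
    return fields


def parse_policy_tag(value: str) -> Dict[str, str]:
    """Decode a __policy_id_tag value of the form 'product=NAME[k=v;k=v;...]'."""
    head, sep, rest = value.partition("[")
    out: Dict[str, str] = {}
    k, _, v = head.partition("=")
    if k:
        out[k] = v
    inner = rest[:-1] if sep and rest.endswith("]") else rest
    for item in filter(None, inner.split(";")):
        k, _, v = item.partition("=")
        out[k] = v
    return out


def redacted_fields(fields: Dict[str, str]) -> List[str]:
    """Names of the fields whose value was masked by the management server."""
    return sorted(k for k, v in fields.items() if v == REDACTED)


def redaction_report(lines: List[str]) -> Dict[str, int]:
    """Count, across a batch of records, how often each field arrives masked."""
    counts: Dict[str, int] = {}
    for line in lines:
        for k in redacted_fields(parse_record(line)):
            counts[k] = counts.get(k, 0) + 1
    return counts


if __name__ == "__main__":
    rec = parse_record(SAMPLE_RECORD)
    print("product   :", rec["product"])
    print("policy tag:", parse_policy_tag(rec["__policy_id_tag"]))
    print("masked    :", redacted_fields(rec))
    print("report    :", redaction_report([SAMPLE_RECORD, CLEAN_RECORD]))
```

Running the file against the question's record lists user, src_user_name, src_machine_name, dst_user_name and dst_machine_name as masked, while the constructed clean record contributes nothing to the report; a non-empty report over a batch is the signal that the collector's data is incomplete and the values have not simply failed to parse.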