Hello all,
I am a novice when it comes to Splunk. I am in the process of building a POC using checkpoint log export feature. I am running R77.30 T338. My goal is to export log from customer CLM to Splunk 7.2.0. Below is my configuration on checkpoint side:
[Expert@mlm11:0] cp_log_export show
name: C1-export domain-server: clm1
enabled: true
target-server: 172.16.1.10
target-port: 4321
protocol: tcp
format: splunk
read-mode: raw
Once this export is restarted, I can see that SYNs are being sent to the Splunk instance, by looking at netstat on the MLM server.
However, a SYN-ACK is never sent back, so the three-way handshake cannot complete. When I try a simple telnet to this remote port 4321, I do not receive any response either. I guess I am missing something in the Splunk configuration. I have set up a new Data input as local TCP on port 4321. I can see that it is listening on it:
[splunk@siem1 ~]$ netstat -antp | grep 4321
tcp 0 0 0.0.0.0:4321 0.0.0.0:* LISTEN 1657/splunkd
From Splunk itself, I am able to connect to this port locally.
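A small connectivity probe that distinguishes the three outcomes relevant to this post (added example, not part of the original post or of Check Point's or Splunk's tooling): a completed handshake means the port is open, an immediate RST means nothing is listening, and a silent timeout with no SYN-ACK points at a host firewall or network ACL dropping the SYN between the MLM and the Splunk box. The listener started in the demo is a stand-in for Splunk's TCP input; the 172.16.1.10:4321 target is only the value from the post.

```python
import socket
import sys


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify one TCP connect attempt to host:port.

    'open'     -> SYN-ACK received, handshake completed (listener reachable)
    'closed'   -> RST received: host reachable but nothing listening on the port
    'filtered' -> no reply before the timeout: the SYN is being dropped in
                  transit (host firewall such as iptables/firewalld, or a network ACL)
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:
            return "filtered"
        except ConnectionRefusedError:
            return "closed"
        except OSError as exc:  # e.g. network unreachable, no route to host
            return f"error:{exc.errno}"


def start_listener(host: str = "127.0.0.1") -> tuple:
    """Throwaway listener on an ephemeral port, standing in for Splunk's TCP input."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def demo() -> dict:
    """Probe a live local listener, then the same port after it has been closed."""
    srv, port = start_listener()
    results = {"listening": probe_tcp("127.0.0.1", port)}
    srv.close()
    results["closed"] = probe_tcp("127.0.0.1", port)
    return results


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Run this from the MLM: e.g. probe.py 172.16.1.10 4321 (values from the post)
        print(probe_tcp(sys.argv[1], int(sys.argv[2])))
    else:
        print(demo())
```

If the probe from the MLM says "filtered" while the same port is "open" from the Splunk host itself, the listener is fine and the drop is on the path; check the Splunk host's firewall rules and any ACL in between.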