We are a consulting firm and I am assessing the Splunk solution for one of my customer.
The LEA application for Checkpoint is not working correctly : each time the script is called, it downloads the complete fw.log file. It results with a huge data indexing activity - and license expiration warnings!
I assume the script should normally download the difference since last LEA download.
Could somebody help to clarify how it works and what might going wrong with our installation?
Your help appreciated. Many thanks.
Hey, LauMat, did you solve this problem? If not, double-check the permissions on your lea_loggrabber app(s) - the lea app stores its state in bin/ but whatever user this app is running as needs write permission to some of the files in this directory. In your case I believe that it is (or was) unable to write to lea_log_rec_num.cache which is where it keeps track of the last line read off the wire.
answered 07 Sep '10, 13:05