Hi, I am trying to get logs from Check Point Firewall into our Splunk server. We have a cluster of 2 UTM-1 Firewalls managed by a Smart-1. Firewall logs are being sent to the Smart-1. All Check Point devices are running R75.20. I have configured Splunk OPSEC LEA-Loggrabber to connect to the Smart-1 to grab the logs according to the guide from OPSEC LEA for Check Point (Linux) on Splunkbase. Everything seems well except I do not see any data with sourcetype=opsec on Splunk. Will anyone be able to assist with my set up? I will be glad to provide more info. Thanks, Alvin
What do you see in the internal logs?
Internal log results:
05-02-2012 18:21:28.762 +0800 INFO ExecProcessor - Ran script: /opt/splunk/etc/apps/lea-loggrabber-splunk/bin/lea-loggrabber.sh, took 317.9 milliseconds to run, 0 bytes read
Occurs every minute.
(02 May '12, 03:29)
alvin
Do you send it to a specific index or the default one? Do you get anything from this search?
(02 May '12, 03:43)
MarioM
Default index. Got nothing from the above search.
(02 May '12, 03:52)
alvin
Thanks a lot MarioM. The link was very helpful. Was able to see the problem with debug. opsec_entity_sic_name was set wrongly. Able to see the Checkpoint logs now. You are a great help.
(02 May '12, 20:10)
alvin
Then your Smart-1 is possibly not sending data. You need to do a packet capture to see if any data from your Smart-1 is reaching the Splunk machine. You could also try LEA debug as per this answer: How can I debug my lea client for checkpoint? on Splunk Answers
I'd just like to add that I too had a problem identifying the correct value for opsec_entity_sic. Getting the SIC DN from the GUI isn't obvious to me in R75.30. I found this command, which can be run from the expert shell on the management server and provides a list of values including the DN for your management server.
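Two checks that follow from this thread, as an added shell example (written for this page; it is not part of the Splunk app, fw1-loggrabber or Check Point). The first scans splunkd's ExecProcessor lines for the "0 bytes read" symptom reported above, which separates "the grabber ran but received nothing" from "the scripted input never ran". The second reads the grabber's lea.conf and verifies that opsec_sic_name and opsec_entity_sic_name sit under the same O= component: both certificates are issued by the management's ICA, so a DN with the wrong organization (or a typo in the entity name) is the misconfiguration the two answers above ran into. Assumptions: the lea.conf key names follow the fw1-loggrabber format the app wraps, the paths are the app's default install under /opt/splunk, and every log and config line is a constructed sample.

```shell
#!/bin/sh
# Triage helpers for a silent Splunk OPSEC LEA loggrabber input.
# Example code written for this thread, not part of the Splunk app,
# fw1-loggrabber or Check Point. Paths assume the app's default install
# under /opt/splunk; the lea.conf key names assume the fw1-loggrabber
# format the app wraps. All sample data below is constructed.

APP_BIN=/opt/splunk/etc/apps/lea-loggrabber-splunk/bin     # assumed path
SPLUNKD_LOG=/opt/splunk/var/log/splunk/splunkd.log          # standard location

# Constructed splunkd.log excerpt: two runs that returned nothing, one that did.
SAMPLE_INTERNAL_LOG='05-02-2012 18:21:28.762 +0800 INFO ExecProcessor - Ran script: /opt/splunk/etc/apps/lea-loggrabber-splunk/bin/lea-loggrabber.sh, took 317.9 milliseconds to run, 0 bytes read
05-02-2012 18:22:28.801 +0800 INFO ExecProcessor - Ran script: /opt/splunk/etc/apps/lea-loggrabber-splunk/bin/lea-loggrabber.sh, took 320.1 milliseconds to run, 0 bytes read
05-02-2012 18:23:28.790 +0800 INFO ExecProcessor - Ran script: /opt/splunk/etc/apps/lea-loggrabber-splunk/bin/lea-loggrabber.sh, took 512.4 milliseconds to run, 18342 bytes read'

# Constructed lea.conf (assumed fw1-loggrabber format). The OPSEC app's own
# SIC name and the management's entity SIC name are issued by the same ICA,
# so their O= components must match; only the CN differs.
SAMPLE_LEA_CONF='lea_server ip 192.0.2.10
lea_server auth_port 18184
lea_server auth_type sslca
opsec_sslca_file /opt/splunk/etc/apps/lea-loggrabber-splunk/bin/opsec.p12
opsec_sic_name "CN=splunk_lea,O=smart1..a1b2c3"
lea_server opsec_entity_sic_name "cn=cp_mgmt,o=smart1..a1b2c3"'

# count_zero_byte_runs <script-basename>
# Reads splunkd ExecProcessor lines on stdin; prints "<runs with 0 bytes> <total runs>"
# for the named scripted input. All-zero means the grabber ran but got no records.
count_zero_byte_runs() {
  awk -v script="$1" '
    /ExecProcessor - Ran script:/ && index($0, script) {
      total++
      if ($0 ~ /, 0 bytes read$/) zero++
    }
    END { printf "%d %d\n", zero + 0, total + 0 }'
}

# dn_org <dn>: lowercased O= component of a SIC DN, trailing blanks stripped
# (SIC DNs are case-insensitive, so compare them lowercased).
dn_org() {
  printf '%s\n' "$1" | tr 'A-Z' 'a-z' | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*o=\(.*[^[:space:]]\)[[:space:]]*$/\1/p' | head -n 1
}

# check_sic_names: reads a lea.conf on stdin and prints
#   ok        both DNs present and under the same O=
#   missing   a DN key or its O= component is absent
#   mismatch  the DNs belong to different organizations (wrong entity name)
check_sic_names() {
  conf=$(cat)
  app_dn=$(printf '%s\n' "$conf" \
    | sed -n 's/^opsec_sic_name[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}.*$/\1/p')
  mgmt_dn=$(printf '%s\n' "$conf" \
    | sed -n 's/^lea_server[[:space:]]\{1,\}opsec_entity_sic_name[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}.*$/\1/p')
  app_org=$(dn_org "$app_dn")
  mgmt_org=$(dn_org "$mgmt_dn")
  if [ -z "$app_org" ] || [ -z "$mgmt_org" ]; then
    echo missing
    return 1
  fi
  if [ "$app_org" = "$mgmt_org" ]; then
    echo ok
    return 0
  fi
  echo mismatch
  return 1
}

# Demo on the constructed samples. On a real host use instead:
#   grep ExecProcessor "$SPLUNKD_LOG" | count_zero_byte_runs lea-loggrabber.sh
#   check_sic_names < "$APP_BIN/lea.conf"
printf '%s\n' "$SAMPLE_INTERNAL_LOG" | count_zero_byte_runs lea-loggrabber.sh
printf '%s\n' "$SAMPLE_LEA_CONF" | check_sic_names
```

If every run shows 0 bytes read and the SIC names check out, the next step is the packet capture MarioM suggested: on the Splunk host, capture traffic between it and the Smart-1 on the LEA port set as auth_port (18184 is the Check Point default), for example tcpdump -ni any host <smart-1-ip> and tcp port 18184, to see whether the grabber connects and whether the management answers at all before turning on LEA debug.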