I am trying to get logs from Check Point Firewall into our Splunk server.
We have a cluster of 2 UTM-1 Firewalls managed by a Smart-1.
Firewall Logs are being sent to the Smart-1.
All Check Point systems are running R75.20.
I have configured the Splunk OPSEC LEA-Loggrabber to connect to the Smart-1 to grab the logs, following the guide for OPSEC LEA for Check Point (Linux) on Splunkbase.
Everything seems fine except that I do not see any data with sourcetype=opsec in Splunk.
Would anyone be able to assist with my setup?
I will be glad to provide more info.
asked 02 May '12, 02:30
What do you see in the internal logs?
answered 02 May '12, 02:49
Then your Smart-1 is possibly not sending data... You need to do a packet capture to see if any data from your Smart-1 is reaching the Splunk machine. You could also try the LEA debug as per this answer: How can I debug my lea client for checkpoint? on Splunk Answers.
answered 02 May '12, 04:04
I'd just like to add that I, too, had a problem identifying the correct value for opsec_entity_sic. Getting the SIC DN from the GUI isn't obvious to me in R75.30. I found this command, which can be run from the expert shell on the management server and provides a list of values including the DN for your management server.
answered 18 May '12, 10:20
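The two checks the answers above suggest (is anything from the Smart-1 reaching the Splunk host, and is the opsec_entity_sic value at least a well-formed SIC DN) as a small diagnostic script. This is an added example, not code from the thread or from the Splunk add-on; it assumes the default OPSEC LEA TCP port 18184, a Splunk install under $SPLUNK_HOME, and that tcpdump and timeout are available on the Splunk host.

```shell
#!/bin/sh
# Added diagnostic helper for the "no sourcetype=opsec data" case.
# Assumptions: LEA listens on its default port 18184 on the Smart-1,
# Splunk lives under $SPLUNK_HOME, tcpdump/timeout exist on this host.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
LEA_PORT="${LEA_PORT:-18184}"

# Sanity-check an opsec_entity_sic value: a SIC DN is a comma-separated
# list of attr=value pairs and must contain a CN and an O component.
# Returns 0 when the string looks like a DN, 1 otherwise.
lea_dn_valid() {
    parts=$(printf '%s\n' "$1" | tr ',' '\n')
    # every component must be attr=value with a non-empty value
    printf '%s\n' "$parts" | grep -Evq '^[A-Za-z]+=[^=]+$' && return 1
    printf '%s\n' "$parts" | grep -q '^CN=' || return 1
    printf '%s\n' "$parts" | grep -q '^O=' || return 1
    return 0
}

# Count packets exchanged with the Smart-1 on the LEA port for a few
# seconds. 0 means the LEA session never reaches this host (firewall,
# routing, or the Smart-1 not accepting the connection); >0 means the
# transport works and the problem is in the lea client / SIC setup.
lea_packets_seen() {
    smart1="$1"; iface="${2:-any}"; secs="${3:-30}"
    timeout "$secs" tcpdump -nn -i "$iface" \
        "host $smart1 and tcp port $LEA_PORT" 2>/dev/null | wc -l
}

# Show the most recent opsec/lea related lines from Splunk's own log;
# the same thing the search  index=_internal (opsec OR lea)  returns.
lea_internal_log() {
    grep -iE 'opsec|lea' "$SPLUNK_HOME/var/log/splunk/splunkd.log" \
        | tail -n "${1:-20}"
}

# Usage: sh lea_check.sh <smart1-ip> "<opsec_entity_sic DN>"
if [ "$#" -ge 2 ]; then
    lea_dn_valid "$2" && echo "SIC DN looks well-formed" \
                      || echo "SIC DN does NOT look like a DN: $2"
    echo "LEA packets seen in 30s: $(lea_packets_seen "$1")"
    lea_internal_log
fi
```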