Hi there,
I just onboarded the Check Point logs in Splunk format and built a regex for my field extractions. Then I saw this add-on and changed the log export to CEF. The extractions are working fine and the knowledge objects help me in building searches. But I noticed that the timestamp extraction looks strange. It is defined as '\s(end|rt)\=' and there is a field called rt. So the logs are written to disk from the syslog at 06:30, 09:20 or 10:18 am, but the timestamps point to 03:33, 04:50 or 04:18 am. There is no schema.
So my question is: is rt the correct timestamp, or should I use the syslog timestamp for the _time field?
Cheers