September 2018
| Author | Tom Kopchak, Hurricane Labs |
|---|---|
| App Version | 1.0.2 |
| Vendor Products | Check Point |
| Has index-time operations | true |
| Create an index | false |
| Implements summarization | false |
The Check Point CEF Add On For Splunk provides knowledge objects to allow for the Check Point Log Exporter to function within Splunk. This replaces the traditional method of using OPSEC LEA for collecting this data.
This app supports the new Log Exporter method for Check Point logging. This resolves several limitations of the OPSEC LEA method:
Version 1.0.2 is the third release. It adds additional values to the checkpoint_cef_actions.csv lookup in support of CIM compliance.
Version 1.0.1 is the second release. It adds support for audit logging and contains minor edits to version 1.0.0.
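As an added illustration, not code from the add-on or from Hurricane Labs, the block below parses the CEF lines that Log Exporter sends (header fields, escaped `|`, `=` and `\` characters, extension values containing spaces) and normalizes the Check Point `act` value through a small lookup. The sample line, the header field names and the lookup rows are constructed assumptions; the real checkpoint_cef_actions.csv rows are not reproduced here.

```python
import re
# Constructed stand-in for the checkpoint_cef_actions.csv lookup (assumption; real rows not reproduced).
ACTION_TO_CIM = {"accept": "allowed", "drop": "blocked", "reject": "blocked", "prevent": "blocked"}
HEADER_FIELDS = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")
EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")  # 'key=' at start or after whitespace
_EXT_ESC = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}

def _split_header(s):  # seven pipe-delimited fields; '\|' and '\\' are escapes
    fields, buf, i = [], [], 0
    while i < len(s) and len(fields) < 7:
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            buf.append(s[i + 1]); i += 2
        elif c == "|":
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(c); i += 1
    return fields, s[i:]  # remainder after the 7th '|' is the extension

def _unescape_ext(s):  # extension values escape '=', '\', newline and carriage return
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s) and s[i + 1] in _EXT_ESC:
            out.append(_EXT_ESC[s[i + 1]]); i += 2
        else:
            out.append(s[i]); i += 1
    return "".join(out)

def parse_cef(line):
    """Parse one CEF line (syslog prefix allowed) into a flat field dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header found")
    fields, ext = _split_header(line[start + 4:])
    if len(fields) != 7:
        raise ValueError("CEF header must carry seven pipe-delimited fields")
    rec = dict(zip(HEADER_FIELDS, fields))
    keys = list(EXT_KEY.finditer(ext))  # values may contain spaces, so slice
    for i, m in enumerate(keys):        # each value between consecutive keys
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        rec[m.group(1)] = _unescape_ext(ext[m.end():end].strip())
    return rec

def normalize_action(rec):  # Check Point 'act' value -> CIM-style action via the lookup
    return ACTION_TO_CIM.get(rec.get("act", "").lower(), "unknown")

# Constructed sample line, not a real Log Exporter capture.
SAMPLE = ("<134>Sep 10 12:00:00 cp-mgmt CEF:0|Check Point|VPN-1 & FireWall-1|R80.20|Log|https|Unknown|"
          "act=Drop src=10.1.2.3 dst=203.0.113.5 spt=51522 dpt=443 cs2Label=Rule Name cs2=Block Bad\\=Site proto=tcp")
```

Running `parse_cef(SAMPLE)` yields a dict whose `cs2` value is `Block Bad=Site` and whose `act` normalizes to `blocked`; a line with fewer than seven header fields raises `ValueError` rather than producing a half-parsed record.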
Version 1.0.1 of the Check Point CEF Add On For Splunk is compatible with:
| Splunk Enterprise versions | 6.6, 7.0, 7.1 |
|---|---|
| Platforms | Platform independent |
| Vendor Products | Check Point Management Server, Check Point R77.30, R80.10, R80.20 |
| Vendor Tools | Log Exporter - Check Point Log Export (see sk122323) |
| Lookup file changes | None |
This app requires that the Check Point management server controlling gateways be running a version which supports the Check Point Log Exporter, which is documented in sk122323. At the time of this writing, this includes versions R77.30, R80.10 and R80.20. Gateways do not necessarily need to be running a version supporting the Log Exporter as long as they are centrally logging to a management server or log server capable of running the Log Exporter.
This app is not officially supported by Check Point, Splunk, or Hurricane Labs. Submit an issue on Github: https://github.com/HurricaneLabs/TA-checkpoint-cef/issues
Check Point CEF Add On For Splunk supports the following server platforms in the versions supported by Splunk Enterprise:
Because this add-on runs on Splunk Enterprise, all of the Splunk Enterprise system requirements apply.
Note: it is recommended that a dedicated syslog receiver (such as syslog-ng) be used to collect the data associated with this app, rather than a direct TCP/UDP input in Splunk. TCP is recommended over UDP for this data input.
Install Log Exporter
Install to search head
Install to search head and the first Splunk Enterprise system to receive data
The app has index-time sourcetyping operations. This app should be deployed to your search head as well as the first Splunk Enterprise system to receive your data. If you are receiving syslog on a Universal Forwarder, this app should be installed on the indexing tier. If you are receiving syslog on a Heavy Forwarder, this app should be installed on the Heavy Forwarder.