October 2018
| Author | Tom Kopchak, Hurricane Labs |
|---|---|
| App Version | 1.0.1 |
| Vendor Products | Check Point |
| Has index-time operations | true |
| Create an index | false |
| Implements summarization | false |
The Check Point CEF Add On For Splunk provides knowledge objects to allow for the Check Point Log Exporter to function within Splunk. This replaces the traditional method of using OPSEC LEA for collecting this data.
This app supports the new Log Exporter method for Check Point logging. This resolves several limitations of the OPSEC LEA method:
- A Linux heavy forwarder is no longer required for bringing in Check Point logs. All Splunk platforms are supported.
- The OPSEC LEA forwarder is no longer a single point of failure for Check Point logging. This method supports all syslog redundancy mechanisms.
- There is not a gap in logging that occurs during a logrotate on the management server (this commonly resulted in missing logs occurring daily at midnight).
Version 1.0.1 is the second release. It adds support for audit logging and contains minor edits to version 1.0.0.
Version 1.0.1 of the Check Point CEF Add On For Slunk For Splunk is compatible with:
| Splunk Enterprise versions | 6.6, 7.0, 7.1, 7.2 |
|---|---|
| Platforms | Platform independent |
| Vendor Products | Check Point Management Server, Check Point R77.30, R80.10, R80.20 |
| Vendor Tools | Log Exporter - Check Point Log Export (see sk122323) |
| Lookup file changes | None |
This app requires that the Check Point management server controlling gateways be running a version which supports the Check Point Log Exporter, which is documented in sk122323. At the time of this writing, this includes versions R77.30, R80.10 and R80.20. Gateways do not necessarily need to be running a version supporting the Log Exporter as long as they are centrally logging to a management server or log server capable of running the Log Exporter.
This app is not officially supported by Check Point, Splunk, or Hurricane Labs. Submit an issue on Github: https://github.com/HurricaneLabs/TA-checkpoint-cef/issues
Check Point CEF Add On For Splunk supports the following server platforms in the versions supported by Splunk Enterprise:
Because this add-on runs on Splunk Enterprise, all of the Splunk Enterprise system requirements apply.
Note: it is recommended that a dedicated syslog receiver (such as syslog-ng) be used to collect the data associated with this app, as opposed to a direct TCP/UDP input in Splunk. TCP is recommended over UDP for this data input.
Install Log Exporter
Install to search head
Install to search head and the first Splunk Enterprise system to receive data
The app has index-time sourcetyping operations. This app should be deployed to your search head as well as the first Splunk Enterprise system to receive your data. If you are receiving syslog on a Universal Forwarder, this app should be installed on the indexing tier. If you are receiving syslog on a Heavy Forwarder, this app should be installed on the Heavy Forwarder.
See GitHub for the app source: https://github.com/HurricaneLabs/TA-checkpoint-cef
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.