topic Splunk add-on for Check Point OPSEC LEA: Change HOST field to be firewall IP not the management station ip in All Apps and Add-ons https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-add-on-for-Check-Point-OPSEC-LEA-Change-HOST-field-to-be/m-p/374753#M45451 <P>We have been ingesting our Check Point logs via the Check Point OPSEC LEA add-on and finally realized that the HOST being reported is always our management station IP where we are pulling logs from... Is there a way to change this in the OPSEC Lea add on or would we be better off doing this in transforms.conf and props.conf on the heavy forwarder? </P> Tue, 13 Feb 2018 17:19:39 GMT gstefancyk 2018-02-13T17:19:39Z Splunk add-on for Check Point OPSEC LEA: Change HOST field to be firewall IP not the management station ip https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-add-on-for-Check-Point-OPSEC-LEA-Change-HOST-field-to-be/m-p/374753#M45451 <P>We have been ingesting our Check Point logs via the Check Point OPSEC LEA add-on and finally realized that the HOST being reported is always our management station IP where we are pulling logs from... Is there a way to change this in the OPSEC Lea add on or would we be better off doing this in transforms.conf and props.conf on the heavy forwarder? </P> Tue, 13 Feb 2018 17:19:39 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-add-on-for-Check-Point-OPSEC-LEA-Change-HOST-field-to-be/m-p/374753#M45451 gstefancyk 2018-02-13T17:19:39Z Re: Splunk add-on for Check Point OPSEC LEA: Change HOST field to be firewall IP not the management station ip https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-add-on-for-Check-Point-OPSEC-LEA-Change-HOST-field-to-be/m-p/374754#M45452 <P>You can use props and transforms to overwrite it (e.g. based on the orig= field).<BR /> See this recent discussion: <A href="https://answers.splunk.com/answers/615561/how-to-overwrite-the-host-field-value-with-dvc-fie.html">https://answers.splunk.com/answers/615561/how-to-overwrite-the-host-field-value-with-dvc-fie.html</A></P> Wed, 28 Feb 2018 12:22:09 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-add-on-for-Check-Point-OPSEC-LEA-Change-HOST-field-to-be/m-p/374754#M45452 FrankVl 2018-02-28T12:22:09Z Re: Splunk add-on for Check Point OPSEC LEA: Change HOST field to be firewall IP not the management station ip https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-add-on-for-Check-Point-OPSEC-LEA-Change-HOST-field-to-be/m-p/374755#M45453 <P>Thanks FrankVI, exactly what I expected but nice to get some re-assurance. </P> Wed, 28 Feb 2018 12:42:20 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-add-on-for-Check-Point-OPSEC-LEA-Change-HOST-field-to-be/m-p/374755#M45453 gstefancyk 2018-02-28T12:42:20Z Re: Splunk add-on for Check Point OPSEC LEA: Change HOST field to be firewall IP not the management station ip https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-add-on-for-Check-Point-OPSEC-LEA-Change-HOST-field-to-be/m-p/374756#M45454 <P>What field was your fw coming into Splunk as? And did you have to change logging on mgmt server to get the fw info to be sent to Splunk?</P> Mon, 21 May 2018 18:48:39 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-add-on-for-Check-Point-OPSEC-LEA-Change-HOST-field-to-be/m-p/374756#M45454 mathieuamos 2018-05-21T18:48:39Z