https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunking-Check-Point-logs/m-p/41311#M69918 <P>Thanks a lot MarioM. </P> <P>The link was very helpful. <BR /> Was able to see the problem with debug. <BR /> opsec_entity_sic_name was set wrongly. <BR /> Able to see the Checkpoint logs now.</P> <P>You are a great help.</P> Mon, 28 Sep 2020 11:46:13 GMT alvin 2020-09-28T11:46:13Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunking-Check-Point-logs/m-p/41305#M69912 <P>Hi,</P> <P>I am trying to get logs from Check Point Firewall into our Splunk server.</P> <P>We have a cluster of 2 UTM-1 Firewalls managed by a Smart-1.</P> <P>Firewall Logs are being sent to the Smart-1.</P> <P>All Checkpoint are running R75.20.</P> <P>I have configured Splunk OPSEC LEA-Loggrabber to connect to the Smart-1 to grab the logs according to the guide from <A href="http://splunk-base.splunk.com/apps/22386/opsec-lea-for-check-point-linux">http://splunk-base.splunk.com/apps/22386/opsec-lea-for-check-point-linux</A> </P> <P>Everything seems well except i do not see any data with sourcetype=opsec on Splunk.</P> <P>Will anyone be able to assist with my set up?</P> <P>I will be glad to provide more info.</P> <P>Thanks,</P> <P>Alvin</P> Wed, 02 May 2012 09:30:26 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunking-Check-Point-logs/m-p/41305#M69912 alvin 2012-05-02T09:30:26Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunking-Check-Point-logs/m-p/41306#M69913 <P>what do you see in internal logs?</P> <PRE><CODE>index=_internal sourcetype=splunkd "lea-loggrabber.sh" </CODE></PRE> Wed, 02 May 2012 09:49:40 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunking-Check-Point-logs/m-p/41306#M69913 MarioM 2012-05-02T09:49:40Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunking-Check-Point-logs/m-p/41307#M69914 <P>internal logs results:</P> <P>05-02-2012 18:21:28.762 +0800 INFO ExecProcessor - Ran script: /opt/splunk/etc/apps/lea-loggrabber-splunk/bin/lea-loggrabber.sh, took 317.9 milliseconds to run, 0 bytes read</P> <P>Occurs every minute.</P> Wed, 02 May 2012 10:29:55 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunking-Check-Point-logs/m-p/41307#M69914 alvin 2012-05-02T10:29:55Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunking-Check-Point-logs/m-p/41308#M69915 <P>do you send it to a specific index or default one ?</P> <P>do you get anything from this search?</P> <PRE><CODE>index=* source="*lea-loggrabber*" </CODE></PRE> Wed, 02 May 2012 10:43:39 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunking-Check-Point-logs/m-p/41308#M69915 MarioM 2012-05-02T10:43:39Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunking-Check-Point-logs/m-p/41309#M69916 <P>default index.<BR /> Got nothing from the above search.</P> Wed, 02 May 2012 10:52:43 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunking-Check-Point-logs/m-p/41309#M69916 alvin 2012-05-02T10:52:43Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunking-Check-Point-logs/m-p/41310#M69917 <P>then your Smart-1 are possibly not sending data...<BR /> You need to do packet capture to see if any data from your smart-1 is reaching the splunk machine.<BR /> As well you could try lea debug as per this answer:<BR /> <A href="http://splunk-base.splunk.com/answers/33875/how-can-i-debug-my-lea-client-for-checkpoint">http://splunk-base.splunk.com/answers/33875/how-can-i-debug-my-lea-client-for-checkpoint</A></P> Wed, 02 May 2012 11:04:48 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunking-Check-Point-logs/m-p/41310#M69917 MarioM 2012-05-02T11:04:48Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunking-Check-Point-logs/m-p/41311#M69918 <P>Thanks a lot MarioM. </P> <P>The link was very helpful. <BR /> Was able to see the problem with debug. <BR /> opsec_entity_sic_name was set wrongly. <BR /> Able to see the Checkpoint logs now.</P> <P>You are a great help.</P> Mon, 28 Sep 2020 11:46:13 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunking-Check-Point-logs/m-p/41311#M69918 alvin 2020-09-28T11:46:13Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunking-Check-Point-logs/m-p/41312#M69919 <P>I'd just like to add that I too had a problem identifying the correct value for opsec_entity_sic. Getting the SIC DN from the GUI isn't obvious to me in R75.30. I found this command which can be run from the expert shell on the management server which provides a list of values including the DN for your management server.</P> <PRE><CODE>cpca_client lscert -kind SIC </CODE></PRE> Mon, 28 Sep 2020 11:50:40 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunking-Check-Point-logs/m-p/41312#M69919 PunchMonkey 2020-09-28T11:50:40Z