topic Re: Splunk Add-on for Check Point OPSEC LEA: Why are the extracted values for fields protocol, s_port, and service not consistent? in All Apps and Add-ons

Splunk Add-on for Check Point OPSEC LEA: Why are the extracted values for fields protocol, s_port, and service not consistent?

daniel_augustyn — Thu, 03 Dec 2015 22:55:59 GMT

I just onboarded Checkpoint logs using the Splunk Add-on for Check Point OPSEC LEA, and most of the fields look OK except for a few ones which seem to swap the data between each other. Fields like protocol, s_port, or service do not have consistent values such as:

protocol: udp, tcp, icmp, 2, 89, 46
s_port: ntp-udp, nbname, 8978, 23384, http, 9809

service: http, 8612, TCP, SSL, UDP, DNS

Any idea how to fix it? It seems like there is some issue with field extraction.

Re: Splunk Add-on for Check Point OPSEC LEA: Why are the extracted values for fields protocol, s_port, and service not consistent?

mreynov_splunk — Fri, 04 Dec 2015 00:24:27 GMT

can you show a couple of records to compare?

Re: Splunk Add-on for Check Point OPSEC LEA: Why are the extracted values for fields protocol, s_port, and service not consistent?

daniel_augustyn — Fri, 04 Dec 2015 15:56:02 GMT

loc=5554494|time= 4Dec2015 15:40:01|action=accept|orig=firewallxxx|i/f_dir=inbound|i/f_name=xxx|has_accounting=0|uuid=<5661b3d1,00000001,09f61e0c>|product=VPN-1 & FireWall-1|inzone=Internal|outzone=External|rule=148|rule_uid={19D74F92-2D29-45AA-B627-}|service_id=domain-udp|src=10.140.32.107|s_port=37031|dst=Pulic-dns-8.8.8.8|service=UDP-DNS|proto=udp|xlatesrc=xxx|xlatesport=41463|xlatedport=Unknown|NAT_rulenum=42|NAT_addtnl_rulenum=1|__policy_id_tag=product=VPN-1 & FireWall-1[db_tag={9645AB21-4FCA-40A4-A4DE-xxx};mgmt=fw-mgr;date=1447972833;policy_name=xxxxx]


loc=5778286|time= 4Dec2015 15:41:37|action=accept|orig=-Primary|i/f_dir=inbound|i/f_name=ser1|has_accounting=0|uuid=<5661b431,0000000c,65420101,>|product=VPN-1 & FireWall-1|__policy_id_tag=product=VPN-1 & FireWall-1[db_tag={3357D522-4BEF-4939-B5B4-};mgmt=fw-mgr;date=1447311214;policy_name=-Test]|inzone=Internal|outzone=External|rule=38|rule_uid={DEC259F7-B5C1-4E56-9B5F-}|service_id=SIT|src=10.95.7.39|dst=x.x.x.20|proto=41|xlatesport=0|xlatedport=0|NAT_rulenum=29|NAT_addtnl_rulenum=1

loc=1394075|time= 4Dec2015 15:49:11|action=drop|orig=FW-1|i/f_dir=inbound|i/f_name=eth2-01|alert=spoofalert|has_accounting=0|uuid=<00000000,00000000,00000000,00000000>|product=VPN-1 & FireWall-1|src=127.0.0.1|s_port=UDP-DNS|dst=10.9.64.115|service=59076|proto=udp|message_info=Local interface address spoofing|__policy_id_tag=product=VPN-1 & FireWall-1[db_tag={5598DF1D-380D-428C-925B-};mgmt=fw-mgr;date=1447952280;policy_name=nternal-10-03-2015]|origin_sic_name=CN=FW-1,O=xxxx

loc=6352273|time= 4Dec2015 15:49:15|action=accept|orig=xxxx|i/f_dir=inbound|i/f_name=eth3-01|has_accounting=0|uuid=<5661b5fb,00010016,02c810ac,>|product=FireWall-1|__policy_id_tag=product=VPN-1 & FireWall-1[db_tag={558C5022-FEE8-4637};mgmt=fw-mgr;date=1449206314;policy_name=FW-09-30-2013]|inzone=Internal|outzone=External|rule=144|rule_uid={07C8CBBD-F01F-48F0-A637-}|service_id=RTP-UDP|src=SV-F5-10.200.10.52|s_port=UDP-DNS|dst=x.x.77.166|service=59399|proto=udp|xlatesrc=x.x.x.x|xlatesport=19380|xlatedport=Unknown|NAT_rulenum=35|NAT_addtnl_rulenum=1

Re: Splunk Add-on for Check Point OPSEC LEA: Why are the extracted values for fields protocol, s_port, and service not consistent?

daniel_augustyn — Fri, 04 Dec 2015 15:56:37 GMT

There is also no destination ports in any of these or any other logs? I just noticed it now.

Re: Splunk Add-on for Check Point OPSEC LEA: Why are the extracted values for fields protocol, s_port, and service not consistent?

daniel_augustyn — Tue, 08 Dec 2015 06:33:13 GMT

This is related to the issue of how Checkpoint columns are set up. This is not an issue with Splunk parsing the logs wrong way.

Re: Splunk Add-on for Check Point OPSEC LEA: Why are the extracted values for fields protocol, s_port, and service not consistent?

kmanson — Fri, 04 Mar 2016 18:21:32 GMT

Correct, but is there way to fix this on the CheckPoint side?

Re: Splunk Add-on for Check Point OPSEC LEA: Why are the extracted values for fields protocol, s_port, and service not consistent?

nbonner — Mon, 07 Mar 2016 18:19:07 GMT

"Service" is the destination port in Check Point logs. The logs record whatever you have configured as the object name for that service.

Re: Splunk Add-on for Check Point OPSEC LEA: Why are the extracted values for fields protocol, s_port, and service not consistent?

daniel_augustyn — Thu, 05 May 2016 23:37:37 GMT

Yes, this was an issue on the checkpoint side. Not Splunk issue.