topic Splunk App for Check Point in Getting Data In

Splunk App for Check Point

gstefancyk — Tue, 25 Oct 2016 13:37:36 GMT

I am currently pulling logs from my Check Point Management station successfully and can search on them with no issues. I am trying to get the Splunk app for Check Point to display data and am looking for some clarification on what indexes need to be created?

Currently I have all Check Point non-audit logs going into the default index. Can anyone clarify for me what index the Splunk App for Check Point looks at and what index or indexes I need to create?

Re: Splunk App for Check Point

Richfez — Tue, 25 Oct 2016 13:47:47 GMT

The Splunk app for Checkpoint seems to use checkpoint_indexas a macro behind most of the searches. That macro is simple and says index=checkpoint, so your data needs to be indexed in the index "checkpoint". (You could - though I don't recommend it - change that macro to point to main. More explanation can be given, but mostly it's just you shouldn't use main.)

Speaking of which, did you set up the Splunk add-on for Check Point OPSEC LEA as the docs mention?

Re: Splunk App for Check Point

gstefancyk — Tue, 25 Oct 2016 14:15:43 GMT

Thanks rich7177.

I must have missed that little section at the bottom of the App details page that says log everything to "checkpoint". I have configured the opsec lea add on to log to index checkpoint and data is now populating the Splunk App for Check Point.