topic Re: host override not working in Getting Data In

host override not working

dkloud — Wed, 23 Sep 2020 15:56:15 GMT

Hello,

We are using the Splunk app for checkpoint to ingest checkpoint logs via a heavy forwarder.

The host is always reported as the management server and we want to override that with the IPs of the actual firewalls.

I created the following files in the local folders on the heavy forwarder:

props.conf

[cp_log]
TRANSFORMS-host_override = host_override

transforms.conf

[host_override]
REGEX = origin=([^|]+)
DEST_KEY = MetaData:Host
FORMAT = host::$1

Restarted Splunk but there's no change, the host value remains the same.

btool shows that the local props and transforms files are applied.

I can even see the Field transformation on the heavy forwarder UI.

I've also checked that the regex works fine and extracts the correct values.

Any ideas?

Thank you!

Re: host override not working

gcusello — Wed, 23 Sep 2020 16:01:30 GMT

Hi @dkloud,

could you share a sample of your logs?

Ciao.

Giuseppe

Re: host override not working

dkloud — Wed, 23 Sep 2020 16:10:48 GMT

Hi @gcusello ,

Sure, here's one "anonymized" log 🙂

time=1600865570|hostname=ckpman|product=Firewall|action=Drop|ifdir=inbound|ifname=eth2-01.123|loguid={0x512344ba,0x123,0x6612300a,0x3fff1234}|origin=10.10.10.10|originsicname=CN\=editedfwname,O\=ckpman..aaaaaa|sequencenum=1|time=1600865570|version=5|dst=192.168.0.20|message_info=Address spoofing|proto=17|s_port=137|service=137|src=192.168.0.10

Regards,

Re: host override not working

dkloud — Wed, 23 Sep 2020 16:10:10 GMT

origin=10.10.10.10 is (one of ) the firewalls IPs that we want to be present in the host field

Re: host override not working

isoutamo — Wed, 23 Sep 2020 17:28:21 GMT

You are sure that this is the first full enterprise instance on path where those events are coming?

Re: host override not working

dkloud — Wed, 23 Sep 2020 18:54:25 GMT

Hi,

I finally made it work by editing the

/opt/splunk/etc/system/local/props.conf and transform.conf files

instead of the ones in:

/opt/splunk/etc/apps/TA-check-point-app-for-splunk/local

Regards,

Re: host override not working

isoutamo — Wed, 23 Sep 2020 20:06:38 GMT

In indexing those files on system/local always wins. You should use
splunk btool props list —debug <your sourcetype>
To see what and where configs are valid.

Re: host override not working

gcusello — Thu, 24 Sep 2020 07:35:39 GMT

Hi @dkloud ,

the hostname you want to set is the one after "hostname=", is it correct?

if this is your requirent, please, try this:

[host_override] REGEX = hostname\=([^|]+) DEST_KEY = MetaData:Host FORMAT = host::$1

probably the problem is that "=" is a special char so you have to escape it.

Ciao.

Giuseppe

Re: host override not working

dkloud — Thu, 24 Sep 2020 15:01:32 GMT

Hi @gcusello ,

As said, in the end it worked by editing the /opt/splunk/etc/system/local props and transforms files

So the regex was correct after all, I didn't have to escape the "=" sign.

Thanks for the suggestion though!

Regards,