topic Re: Splunk add-on for Checkpoint not extracting fields in Knowledge Management

Splunk add-on for Checkpoint not extracting fields

Navanitha — Wed, 20 Sep 2023 13:55:18 GMT

I have Splunk SH Cluster ( 3 SH's in Cluster) and we are collecting Checkpoint logs using Syslog and then Splunk HF read the Checkpoint logs (basically a flat file) and indexes into Splunk. Now my issue is I see the events are extracted as it should when we use an add-on. However I do not see any Checkpoint app/add-on this is installed on SH's / HF. No manual field extractions either. I would like to know if there is any away to check how the fields are extracted ?

Secondly, We also have a separate SH running ES. On this, I don't see the events being extracted as I see it on our SH cluster. I did try to install Splunk Add-on for Checkpoint to parse the fields and make it CIM compliant but the fields are not extracted. I changed the sourcetype of the CP logs to match it with the add-on but still no luck. I am using Splunk Add-on for Check Point Log Exporter. Appreciate your thoughts on this.

Re: Splunk add-on for Checkpoint not extracting fields

gcusello — Wed, 20 Sep 2023 14:20:45 GMT

Hi @Navanitha,

what's the sourcetype of your checkpoint data?

usually it's renamed and fields extractions are related to the new sourcetypes.

This means that you have to install the CheckPoint Add on, both on SH and HF.

In addition, you have to associate to the checkpoint input the sourcetype "cp_log" so the Add-on can correctly modify the sourcetype.

Read the instructions on the Checkpoint Add-On, which one are you using?

Ciao.

Giuseppe

Re: Splunk add-on for Checkpoint not extracting fields

Navanitha — Wed, 20 Sep 2023 16:15:09 GMT

Hi @gcusello

I am using "Splunk Add-on for Check Point Log Exporter" from https://splunkbase.splunk.com/app/5478.

I installed this on splunk SH and did rename sourcetype on Splunk HF to "cp_log:syslog" as per the add-on.

Re: Splunk add-on for Checkpoint not extracting fields

gcusello — Thu, 21 Sep 2023 06:25:43 GMT

Hi @Navanitha,

try to install it also on HF.

Ciao.

Giuseppe

Re: Splunk add-on for Checkpoint not extracting fields

Navanitha — Fri, 29 Sep 2023 09:53:18 GMT

I tried installing the add-on on HF but no luck. I am working with Splunk support on this and they figured that the KV store for Checkpoint add-on is not loading as the regex is not matching our events. They are working on giving me a regex, will try it out once I have it.

Re: Splunk add-on for Checkpoint not extracting fields

gcusello — Fri, 29 Sep 2023 10:17:06 GMT

Hi @Navanitha ,

publish the solution when you'll solve for the other people of Community.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated 😉

Re: Splunk add-on for Checkpoint not extracting fields

nguyens — Wed, 21 Feb 2024 08:12:42 GMT

Hi,

i was facing the same issue. I have changed under transforms.conf the following:

[kv_cp_log_format] REGEX = ([a-zA-Z0-9_-]+)[:=]+([^|]+) [kv_cp_syslog_log_format] REGEX = ([a-zA-Z0-9_-]+)[:=]+"((?:[^"\\]|\\.)+)"

Re: Splunk add-on for Checkpoint not extracting fields

wali02 — Thu, 04 Jul 2024 14:34:09 GMT

@nguyens Thanks it worked...