topic Can you help me with my checkpoint log export? in Reporting

Can you help me with my checkpoint log export?

mkukan — Mon, 08 Jun 2020 22:49:47 GMT

Hello all,

I am a novice when it comes to Splunk. I am in the process of building a POC using checkpoint log export feature. I am running R77.30 T338. My goal is to export log from customer CLM to Splunk 7.2.0. Below is my configuration on checkpoint side:

[Expert@mlm11:0] cp_log_export show

name: C1-export domain-server: clm1
           enabled: true
           target-server: 172.16.1.10
           target-port: 4321
           protocol: tcp
           format: splunk
           read-mode: raw

Once this export is restarted, I can see that SYN are being sent to Splunk instance, by looking at the netstat on the MLM server.

However, SYN ack is never sent back so three way handshake cannot complete. When I try simple telnet to this remote port 4321, I do not receive any response either. I guess I am missing something in Splunk configuration. I have set up a new Data input as local tcp on port 4321. I can see that is is listening on it

[splunk@siem1 ~]$ netstat -antp | grep 4321
tcp         0       0 0.0.0.0:4321        0.0.0.0:*           LISTEN 1657/splunkd

From Splunk itself, I am able to connect to this port locally.

Re: Can you help me with my checkpoint log export?

ca1bab — Tue, 07 Apr 2020 17:37:47 GMT

Did you ever resolve this issue? I'm running into the exact same issue currently.

Re: Can you help me with my checkpoint log export?

boyanmilushev — Mon, 07 Dec 2020 15:35:38 GMT

I had a similar problem.

Our setup is:

CheckPoint Log Server => Splunk Intermediate Heavy Forwarder => Splunk Cloud indexer.

The Intermediate HF was set-up to listen on TCP 514 from limited list of IP addresses (CheckPoint Log Servers).

It didn't work, because you are not allowed to listen on ports below 1024 on Linux if you don't have root privileges. The intermediate HF was sending "Reset" packages to the LogExporter Log server.

After that, I changed the port to 9997, but it didn't work as well, because this port is reserved for Splunk "cooked" data ingestion from Splunk instances.

Finally, I made it work after selecting the port 18188. This port turned-out to be free and not reserved for other apps.

This is example of my inputs.conf on the Heavy Forwarder:

[tcp://1.2.3.4:18188]
host = checkpoint_host_1
sourcetype = cp_log
index = logexporter_index

[tcp://1.2.3.5:18188]
host = checkpoint_host_2
sourcetype = cp_log
index = logexporter_index

[tcp://1.2.3.6:18188]
host = checkpoint_host_3
sourcetype = cp_log
index = logexporter_index

The outputs.conf file is set to send the data to the cloud:

[tcpout]
defaultGroup = splunkcloud

[tcpout:splunkcloud]
server = input_host.splunkcloud.com:9997
compressed = false

Seems like the port number is very important and you cannot select just any random port...

Also you need to check if the traffic is not being blocked on a Firewall device between the Log Server and Splunk instance.

I hope that this info is helpful, because I didn't find anything like that in the CheckPoint Log Exporter documentation.