Check Point object name resolution

Peter — Mon, 09 May 2011 14:39:34 GMT

Just finished configuring the lea-loggrabber to get logs from some Check Point hosts. All is working correctly except I want to turn object name resolution off. Looks like it might be a command line parameter (--noresolve), but I can't get it to run successfully (http://www.sourcefiles.org/Miscellaneous/fw1-loggrabber-1.9.2.tar.gz.shtml)

Anyone done this?

Re: Check Point object name resolution

Peter — Tue, 17 May 2011 17:41:29 GMT

Anyone have any experience with the fw1-loggrabber?

Re: Check Point object name resolution

hexx — Mon, 28 Sep 2020 10:14:04 GMT

With the contribution of Splunk Answers user treyka, we we were able to patch and recompile the lea_loggrabber Linux binary to outputs semi-colons as delimiters between field/value pairs:

Before:

loc=2445861 filename=fw.log fileid=1314230340 time=25Aug2011 12:40:58 action=drop orig=FIREWALLNAME i/f_dir=inbound i/f_name=eth-s2p2c0 has_accounting=0 product=VPN-1 & FireWall-1 __policy_id_tag=product=VPN-1 & FireWall-1[db_tag={AAAAAAA-BBBBB-CCCCCC-DDDDDDD-EEEEEEEEEE};mgmt=LAB-CMA;date=1310743754;policy_name=ABCD_Policy] rule=77 rule_uid={19AD44C1-79E0-422F-91A6-FF2E6A818EEE} SmartDefense profile=No Protection src=1.2.3.4 s_port=40552 dst=4.3.2.1service=snmp-read proto=udp
After:

time=26Aug2011 12:34:34;action=drop;fw=1.2.3.4;if_dir=inbound;if_name=eth-s2p2c0;mgmt=LAB-CMA;policy_name=ABCD_Policy;rule=77;src=1.2.3.4;s_port=11334;dst=4.3.2.1;d_port=161;proto=udp;

In addition, this patched version of lea_loggrabber accepts new, mutually exclusive parameters to control the name resolution of objects:

The option --resolve will cause objects to be resolved, as is currently the case. Example:

time= 4Aug2011 22:47:52;action=accept;fw=Win2k3-86sup01;if_dir=inbound;if_name=E1G606;mgmt=Win2k3-86sup01;policy_name=Standard;rule=2;rule_name=LEA traffic;service_id=FW1_lea;src=beefysup01.splunk.com;s_port=33776;dst=Win2k3-86sup01;d_port=FW1_lea;proto=tcp;
The option --no-resolve will prevent object name resolution. Example:

time= 4Aug2011 22:47:00;action=accept;fw=10.160.31.56;if_dir=inbound;if_name=E1G606;mgmt=Win2k3-86sup01;policy_name=Standard;rule=2;rule_name=LEA traffic;service_id=FW1_lea;src=10.1.12.1;s_port=47250;dst=10.160.31.56;d_port=18184;proto=tcp;

Some important remarks:

This patched version of the lea_loggrabber binary is not currently integrated to the app packaged on splunkbase. It can be obtained by requesting it from Splunk Support. Please open a support case if you would like to receive it.
Only the Linux (32bit/64bit) version of the lea_loggrabber binary has been recompiled with this patch.
The patched binary will be provided "as is". It has not been tested by Splunk Quality Assurance, which is why it has not yet been integrated in the package available on splunkbase.

Re: Check Point object name resolution

jcoates_splunk — Thu, 18 Dec 2014 22:49:28 GMT

Support just brought this page to my attention... greetings from late 2014, we come in peace. There is now an official and supported OPSEC LEA solution for Linux: https://apps.splunk.com/app/1454 and Solaris: https://apps.splunk.com/app/1453

The semicolon delimiter thing is not in there, but you can toggle no-resolve. http://docs.splunk.com/Documentation/OPSEC-LEA/latest/Install/ConfiguretheLEAclient for instructions.

topic Re: Check Point object name resolution in Splunk Search

Check Point object name resolution

Re: Check Point object name resolution

Re: Check Point object name resolution

Re: Check Point object name resolution