topic Re: Loggraber - how to get all logs exept action=accept from CP in Splunk Search

Loggraber - how to get all logs exept action=accept from CP

clanglais — Mon, 28 Sep 2020 16:00:56 GMT

Hi,

I'm trying to get less logs from CheckPoint Firewall (75.4) into a Splunk server (v 6).

I just want to have all logs exept action=accept.

I tried to change filter in /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/fw1-loggrabber.conf.

For example, I add FW1_FILTER_RULE="action!=accept"

But I think it don't works because when I try a new search with Splunk, I have lot of new logs with action=accept

Any idea?

Thanks !

Re: Loggraber - how to get all logs exept action=accept from CP

Chubbybunny — Fri, 28 Feb 2014 17:12:42 GMT

use overrides (props & transforms) to filter out the unwanted events.

props.conf

[opsec]
TRANSFORMS = carrot, rabbit_hole

transforms.conf

[rabbit_hole]
REGEX = action=accept 
DEST_KEY = queue 
FORMAT = nullQueue


[carrot]
REGEX=.
DEST_KEY = queue
FORMAT = indexQueue

** ascii art (optional) **

(\__/)
(='.'=)
(")_(")

Re: Loggraber - how to get all logs exept action=accept from CP

araitz — Mon, 28 Sep 2020 16:01:04 GMT

See the answer above in the comment. One thing to note is that there is a bug in the OPSEC LEA SDK (i.e. the one that CheckPoint provides) that makes FW1_FILTER_RULE not work.

Re: Loggraber - how to get all logs exept action=accept from CP

clanglais — Mon, 03 Mar 2014 08:50:56 GMT

I see,

This solution Works for me, Thanks a lot !