
Check Point App vs Log Exporter TA

TheWoodRanger
Explorer

The Check Point App for Splunk (https://splunkbase.splunk.com/app/4293) was recently updated on June 9th, 2025 after a 4 year gap, making it Splunk Cloud compatible.

There are no release notes added, no updated information on the app listing page, and Checkpoint documentation related to Splunk onboarding has not been modified, still reflecting app v1.0.0 from 2018 and the usage of the log exporter for a version of Checkpoint firewall that's EOL.

The Splunk Addon for Checkpoint Log Exporter (https://splunkbase.splunk.com/app/5478) was last updated February 2024.


There are significant inconsistencies between the field extractions, eventtype definitions, tag assignments, and general transforms configured in these two apps. The hope was that a proper update to the Checkpoint app would make it the "correct" one to use, but it does not incorporate many of the configs found in the Log Exporter TA, and vice versa.

Has anyone sorted out a unified approach to this mess? Validated which configurations should be applied for data exported via the log exporter over syslog?

I.e., the definitions for the "network" tag to populate the Network Traffic DMA are significantly different:

# Splunk Addon for Checkpoint Log Exporter snippet from eventtypes.conf for "network" tag:

[cp_network_communicate]
search = (sourcetype=cp_log OR sourcetype=cp_log:syslog) AND (((proto=* OR nat_rulenum=*) OR (product="URL Filtering" AND conn_direction=*)) NOT (product="Anti Phishing" OR product="Anti-Spam and Email Security" OR product="DLP" OR alert=* OR malware_action=* OR protection_name=* OR file_name=* OR auth_method=* OR event_name="IP sweep from external network"))
#tags = network communicate

[cp_change_network]
search = (sourcetype=cp_log OR sourcetype=cp_log:syslog) AND internal_ca="VPN certificate created"
#tags = change network

# Check Point App for Splunk snippet from eventtypes.conf for "network" tag:

[Network_Sessions]
search = (sourcetype=cp_log AND ((product="*VPN*" OR product="*Mobile*") OR (fw_subproduct="*VPN*")))

[Network_Traffic]
search = (sourcetype=cp_log AND product="*Firewall*" AND NOT fw_subproduct="*VPN*")


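An added illustration, not part of either post and not code from either Splunkbase app: the script below takes constructed sample events in Log Exporter's syslog output format (the [key:"value"; key:"value"; ...] block), evaluates the two "network" eventtype searches quoted above against each one with a small evaluator for the search subset eventtypes.conf uses (field=value with * wildcards, AND/OR/NOT, parentheses, implicit AND), and reports which eventtypes each app would assign. Assumptions: events arrive as sourcetype=cp_log, the sample lines and their field values are made up, Splunk search semantics are approximated (values compare case-insensitively, * matches anything, a field the event lacks never matches), and the tags.conf step that turns eventtypes into tags is not modelled.

```python
# Added example (not code from either Splunkbase app): evaluate the 'network' eventtype searches quoted above over constructed Log Exporter 'syslog' format events.
import re
# Search subset eventtypes.conf uses: field=value (bare or quoted, * wildcard), AND / OR / NOT, parentheses.
TOKEN_RE = re.compile(r'\s+|(\(|\)|AND\b|OR\b|NOT\b)|([\w:.]+)=("(?:[^"\\]|\\.)*"|[^\s()]+)|(.)')

def tokenize(search):
    toks = []  # each token is (kind, field, pattern) with kind one of ( ) AND OR NOT TERM
    for m in TOKEN_RE.finditer(search):
        if m.group(4):
            raise ValueError(f"unsupported search syntax near {m.group(4)!r}")
        if m.group(1):
            toks.append((m.group(1), None, None))
        elif m.group(2):
            toks.append(("TERM", m.group(2), m.group(3).strip('"')))
    return toks

def parse_search(search):
    """Recursive descent with Splunk precedence: NOT binds tightest, then AND (explicit or implicit), then OR."""
    toks = tokenize(search)

    def p_or():
        node = p_and()
        while toks and toks[0][0] == "OR":
            toks.pop(0)
            node = ("or", node, p_and())
        return node

    def p_and():
        node = p_not()
        while toks and toks[0][0] in ("AND", "NOT", "(", "TERM"):  # adjacent clauses: implicit AND
            if toks[0][0] == "AND":
                toks.pop(0)
            node = ("and", node, p_not())
        return node

    def p_not():
        if toks and toks[0][0] == "NOT":
            toks.pop(0)
            return ("not", p_not())
        if toks and toks[0][0] == "(":
            toks.pop(0)
            node = p_or()
            if not toks or toks.pop(0)[0] != ")":
                raise ValueError("missing ')'")
            return node
        if not toks or toks[0][0] != "TERM":
            raise ValueError(f"unexpected {toks[0][0] if toks else 'end of search'}")
        return ("term",) + toks.pop(0)[1:]

    tree = p_or()
    if toks:
        raise ValueError(f"unexpected {toks[0][0]!r}")
    return tree

def matches(node, event):
    """Evaluate a tree against a field dict: values compare case-insensitively, * matches anything,
    and a field the event lacks never matches, not even field=* (as in Splunk search)."""
    if node[0] == "term":
        value, pattern = event.get(node[1]), re.escape(node[2]).replace(r"\*", ".*")
        return value is not None and re.fullmatch(pattern, value, re.IGNORECASE) is not None
    if node[0] == "not":
        return not matches(node[1], event)
    left, right = matches(node[1], event), matches(node[2], event)
    return (left and right) if node[0] == "and" else (left or right)

def parse_log_exporter_syslog(line, sourcetype="cp_log"):
    """Field dict from the [key:"value"; ...] block of a Log Exporter 'syslog' line; sourcetype is assumed."""
    block = line[line.index("[") + 1:line.rindex("]")]  # index/rindex raise ValueError if absent
    return dict(re.findall(r'(\w+):"((?:[^"\\]|\\.)*)"', block), sourcetype=sourcetype)

# The eventtypes.conf search strings quoted in the question, verbatim.
EVENTTYPES = {app: {name: parse_search(s) for name, s in defs.items()} for app, defs in {
    "Log Exporter TA": {
        "cp_network_communicate": '(sourcetype=cp_log OR sourcetype=cp_log:syslog) AND (((proto=* OR nat_rulenum=*) OR (product="URL Filtering" AND conn_direction=*)) NOT (product="Anti Phishing" OR product="Anti-Spam and Email Security" OR product="DLP" OR alert=* OR malware_action=* OR protection_name=* OR file_name=* OR auth_method=* OR event_name="IP sweep from external network"))',
        "cp_change_network": '(sourcetype=cp_log OR sourcetype=cp_log:syslog) AND internal_ca="VPN certificate created"'},
    "Check Point App": {
        "Network_Sessions": '(sourcetype=cp_log AND ((product="*VPN*" OR product="*Mobile*") OR (fw_subproduct="*VPN*")))',
        "Network_Traffic": '(sourcetype=cp_log AND product="*Firewall*" AND NOT fw_subproduct="*VPN*")'},
}.items()}

# Constructed sample lines (not real captures) in the shape Log Exporter's syslog format emits.
HDR = '<134>1 2025-06-10T08:00:00Z gw-example CheckPoint 13752 - '
SAMPLE_EVENTS = {
    "firewall accept": HDR + '[action:"Accept"; product:"VPN-1 & FireWall-1"; proto:"6"; src:"10.1.1.5"; dst:"10.2.2.9"]',
    "vpn key install": HDR + '[action:"Key Install"; product:"VPN-1 & FireWall-1"; fw_subproduct:"VPN-1"; proto:"50"]',
    "url filtering": HDR + '[action:"Accept"; product:"URL Filtering"; conn_direction:"Outgoing"; dst:"93.184.216.34"]',
    "anti-virus block": HDR + '[action:"Prevent"; product:"Anti-Virus"; proto:"6"; malware_action:"Malicious file download"]',
}

def compare(lines=SAMPLE_EVENTS):
    """{sample label: {app: [matching eventtype names]}}; tags.conf then maps eventtypes to tags."""
    events = {label: parse_log_exporter_syslog(line) for label, line in lines.items()}
    return {label: {app: [n for n, t in ets.items() if matches(t, ev)] for app, ets in EVENTTYPES.items()}
            for label, ev in events.items()}

if __name__ == "__main__":
    for label, by_app in compare().items():
        print(f"{label:17}", "  ".join(f"{app}: {names or '-'}" for app, names in by_app.items()))
```

With the samples as written, a firewall log whose product is reported as "VPN-1 & FireWall-1" lands in both Network_Sessions (via product="*VPN*") and Network_Traffic in the App but only in cp_network_communicate in the TA; a URL Filtering log is network traffic for the TA and matches nothing in the App; and an Anti-Virus log with malware_action set is excluded by the TA and unmatched by the App. The searches here are copied from the post, so point the script at the apps' real eventtypes.conf (one search per stanza) and your own exported events before drawing conclusions about a deployment.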

livehybrid
SplunkTrust

Hi @TheWoodRanger

Whilst I have no personal experience with these apps, it's worth noting that the latest version change on the Check Point App for Splunk (https://splunkbase.splunk.com/app/4293) was on 9th June 2024! Not 2025! So closer to the last update date of the other (Splunk supported) TA. I also noticed that the Splunk version (Splunk Add-on for Check Point Log Exporter) is set to support Splunk 10.0, unlike the other. This suggests to me that it has been verified against 10.0, and no version increase means no changes need to be made since the last release.

Regarding the most unified approach - I'd start by taking the Splunk-recommended approach, as you can then lean on this community and/or support for assistance. The Splunk docs https://docs.splunk.com/Documentation/AddOns/released/CheckPointLogExporter/Setup recommend using Splunk Connect for Syslog (SC4S) to onboard this rather than receiving syslog directly into Splunk. The SC4S docs state two interesting things: firstly that "the Log Exporter configuration provided by Checkpoint is defective and produces invalid data", and secondly that you should use the syslog output from CheckPoint, not the "Splunk" output. This might seem counter-intuitive, but having it output raw syslog gives Splunk more control over its parsing.

If you took this approach then ultimately you'd use the Splunk Add-on for Check Point Log Exporter app.

I hope this helps!



