All Apps and Add-ons

Configuration of Checkpoint logs and Splunk

kellywilson
Engager

Hello everyone! I am new to this site as well as Splunk.

I am having a bit of trouble understanding the connection between CP logs and Splunk. We would like to pull those logs into Splunk. As of now, we have a windows (2K8R2) server with the latest version of Splunk enterprise installed, and a Centos 6.5 Linux server with the latest version of splunk installed on it as well. The documentation does a decent job of explaining how to get Splunk onto those particular machines, but not the process in which to import or grab those logs from Checkpoint. I’m confused as to whether or not I need to install the LEA add-on on the linux machine, the CP management server or the windows box, or all of them. Any direction as to how this architecture should look would help tremendously.

Thank you!

1 Solution

dmaislin_splunk
Splunk Employee
Splunk Employee

Yes. The app, http://apps.splunk.com/app/1454 would be installed on the Linux machine AND on the Indexer running Splunk Enterprise. The Linux machine should be a full Splunk instance (Heavy Forwarder) that is setup to forward the collected logs from this instance to the Splunk Indexer you have installed on Windows. The add-on needs to be installed on the Indexer to take advantage of field extractions, lookups, and index-time knowledge in the package.

View solution in original post

dmaislin_splunk
Splunk Employee
Splunk Employee

Yes. The app, http://apps.splunk.com/app/1454 would be installed on the Linux machine AND on the Indexer running Splunk Enterprise. The Linux machine should be a full Splunk instance (Heavy Forwarder) that is setup to forward the collected logs from this instance to the Splunk Indexer you have installed on Windows. The add-on needs to be installed on the Indexer to take advantage of field extractions, lookups, and index-time knowledge in the package.

dmaislin_splunk
Splunk Employee
Splunk Employee

Fantastic!

0 Karma

araitz
Splunk Employee
Splunk Employee

Great to hear!

0 Karma

kellywilson
Engager

Thank you! we have it setup that way exactly and it working like a charm!

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...