All Apps and Add-ons

Configuration of Checkpoint logs and Splunk

kellywilson
Engager

Hello everyone! I am new to this site as well as Splunk.

I am having a bit of trouble understanding the connection between CP logs and Splunk. We would like to pull those logs into Splunk. As of now, we have a windows (2K8R2) server with the latest version of Splunk enterprise installed, and a Centos 6.5 Linux server with the latest version of splunk installed on it as well. The documentation does a decent job of explaining how to get Splunk onto those particular machines, but not the process in which to import or grab those logs from Checkpoint. I’m confused as to whether or not I need to install the LEA add-on on the linux machine, the CP management server or the windows box, or all of them. Any direction as to how this architecture should look would help tremendously.

Thank you!

1 Solution

dmaislin_splunk
Splunk Employee
Splunk Employee

Yes. The app, http://apps.splunk.com/app/1454 would be installed on the Linux machine AND on the Indexer running Splunk Enterprise. The Linux machine should be a full Splunk instance (Heavy Forwarder) that is setup to forward the collected logs from this instance to the Splunk Indexer you have installed on Windows. The add-on needs to be installed on the Indexer to take advantage of field extractions, lookups, and index-time knowledge in the package.

View solution in original post

dmaislin_splunk
Splunk Employee
Splunk Employee

Yes. The app, http://apps.splunk.com/app/1454 would be installed on the Linux machine AND on the Indexer running Splunk Enterprise. The Linux machine should be a full Splunk instance (Heavy Forwarder) that is setup to forward the collected logs from this instance to the Splunk Indexer you have installed on Windows. The add-on needs to be installed on the Indexer to take advantage of field extractions, lookups, and index-time knowledge in the package.

dmaislin_splunk
Splunk Employee
Splunk Employee

Fantastic!

0 Karma

araitz
Splunk Employee
Splunk Employee

Great to hear!

0 Karma

kellywilson
Engager

Thank you! we have it setup that way exactly and it working like a charm!

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...