All Apps and Add-ons

Configuration of Checkpoint logs and Splunk

kellywilson
Engager

Hello everyone! I am new to this site as well as Splunk.

I am having a bit of trouble understanding the connection between CP logs and Splunk. We would like to pull those logs into Splunk. As of now, we have a windows (2K8R2) server with the latest version of Splunk enterprise installed, and a Centos 6.5 Linux server with the latest version of splunk installed on it as well. The documentation does a decent job of explaining how to get Splunk onto those particular machines, but not the process in which to import or grab those logs from Checkpoint. I’m confused as to whether or not I need to install the LEA add-on on the linux machine, the CP management server or the windows box, or all of them. Any direction as to how this architecture should look would help tremendously.

Thank you!

1 Solution

dmaislin_splunk
Splunk Employee
Splunk Employee

Yes. The app, http://apps.splunk.com/app/1454 would be installed on the Linux machine AND on the Indexer running Splunk Enterprise. The Linux machine should be a full Splunk instance (Heavy Forwarder) that is setup to forward the collected logs from this instance to the Splunk Indexer you have installed on Windows. The add-on needs to be installed on the Indexer to take advantage of field extractions, lookups, and index-time knowledge in the package.

View solution in original post

dmaislin_splunk
Splunk Employee
Splunk Employee

Yes. The app, http://apps.splunk.com/app/1454 would be installed on the Linux machine AND on the Indexer running Splunk Enterprise. The Linux machine should be a full Splunk instance (Heavy Forwarder) that is setup to forward the collected logs from this instance to the Splunk Indexer you have installed on Windows. The add-on needs to be installed on the Indexer to take advantage of field extractions, lookups, and index-time knowledge in the package.

dmaislin_splunk
Splunk Employee
Splunk Employee

Fantastic!

0 Karma

araitz
Splunk Employee
Splunk Employee

Great to hear!

0 Karma

kellywilson
Engager

Thank you! we have it setup that way exactly and it working like a charm!

0 Karma
Get Updates on the Splunk Community!

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more with ITSI’s ...

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more! Faster Time to ValueManaging and ...

New Release | Splunk Enterprise 9.3

Hi Splunky people! We are excited to share the newest updates in Splunk Enterprise 9.3!Admins and Analyst can ...

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...