Hi All,
I'm not seeing any data in the Hurricane Check Point Splunk App, despite having stacks of logs and no issues with the loggrabber.
My Splunk 6 Enterprise instance is not running under root, but under a splunk user.
I am logging Check Point logs to the default (main) index; logs are being pulled with no issues.
I looked in the app itself but could not see anywhere referencing the index it was accessing. Can someone give me a pointer as to what I'm doing wrong?
Appreciate any guidance.
Yes, you must write the traffic logs to the "opsec" index and the audit logs to the "opsec_audit" index. You must create these indexes manually as the app will not do it for you. These indexes should be specified in the default inputs.conf of the app.
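To make the answer above concrete, here is an added example (not taken from the Hurricane app or the Splunk Add-on, and not part of the original thread) of the two configuration pieces it describes: an indexes.conf stanza pair that creates the "opsec" and "opsec_audit" indexes by hand on the indexer, and an inputs.conf fragment that routes the traffic and audit feeds into them. The file paths, the sourcetype names and the monitor paths are assumptions for illustration; check the add-on's own default inputs.conf for the real input stanzas and only override `index =` in a local copy.

```ini
# indexes.conf (e.g. $SPLUNK_HOME/etc/system/local/indexes.conf on the indexer)
# The app does not create these; define them manually, then restart Splunk.
# Paths below are assumptions; adjust to your storage layout.

[opsec]
homePath   = $SPLUNK_DB/opsec/db
coldPath   = $SPLUNK_DB/opsec/colddb
thawedPath = $SPLUNK_DB/opsec/thaweddb

[opsec_audit]
homePath   = $SPLUNK_DB/opsec_audit/db
coldPath   = $SPLUNK_DB/opsec_audit/colddb
thawedPath = $SPLUNK_DB/opsec_audit/thaweddb

# inputs.conf (local override for the OPSEC LEA add-on on the forwarder)
# Monitor paths and sourcetypes are assumptions; copy the stanza names from the
# add-on's default/inputs.conf and change only the index= line in local/.

[monitor:///opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/var/log/traffic.log]
index      = opsec
sourcetype = opsec
disabled   = false

[monitor:///opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/var/log/audit.log]
index      = opsec_audit
sourcetype = opsec_audit
disabled   = false
```

After restarting, a quick sanity check is to search `index=opsec OR index=opsec_audit earliest=-15m` and confirm events arrive there rather than in main; if they still land in main, the add-on's default stanza is winning over your local override and the stanza names do not match.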
Update from yesterday's response -
Our app:
https://splunkbase.splunk.com/app/1727/#/documentation
Prerequisites:
Installation and configuration of the Splunk Add-on for Check Point OPSEC LEA Linux (http://apps.splunk.com/app/1454/) is required.
Then if you check the documentation for the Splunk-built OPSEC LEA app, the most recent one breaks down the sourcetypes even further, but the indexes remain the same (opsec, opsec_audit).
http://docs.splunk.com/Documentation/OPSEC-LEA/3.1.0/Install/WhatdatadoestheSplunkAdd-onforCheckPoin...
I think I must have not followed the instructions properly in the 20-plus installs I've done in the last two months onto CentOS 6 and 7. When I install the Splunk LEA app on Check Point it creates no indexes; it only writes to default/main.
The events, however, are tagged as described with the types listed and are being ingested into Splunk and are searchable. I appreciate you taking the time to respond and will look again at the add-on and see what it is I've done wrong.
I'm happy to mark this answered, but could you let me know if this understanding is correct? To be entirely clear, you are saying that the opsec and opsec_audit indexes should have been created by the Splunk Add-on for Check Point OPSEC LEA Linux?
I believe it looks for logs in the opsec and opsec_audit indexes.
I created these indexes and the Hurricane app didn't claim them. I looked through the config files and it looks as though it writes to a checkpoint index but pulls out opsec and opsec_audit logs from the checkpoint index. As soon as I created a checkpoint index, Hurricane 'claimed' it as the app that owned that index.
However, I could not get my OPSEC log grabber to write to the checkpoint index; no matter what I did it would only write to default/main.
Let me know if this is incorrect.
One of my guys is saying the problem is occurring because a custom index is being used and the app doesn't support that.