Solved: No data showing in Hurricane Check Point Splunk ap...

jimbul · ‎09-22-2015

Hi All,

I'm not seeing any data in the Hurricane Check Point Splunk App, despite having stacks of logs and no issues with the loggrabber.

My Splunk 6 enterprise instance is not running under root, but under a splunk user.

I am logging check point logs to the default (main) index, logs are being pulled with no issues.

I looked in the app itself but could not see anywhere referencing the index it was accessing - can someone give me a pointer as to what i'm doing wrong?

Appreciate any guidance.

delink · ‎09-25-2015

Yes, you must write the traffic logs to the "opsec" index and the audit logs to the "opsec_audit" index. You must create these indexes manually as the app will not do it for you. These indexes should be specified in the default inputs.conf of the app.

View solution in original post

delink · ‎09-25-2015

Yes, you must write the traffic logs to the "opsec" index and the audit logs to the "opsec_audit" index. You must create these indexes manually as the app will not do it for you. These indexes should be specified in the default inputs.conf of the app.

k3153717nn · ‎09-24-2015

Update from yesterday's response -

Our app:
https://splunkbase.splunk.com/app/1727/#/documentation

Prerequisites:
Installation and configuration of the Splunk Add-on for Check Point OPSEC LEA Linux (http://apps.splunk.com/app/1454/) is required.

Then if you check the documentation for the Splunk built OpsecLEA app. the most recent one breaks down the sourcetypes even further, but the indexers remain the same. (opsec, opsec_audit)
http://docs.splunk.com/Documentation/OPSEC-LEA/3.1.0/Install/WhatdatadoestheSplunkAdd-onforCheckPoin...

jimbul · ‎09-24-2015

I think i must have not followed the instructions properly in the 20 plus installs i've done in the last two months onto CentOS6 and 7. When i install the SplunkLEA app on checkpoint it creates no indexes, it only writes to default/main.

The events however are tagged as described with types listed and are being ingested into Splunk and are searchable. I appreciate you taking the time to respond and will look again at the add on and see what it is i've done wrong.

To be entirely clear - you are saying that opsec and opsec_audit indexes should have been created by the Splunk Add-on for Check Point OPSEC LEA Lunix?

jimbul · ‎09-25-2015

i'm happy to mark this answered - but could your let me know if this understanding is correct? To be entirely clear - you are saying that opsec and opsec_audit indexes should have been created by the Splunk Add-on for Check Point OPSEC LEA Lunix?

k3153717nn · ‎09-23-2015

I believe it looks for logs in the opsec and opsec_audit indexes.

jimbul · ‎09-24-2015

I created these indexes and the hurricane app didn't claim them, i looked through the config files and it looks as though it writes to a checkpoint index but pulls out opsec and opsec_audit logs from the checkpoint index. As soon as i created a checkpoint index hurricane 'claimed' it as the app that owned that index.

However i could not get my OPSEC Log grabber to write to the checkpoint index, no matter what i did it would only write to default/main.

Let me know if this is incorrect.

k3153717nn · ‎09-25-2015

One of my guys is saying the problem is occurring because a custom index is being used and the app doesn't support that.

No data showing in Hurricane Check Point Splunk application - OPSEC LEA working fine?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life