
No data showing in Hurricane Check Point Splunk application - OPSEC LEA working fine?

jimbul
Explorer

Hi All,

I'm not seeing any data in the Hurricane Check Point Splunk App, despite having stacks of logs and no issues with the loggrabber.

My Splunk 6 enterprise instance is not running under root, but under a splunk user.

I am logging check point logs to the default (main) index, logs are being pulled with no issues.

I looked in the app itself but could not see anywhere referencing the index it was accessing - can someone give me a pointer as to what I'm doing wrong?

Appreciate any guidance.

1 Solution

delink
Communicator

Yes, you must write the traffic logs to the "opsec" index and the audit logs to the "opsec_audit" index. You must create these indexes manually as the app will not do it for you. These indexes should be specified in the default inputs.conf of the app.

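As an added example (not from this thread or from the app), a small offline check that parses Splunk .conf text and flags the two things the accepted answer describes: a required index that was never created, and an input whose events fall through to the default index (main) because its stanza sets no index. The stanza names, file paths and sourcetypes in the sample content are constructed placeholders, not the add-on's real inputs.conf.

```python
"""Preflight check for Check Point OPSEC LEA data feeding the Hurricane app.

Splunk .conf files are INI-like, so configparser is enough to read them.
"""
import configparser

# Indexes the app expects (from the accepted answer).
REQUIRED_INDEXES = {"opsec", "opsec_audit"}

# Constructed sample indexes.conf: only 'opsec' is defined, 'opsec_audit' is missing.
SAMPLE_INDEXES_CONF = """
[opsec]
homePath = $SPLUNK_DB/opsec/db
coldPath = $SPLUNK_DB/opsec/colddb
thawedPath = $SPLUNK_DB/opsec/thaweddb
"""

# Constructed sample inputs.conf: stanza names, paths and sourcetypes are hypothetical.
SAMPLE_INPUTS_CONF = """
[monitor:///opt/splunk/var/log/opsec/fw.log]
sourcetype = opsec
index = opsec

[monitor:///opt/splunk/var/log/opsec/audit.log]
sourcetype = opsec_audit
# no 'index' key here: events fall through to the default index (main)
"""


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read_string(text)
    return {stanza: dict(cp[stanza]) for stanza in cp.sections()}


def missing_indexes(indexes_conf_text):
    """Required indexes that indexes.conf does not define (the app will not create them)."""
    defined = set(parse_conf(indexes_conf_text))
    return sorted(REQUIRED_INDEXES - defined)


def misrouted_inputs(inputs_conf_text, default_index="main"):
    """Inputs whose effective index is not one the app reads, as (stanza, index) pairs."""
    bad = []
    for stanza, keys in parse_conf(inputs_conf_text).items():
        target = keys.get("index", default_index)  # absent key -> Splunk default index
        if target not in REQUIRED_INDEXES:
            bad.append((stanza, target))
    return bad
```

Point the two functions at the real files under the add-on's `default/` and `local/` directories (and the indexer's indexes.conf) to get the same report for a live deployment.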


k3153717nn
Explorer

Update from yesterday's response -

Our app:
https://splunkbase.splunk.com/app/1727/#/documentation

Prerequisites:
Installation and configuration of the Splunk Add-on for Check Point OPSEC LEA Linux (http://apps.splunk.com/app/1454/) is required.

Then if you check the documentation for the Splunk-built OpsecLEA app, the most recent one breaks down the sourcetypes even further, but the indexers remain the same. (opsec, opsec_audit)
http://docs.splunk.com/Documentation/OPSEC-LEA/3.1.0/Install/WhatdatadoestheSplunkAdd-onforCheckPoin...


jimbul
Explorer

I think I must have not followed the instructions properly in the 20 plus installs I've done in the last two months onto CentOS 6 and 7. When I install the SplunkLEA app on Check Point it creates no indexes, it only writes to default/main.

The events however are tagged as described with types listed and are being ingested into Splunk and are searchable. I appreciate you taking the time to respond and will look again at the add on and see what it is i've done wrong.

To be entirely clear - you are saying that opsec and opsec_audit indexes should have been created by the Splunk Add-on for Check Point OPSEC LEA Linux?

jimbul
Explorer

I'm happy to mark this answered - but could you let me know if this understanding is correct? To be entirely clear - you are saying that opsec and opsec_audit indexes should have been created by the Splunk Add-on for Check Point OPSEC LEA Linux?

k3153717nn
Explorer

I believe it looks for logs in the opsec and opsec_audit indexes.

jimbul
Explorer

I created these indexes and the Hurricane app didn't claim them. I looked through the config files and it looks as though it writes to a checkpoint index but pulls out opsec and opsec_audit logs from the checkpoint index. As soon as I created a checkpoint index, Hurricane 'claimed' it as the app that owned that index.

However I could not get my OPSEC log grabber to write to the checkpoint index; no matter what I did it would only write to default/main.

Let me know if this is incorrect.


k3153717nn
Explorer

One of my guys is saying the problem is occurring because a custom index is being used and the app doesn't support that.
