Solved: Splunk Add-on for Check Point OPSEC LEA 4.0.0: Is ...

georgen_splunk · ‎09-20-2016

I've recently migrated to the Splunk Add-on for Check Point OPSEC LEA 4.0.0 which was easy to setup btw.

However, I'm unable to configure a custom Source & SourceType for my Check Point feed as the previous version leveraged 'inputs.conf' to run the lea-lograbber binary.

Would there happen to be a way to override the default Source & SourceType, or is there a workaround available?

rsimmons · ‎09-21-2016

Here's a quick solution! You can override the source field by using a regex in your transforms.

props.conf
[source::ip:8184]
TRANSFORMS-set_opsec_rename = opsec-rename

transforms.conf
[opsec-rename]
DEST_KEY=MetaData:Source
REGEX = .
FORMAT=source::configentitycheckpoint1_events

View solution in original post

rsimmons · ‎09-21-2016

Here's a quick solution! You can override the source field by using a regex in your transforms.

props.conf
[source::ip:8184]
TRANSFORMS-set_opsec_rename = opsec-rename

transforms.conf
[opsec-rename]
DEST_KEY=MetaData:Source
REGEX = .
FORMAT=source::configentitycheckpoint1_events

georgen_splunk · ‎09-21-2016

I agree with the override, it appears that we'll need to rename the source field for this new version of Splunk. Please keep me updated on enhancement#ADDON-11382 to allow admins to set their own Source/SourceType via the OPSEC 4.0.0 UI.

Splunk Add-on for Check Point OPSEC LEA 4.0.0: Is there a way to override the default source and sourcetype?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases