All Apps and Add-ons

Splunk Add-on for Check Point OPSEC LEA: We ingest 60GB/day of logs, but why does our admin only see 15GB/day of logs on his Check Point device?

edwardrose
Contributor

Hello All,

I have a question about Splunk's App for Checkpoint OPSEC LEA from our firewall administrator. We currently ingest about 60GB/day of CP logs, but the admin only sees about 15GB/day of logs on his CP device. Why is there such a high discrepancy? As far as I can tell, the Splunk app is working as it should and we are not getting any errors.

Any thoughts?

thanks
ed

0 Karma
1 Solution

somesoni2
Revered Legend

Check Splunk's license_usage log to find out distribution of the 60GB license usage by index/host/source/sourcetype and validate that with your Firewall admin that he's including all those index/host/source/sourcetype into his calculation.

index=_internal sourcetype=splunkd source=*license_usage.log type=usage

fields - idx (index) h (host) s (source) and st (sourcetype)

View solution in original post

0 Karma

somesoni2
Revered Legend

Check Splunk's license_usage log to find out distribution of the 60GB license usage by index/host/source/sourcetype and validate that with your Firewall admin that he's including all those index/host/source/sourcetype into his calculation.

index=_internal sourcetype=splunkd source=*license_usage.log type=usage

fields - idx (index) h (host) s (source) and st (sourcetype)

0 Karma

edwardrose
Contributor

I think I figured it out. Check Point logs are in binary format and the add-on converts the data from binary to ascii format which would account for the 4x difference in log sizes.

0 Karma
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...