All Apps and Add-ons

Splunk Add-on for Check Point OPSEC LEA: Why are the extracted values for fields protocol, s_port, and service not consistent?

daniel_augustyn
Contributor

I just onboarded Checkpoint logs using the Splunk Add-on for Check Point OPSEC LEA, and most of the fields look OK except for a few ones which seem to swap the data between each other. Fields like protocol, s_port, or service do not have consistent values such as:

protocol: udp, tcp, icmp, 2, 89, 46
s_port: ntp-udp, nbname, 8978, 23384, http, 9809

service: http, 8612, TCP, SSL, UDP, DNS

Any idea how to fix it? It seems like there is some issue with field extraction.

0 Karma
1 Solution

daniel_augustyn
Contributor

This is related to the issue of how Checkpoint columns are set up. This is not an issue with Splunk parsing the logs wrong way.

View solution in original post

0 Karma

daniel_augustyn
Contributor

This is related to the issue of how Checkpoint columns are set up. This is not an issue with Splunk parsing the logs wrong way.

0 Karma

kmanson
Path Finder

Correct, but is there way to fix this on the CheckPoint side?

0 Karma

daniel_augustyn
Contributor

Yes, this was an issue on the checkpoint side. Not Splunk issue.

0 Karma

mreynov_splunk
Splunk Employee
Splunk Employee

can you show a couple of records to compare?

daniel_augustyn
Contributor
loc=5554494|time= 4Dec2015 15:40:01|action=accept|orig=firewallxxx|i/f_dir=inbound|i/f_name=xxx|has_accounting=0|uuid=<5661b3d1,00000001,09f61e0c>|product=VPN-1 & FireWall-1|inzone=Internal|outzone=External|rule=148|rule_uid={19D74F92-2D29-45AA-B627-}|service_id=domain-udp|src=10.140.32.107|s_port=37031|dst=Pulic-dns-8.8.8.8|service=UDP-DNS|proto=udp|xlatesrc=xxx|xlatesport=41463|xlatedport=Unknown|NAT_rulenum=42|NAT_addtnl_rulenum=1|__policy_id_tag=product=VPN-1 & FireWall-1[db_tag={9645AB21-4FCA-40A4-A4DE-xxx};mgmt=fw-mgr;date=1447972833;policy_name=xxxxx]


loc=5778286|time= 4Dec2015 15:41:37|action=accept|orig=-Primary|i/f_dir=inbound|i/f_name=ser1|has_accounting=0|uuid=<5661b431,0000000c,65420101,>|product=VPN-1 & FireWall-1|__policy_id_tag=product=VPN-1 & FireWall-1[db_tag={3357D522-4BEF-4939-B5B4-};mgmt=fw-mgr;date=1447311214;policy_name=-Test]|inzone=Internal|outzone=External|rule=38|rule_uid={DEC259F7-B5C1-4E56-9B5F-}|service_id=SIT|src=10.95.7.39|dst=x.x.x.20|proto=41|xlatesport=0|xlatedport=0|NAT_rulenum=29|NAT_addtnl_rulenum=1

loc=1394075|time= 4Dec2015 15:49:11|action=drop|orig=FW-1|i/f_dir=inbound|i/f_name=eth2-01|alert=spoofalert|has_accounting=0|uuid=<00000000,00000000,00000000,00000000>|product=VPN-1 & FireWall-1|src=127.0.0.1|s_port=UDP-DNS|dst=10.9.64.115|service=59076|proto=udp|message_info=Local interface address spoofing|__policy_id_tag=product=VPN-1 & FireWall-1[db_tag={5598DF1D-380D-428C-925B-};mgmt=fw-mgr;date=1447952280;policy_name=nternal-10-03-2015]|origin_sic_name=CN=FW-1,O=xxxx

loc=6352273|time= 4Dec2015 15:49:15|action=accept|orig=xxxx|i/f_dir=inbound|i/f_name=eth3-01|has_accounting=0|uuid=<5661b5fb,00010016,02c810ac,>|product=FireWall-1|__policy_id_tag=product=VPN-1 & FireWall-1[db_tag={558C5022-FEE8-4637};mgmt=fw-mgr;date=1449206314;policy_name=FW-09-30-2013]|inzone=Internal|outzone=External|rule=144|rule_uid={07C8CBBD-F01F-48F0-A637-}|service_id=RTP-UDP|src=SV-F5-10.200.10.52|s_port=UDP-DNS|dst=x.x.77.166|service=59399|proto=udp|xlatesrc=x.x.x.x|xlatesport=19380|xlatedport=Unknown|NAT_rulenum=35|NAT_addtnl_rulenum=1
0 Karma

daniel_augustyn
Contributor

There is also no destination ports in any of these or any other logs? I just noticed it now.

0 Karma

nbonner
Explorer

"Service" is the destination port in Check Point logs. The logs record whatever you have configured as the object name for that service.

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...