I just onboarded Checkpoint logs using the Splunk Add-on for Check Point OPSEC LEA, and most of the fields look OK except for a few that seem to swap the data between each other. Fields like protocol, s_port, or service do not have consistent values, such as:
protocol: udp, tcp, icmp, 2, 89, 46
s_port: ntp-udp, nbname, 8978, 23384, http, 9809
service: http, 8612, TCP, SSL, UDP, DNS
Any idea how to fix it? It seems like there is some issue with field extraction.
This is related to the issue of how Checkpoint columns are set up. This is not an issue with Splunk parsing the logs the wrong way.
Correct, but is there a way to fix this on the CheckPoint side?
Yes, this was an issue on the checkpoint side. Not a Splunk issue.
Can you show a couple of records to compare?
loc=5554494|time= 4Dec2015 15:40:01|action=accept|orig=firewallxxx|i/f_dir=inbound|i/f_name=xxx|has_accounting=0|uuid=<5661b3d1,00000001,09f61e0c>|product=VPN-1 & FireWall-1|inzone=Internal|outzone=External|rule=148|rule_uid={19D74F92-2D29-45AA-B627-}|service_id=domain-udp|src=10.140.32.107|s_port=37031|dst=Pulic-dns-8.8.8.8|service=UDP-DNS|proto=udp|xlatesrc=xxx|xlatesport=41463|xlatedport=Unknown|NAT_rulenum=42|NAT_addtnl_rulenum=1|__policy_id_tag=product=VPN-1 & FireWall-1[db_tag={9645AB21-4FCA-40A4-A4DE-xxx};mgmt=fw-mgr;date=1447972833;policy_name=xxxxx]
loc=5778286|time= 4Dec2015 15:41:37|action=accept|orig=-Primary|i/f_dir=inbound|i/f_name=ser1|has_accounting=0|uuid=<5661b431,0000000c,65420101,>|product=VPN-1 & FireWall-1|__policy_id_tag=product=VPN-1 & FireWall-1[db_tag={3357D522-4BEF-4939-B5B4-};mgmt=fw-mgr;date=1447311214;policy_name=-Test]|inzone=Internal|outzone=External|rule=38|rule_uid={DEC259F7-B5C1-4E56-9B5F-}|service_id=SIT|src=10.95.7.39|dst=x.x.x.20|proto=41|xlatesport=0|xlatedport=0|NAT_rulenum=29|NAT_addtnl_rulenum=1
loc=1394075|time= 4Dec2015 15:49:11|action=drop|orig=FW-1|i/f_dir=inbound|i/f_name=eth2-01|alert=spoofalert|has_accounting=0|uuid=<00000000,00000000,00000000,00000000>|product=VPN-1 & FireWall-1|src=127.0.0.1|s_port=UDP-DNS|dst=10.9.64.115|service=59076|proto=udp|message_info=Local interface address spoofing|__policy_id_tag=product=VPN-1 & FireWall-1[db_tag={5598DF1D-380D-428C-925B-};mgmt=fw-mgr;date=1447952280;policy_name=nternal-10-03-2015]|origin_sic_name=CN=FW-1,O=xxxx
loc=6352273|time= 4Dec2015 15:49:15|action=accept|orig=xxxx|i/f_dir=inbound|i/f_name=eth3-01|has_accounting=0|uuid=<5661b5fb,00010016,02c810ac,>|product=FireWall-1|__policy_id_tag=product=VPN-1 & FireWall-1[db_tag={558C5022-FEE8-4637};mgmt=fw-mgr;date=1449206314;policy_name=FW-09-30-2013]|inzone=Internal|outzone=External|rule=144|rule_uid={07C8CBBD-F01F-48F0-A637-}|service_id=RTP-UDP|src=SV-F5-10.200.10.52|s_port=UDP-DNS|dst=x.x.77.166|service=59399|proto=udp|xlatesrc=x.x.x.x|xlatesport=19380|xlatedport=Unknown|NAT_rulenum=35|NAT_addtnl_rulenum=1
There are also no destination ports in any of these or any other logs? I just noticed it now.
"Service" is the destination port in Check Point logs. The logs record whatever you have configured as the object name for that service.
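An added example, not code from the thread, the Splunk add-on, or Check Point, that parses the pipe-delimited records posted above and gives the three fields in question consistent values. Following the answer that "service" is the destination port recorded under whatever object name the site configured, port fields are resolved to numbers through a service-object table (assumed here; the names and ports would have to be filled from your own Check Point objects), while the original name is kept in a separate field, and numeric proto values are mapped through the IANA protocol numbers. The sample records are trimmed copies of the lines posted in the thread.

```python
"""Normalise Check Point OPSEC LEA records (pipe-separated key=value pairs)
so that proto, s_port and service always carry comparable values."""

# Constructed sample: trimmed copies of three records posted in the thread.
SAMPLE_RECORDS = [
    "loc=5554494|time= 4Dec2015 15:40:01|action=accept|orig=firewallxxx|"
    "i/f_dir=inbound|service_id=domain-udp|src=10.140.32.107|s_port=37031|"
    "dst=Pulic-dns-8.8.8.8|service=UDP-DNS|proto=udp|"
    "__policy_id_tag=product=VPN-1 & FireWall-1[db_tag={x};mgmt=fw-mgr;"
    "date=1447972833;policy_name=xxxxx]",
    "loc=1394075|time= 4Dec2015 15:49:11|action=drop|orig=FW-1|i/f_dir=inbound|"
    "i/f_name=eth2-01|alert=spoofalert|src=127.0.0.1|s_port=UDP-DNS|"
    "dst=10.9.64.115|service=59076|proto=udp|"
    "message_info=Local interface address spoofing",
    "loc=5778286|time= 4Dec2015 15:41:37|action=accept|src=10.95.7.39|"
    "dst=x.x.x.20|proto=41",
]

# ASSUMPTION: service object name -> port. The first four are Check Point
# predefined object names; UDP-DNS is a site-defined object from the thread,
# mapped to 53 here as a guess. Fill this from your own object definitions.
SERVICE_OBJECT_PORTS = {
    "http": 80, "domain-udp": 53, "ntp-udp": 123, "nbname": 137,
    "udp-dns": 53,
}

# IANA protocol numbers: the ones seen in the thread (2, 41, 46, 89) plus
# the usual three. Anything else is kept as the raw value.
PROTO_NUMBERS = {"1": "icmp", "2": "igmp", "6": "tcp", "17": "udp",
                 "41": "ipv6", "46": "rsvp", "89": "ospf"}


def parse_record(line):
    """Split a LEA record into a dict. Only the first '=' of each pair
    separates key from value, so the nested 'k=v;k=v' inside
    __policy_id_tag stays intact as that field's value."""
    fields = {}
    for pair in line.split("|"):
        if "=" not in pair:
            continue
        key, value = pair.split("=", 1)
        fields[key.strip()] = value.strip()
    return fields


def to_port(value, unresolved):
    """Numeric strings become ints; object names go through the site table.
    Names the table does not know are collected so they can be added."""
    if value.isdigit() and int(value) <= 65535:
        return int(value)
    port = SERVICE_OBJECT_PORTS.get(value.lower())
    if port is None:
        unresolved.append(value)
    return port


def normalize(fields):
    """Return a copy where s_port/service are ints (or None when the object
    name is unknown), the original text is kept in *_name, and proto is a
    lowercase protocol name."""
    out = dict(fields)
    out["unresolved"] = []
    for port_field in ("s_port", "service"):
        if port_field in out:
            out[port_field + "_name"] = out[port_field]
            out[port_field] = to_port(out[port_field], out["unresolved"])
    if "proto" in out:
        out["proto"] = PROTO_NUMBERS.get(out["proto"], out["proto"].lower())
    return out


def normalize_all(lines):
    return [normalize(parse_record(line)) for line in lines]


if __name__ == "__main__":
    for rec in normalize_all(SAMPLE_RECORDS):
        print({k: rec.get(k) for k in
               ("action", "src", "s_port", "dst", "service", "proto", "unresolved")})
```

Running the block on the three sample records prints one dict per record with numeric ports in both port fields; the list in `unresolved` is the quickest way to find which object names still need an entry in the table before the output is trusted.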