Re: Splunk Add-on for Check Point OPSEC LEA: Why i...

Federica_92 · ‎04-12-2016

Hi everyone,

I am getting ids checkpoint logs in Splunk through the Splunk Add-on for Check Point OPSEC LEA. Looking at the raw logs, I can correctly see src=x.x.x.x, but clicking on the field above, it changes the value of the src ( or src_ip) field with the value of origin. I tried to manually extract the field, but it doesn't allow me to do it. (Everything is set as global, and I don't have any permission issues)

I had a look on the props/transforms file, but I wasn't able to locate the point where this happens.

mikelanghorst · ‎04-12-2016

I can't explain why it was decided to have this field alias, but it's within the [opsec:ips] stanza

[opsec:ips]
...
FIELDALIAS-dvc_for_opsec                        = orig as dvc, orig as dvc_ip
FIELDALIAS-signature_for_ips                     = Protection_Name as signature
FIELDALIAS-src_for_opsec                        = orig as src, orig as src_ip

I'm not sure if the source formatting has changed or ??

Splunk Add-on for Check Point OPSEC LEA: Why is the src field not consistent?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

Splunk Add-on for Check Point OPSEC LEA: Why is the src field not consistent?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem