Solved: Splunk add-on for Check Point OPSEC LEA: Change HO...

gstefancyk · ‎02-13-2018

We have been ingesting our Check Point logs via the Check Point OPSEC LEA add-on and finally realized that the HOST being reported is always our management station IP where we are pulling logs from... Is there a way to change this in the OPSEC Lea add on or would we be better off doing this in transforms.conf and props.conf on the heavy forwarder?

FrankVl · ‎02-28-2018

You can use props and transforms to overwrite it (e.g. based on the orig= field).
See this recent discussion: https://answers.splunk.com/answers/615561/how-to-overwrite-the-host-field-value-with-dvc-fie.html

View solution in original post

mathieuamos · ‎05-21-2018

What field was your fw coming into Splunk as? And did you have to change logging on mgmt server to get the fw info to be sent to Splunk?

FrankVl · ‎02-28-2018

You can use props and transforms to overwrite it (e.g. based on the orig= field).
See this recent discussion: https://answers.splunk.com/answers/615561/how-to-overwrite-the-host-field-value-with-dvc-fie.html

gstefancyk · ‎02-28-2018

Thanks FrankVI, exactly what I expected but nice to get some re-assurance.

Splunk add-on for Check Point OPSEC LEA: Change HOST field to be firewall IP not the management station ip

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?