All Apps and Add-ons

Splunk add-on for Check Point OPSEC LEA: Change HOST field to be firewall IP not the management station ip

gstefancyk
Path Finder

We have been ingesting our Check Point logs via the Check Point OPSEC LEA add-on and finally realized that the HOST being reported is always our management station IP where we are pulling logs from... Is there a way to change this in the OPSEC Lea add on or would we be better off doing this in transforms.conf and props.conf on the heavy forwarder?

0 Karma
1 Solution

FrankVl
Ultra Champion

You can use props and transforms to overwrite it (e.g. based on the orig= field).
See this recent discussion: https://answers.splunk.com/answers/615561/how-to-overwrite-the-host-field-value-with-dvc-fie.html

View solution in original post

0 Karma

mathieuamos
New Member

What field was your fw coming into Splunk as? And did you have to change logging on mgmt server to get the fw info to be sent to Splunk?

0 Karma

FrankVl
Ultra Champion

You can use props and transforms to overwrite it (e.g. based on the orig= field).
See this recent discussion: https://answers.splunk.com/answers/615561/how-to-overwrite-the-host-field-value-with-dvc-fie.html

0 Karma

gstefancyk
Path Finder

Thanks FrankVI, exactly what I expected but nice to get some re-assurance.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...