All Apps and Add-ons

Splunk add-on for Check Point OPSEC LEA: Change HOST field to be firewall IP not the management station ip

Path Finder

We have been ingesting our Check Point logs via the Check Point OPSEC LEA add-on and finally realized that the HOST being reported is always our management station IP where we are pulling logs from... Is there a way to change this in the OPSEC Lea add on or would we be better off doing this in transforms.conf and props.conf on the heavy forwarder?

0 Karma
1 Solution

Ultra Champion

You can use props and transforms to overwrite it (e.g. based on the orig= field).
See this recent discussion: https://answers.splunk.com/answers/615561/how-to-overwrite-the-host-field-value-with-dvc-fie.html

View solution in original post

0 Karma

New Member

What field was your fw coming into Splunk as? And did you have to change logging on mgmt server to get the fw info to be sent to Splunk?

0 Karma

Ultra Champion

You can use props and transforms to overwrite it (e.g. based on the orig= field).
See this recent discussion: https://answers.splunk.com/answers/615561/how-to-overwrite-the-host-field-value-with-dvc-fie.html

View solution in original post

0 Karma

Path Finder

Thanks FrankVI, exactly what I expected but nice to get some re-assurance.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!