All Apps and Add-ons

Splunk add-on for Check Point OPSEC LEA: Change HOST field to be firewall IP not the management station ip

gstefancyk
Path Finder

We have been ingesting our Check Point logs via the Check Point OPSEC LEA add-on and finally realized that the HOST being reported is always our management station IP where we are pulling logs from... Is there a way to change this in the OPSEC Lea add on or would we be better off doing this in transforms.conf and props.conf on the heavy forwarder?

0 Karma
1 Solution

FrankVl
Ultra Champion

You can use props and transforms to overwrite it (e.g. based on the orig= field).
See this recent discussion: https://answers.splunk.com/answers/615561/how-to-overwrite-the-host-field-value-with-dvc-fie.html

View solution in original post

0 Karma

mathieuamos
New Member

What field was your fw coming into Splunk as? And did you have to change logging on mgmt server to get the fw info to be sent to Splunk?

0 Karma

FrankVl
Ultra Champion

You can use props and transforms to overwrite it (e.g. based on the orig= field).
See this recent discussion: https://answers.splunk.com/answers/615561/how-to-overwrite-the-host-field-value-with-dvc-fie.html

0 Karma

gstefancyk
Path Finder

Thanks FrankVI, exactly what I expected but nice to get some re-assurance.

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...