Archive

Check Point OPSEC LEA : log size question

Explorer

Hi,

We're using Splunk Add-on for Check Point OPSEC LEA (v2.0.4) to pull logs from Check Point R77.30. The version of Splunk is 6.2.1 running on CentOS 7.3.1611.

According to SmartView Tracker the size of the daily log is ~1.4GB:

-rw-rw---- 1 admin root 1468286725 Mar 10 23:59 2017-03-10_235900.log

However, Splunk License Usage page reports almost 5.5GB for the opsec source type. Why such a big difference?

Thank you.

0 Karma

Explorer

I think I might have found the root cause -- there are several fw rules that I've set to not log via SmartDashboard (due to a heavy activity), however they are still being sent to Splunk.

Perhaps my question would be -- is there any way to configure Check Point OPSEC LEA to skip logs for rules with the Track option set to None?

SplunkTrust
SplunkTrust

Is it possible that your looking at the compressed version of the log and not the raw size of the log?
Alternatively, have you checked what period of time was indexed on the day you used the 5.5GB of license?

It would be possible that you indexed multiple days of log data within the same 24 hour period and therefore used 5.5GB of Splunk licensing. Perhaps you could query the data with something similar to:

| tstats max(_indextime), min(_indextime), max(_time), min(_time) where sourcetype=opssec

Or, if you know the approximate size of each event (checkpoint logs can be quite consistent), then count the number of events for a 24 hour period in Splunk...:

| tstats count where sourcetype=opssec groupby _time span=24h

That query will need some tweaking but I think you get the point...
Note that Splunk licensing will bill raw data size that is sent via the indexer.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!