All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How should configure my splunk CheckPoint application to retrieve all customer logs with MDS???

jbsplunk
Splunk Employee
Splunk Employee
‎01-05-2012 12:39 PM

My environment consists of CheckPoint Provider1 MDS/CMA/CLM: I'm running a MDS (MultiDomainServer) with multiple customer environments (CMA). However, all log traffic is sent back to our central log repository (CLM). Question is: How should configure my splunk CheckPoint application to retrieve all customer logs???

Reply
1 Solution
Solved! Jump to solution
Solution

Chubbybunny
Splunk Employee
Splunk Employee
‎01-05-2012 01:30 PM

To retrieve CheckPoint logs from our CLM we did this:

  1. create the OPSEC application on the MDS
  2. push the OPSEC application to the CMA and CLM
  3. run the opsec_pull_cert using SSLCA against the MDS
  4. retrieve the SIC of the OPSEC application and CLM
  5. configure lea.conf using the OPSEC application and CLM SIC name
  6. configure lea.conf to pull logs from the CLM
  7. configure lea.conf to use auth_type SSLCA

View solution in original post

Reply
Solved! Jump to solution
Solution

Chubbybunny
Splunk Employee
Splunk Employee
‎01-05-2012 01:30 PM

To retrieve CheckPoint logs from our CLM we did this:

  1. create the OPSEC application on the MDS
  2. push the OPSEC application to the CMA and CLM
  3. run the opsec_pull_cert using SSLCA against the MDS
  4. retrieve the SIC of the OPSEC application and CLM
  5. configure lea.conf using the OPSEC application and CLM SIC name
  6. configure lea.conf to pull logs from the CLM
  7. configure lea.conf to use auth_type SSLCA
Reply
Solved! Jump to solution

Chubbybunny
Splunk Employee
Splunk Employee
‎06-15-2012 12:00 PM

In step 2. "push the OPSEC application to the CMA and CLM" should be revised to: "Install the database to the CMA"

*thanks for the correction Mahesh!!!

0 Karma
Reply
Solved! Jump to solution

Chubbybunny
Splunk Employee
Splunk Employee
‎01-05-2012 01:38 PM

you Betcha!!!

0 Karma
Reply
Solved! Jump to solution

jbsplunk
Splunk Employee
Splunk Employee
‎01-05-2012 01:37 PM

Thanks, these were exactly the steps I needed!

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...