
Loggrabber - how to get all logs except action=accept from CP

Explorer

Hi,

I'm trying to get less logs from CheckPoint Firewall (75.4) into a Splunk server (v 6).

I just want to have all logs except action=accept.

I tried to change filter in /opt/splunk/etc/apps/SplunkTAopseclea_linux22/bin/fw1-loggrabber.conf.

For example, I added FW1FILTERRULE="action!=accept"

But I think it doesn't work, because when I try a new search in Splunk, I get lots of new logs with action=accept.

Any idea?

Thanks !

Re: Loggrabber - how to get all logs except action=accept from CP

Splunk Employee

Use overrides (props & transforms) to filter out the unwanted events.

props.conf

[opsec]
TRANSFORMS = carrot, rabbit_hole

transforms.conf

[rabbit_hole]
REGEX = action=accept
DEST_KEY = queue
FORMAT = nullQueue

[carrot]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue

** ascii art (optional) **

(\__/)
(='.'=)
(")_(")
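To see why the order in TRANSFORMS matters, here is an added simulation (not Splunk's code, and not part of the answer above) of how Splunk walks the listed transforms left to right and lets the last matching stanza set the queue; the OPSEC events it routes are constructed samples.

```python
"""Simulate Splunk's ordered TRANSFORMS routing for the [opsec] stanzas above.
Each transform whose REGEX matches the raw event writes FORMAT into DEST_KEY,
so the last matching stanza in the TRANSFORMS list wins (added example)."""
import configparser
import re

# transforms.conf stanzas exactly as given in the answer, embedded inline
TRANSFORMS_CONF = """
[rabbit_hole]
REGEX = action=accept
DEST_KEY = queue
FORMAT = nullQueue

[carrot]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue
"""

# props.conf:  [opsec]  TRANSFORMS = carrot, rabbit_hole
TRANSFORMS_ORDER = ["carrot", "rabbit_hole"]

# Constructed OPSEC LEA-style events (not real Check Point log lines)
ACCEPT_EVENT = "action=accept src=192.0.2.5 dst=198.51.100.9 service=http"
DROP_EVENT = "action=drop src=192.0.2.5 dst=198.51.100.9 service=ssh"
REJECT_EVENT = "action=reject src=192.0.2.7 dst=198.51.100.9 service=smtp"


def load_transforms(text):
    """Parse transforms.conf text into {stanza: {key: value}} (keys lowercased)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def route_event(raw, transforms, order):
    """Return the queue the event lands in; Splunk's default is indexQueue."""
    queue = "indexQueue"
    for name in order:
        t = transforms[name]
        if t["dest_key"] == "queue" and re.search(t["regex"], raw):
            queue = t["format"]  # a later matching stanza overrides an earlier one
    return queue


def filtered_events(events=(ACCEPT_EVENT, DROP_EVENT, REJECT_EVENT)):
    """Events Splunk would actually index under the answer's configuration."""
    transforms = load_transforms(TRANSFORMS_CONF)
    return [e for e in events
            if route_event(e, transforms, TRANSFORMS_ORDER) == "indexQueue"]
```

Reversing the list to `rabbit_hole, carrot` would let carrot's match-anything regex push the accept events back into indexQueue, which is the mistake to check for if the filter appears to do nothing.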
Re: Loggrabber - how to get all logs except action=accept from CP

Splunk Employee

See the answer above in the comment. One thing to note is that there is a bug in the OPSEC LEA SDK (i.e. the one that CheckPoint provides) that makes FW1FILTERRULE not work.


Re: Loggrabber - how to get all logs except action=accept from CP

Explorer

I see,

This solution works for me, thanks a lot!
