I'm trying to get fewer logs from a CheckPoint firewall (75.4) into a Splunk server (v6).
I just want to have all logs except action=accept.
I tried to change the filter in /opt/splunk/etc/apps/SplunkTAopseclea_linux22/bin/fw1-loggrabber.conf.
For example, I added FW1FILTERRULE="action!=accept".
But I think it doesn't work, because when I run a new search in Splunk I get lots of new logs with action=accept.
Use overrides (props & transforms) to filter out the unwanted events.

props.conf:

[opsec]
TRANSFORMS = carrot, rabbit_hole

transforms.conf:

[rabbit_hole]
REGEX = action=accept
DEST_KEY = queue
FORMAT = nullQueue

[carrot]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue
** ascii art (optional) **
(\__/)
(='.'=)
(")_(")
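To see why the order of the two transforms matters, here is a small simulation of Splunk's queue routing added as an illustration; it is not code from the answer or from Splunk, the events and addresses are constructed, and route_event/filter_events are hypothetical helper names. Each transform listed in TRANSFORMS runs in order and overwrites DEST_KEY, so the last match wins.

```python
import re

# Constructed stanzas mirroring the answer's transforms.conf (not Splunk's own code).
TRANSFORMS = {
    "carrot": {"REGEX": re.compile(r"."), "DEST_KEY": "queue", "FORMAT": "indexQueue"},
    "rabbit_hole": {"REGEX": re.compile(r"action=accept"), "DEST_KEY": "queue", "FORMAT": "nullQueue"},
}
# Order as written in the answer's props.conf: TRANSFORMS = carrot, rabbit_hole
TRANSFORMS_ORDER = ["carrot", "rabbit_hole"]


def route_event(raw, order=TRANSFORMS_ORDER, transforms=TRANSFORMS):
    """Return the queue an event ends up in after all transforms have run.

    An event no transform touches keeps the default destination, indexQueue.
    Transforms run in the listed order; each match overwrites the key, so a
    later match overrides an earlier one.
    """
    keys = {"queue": "indexQueue"}
    for name in order:
        t = transforms[name]
        if t["REGEX"].search(raw):
            keys[t["DEST_KEY"]] = t["FORMAT"]
    return keys["queue"]


def filter_events(events, order=TRANSFORMS_ORDER):
    """Keep only the events that would actually be indexed."""
    return [e for e in events if route_event(e, order) == "indexQueue"]


# Constructed sample events in the key=value style the question describes.
SAMPLE_EVENTS = [
    "action=accept src=192.0.2.10 dst=192.0.2.20 service=https",
    "action=drop src=192.0.2.11 dst=192.0.2.20 service=ssh",
    "action=reject src=192.0.2.12 dst=192.0.2.20 service=telnet",
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(route_event(event), "<-", event)
    # Reversing the order lets carrot's catch-all regex override rabbit_hole,
    # so every event, accept included, is indexed again.
    print(route_event(SAMPLE_EVENTS[0], order=["rabbit_hole", "carrot"]))
```

With the answer's order, accept events land in nullQueue and the rest are indexed; listing rabbit_hole before carrot would silently re-enable the accept events.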
See the answer above in the comment. One thing to note is that there is a bug in the OPSEC LEA SDK (i.e. the one that CheckPoint provides) that makes FW1FILTERRULE not work.