
Splunk Add-on for Check Point OPSEC LEA: Why is the src field not consistent?

Federica_92
Communicator

Hi everyone,

I am getting IDS Check Point logs in Splunk through the Splunk Add-on for Check Point OPSEC LEA. Looking at the raw logs, I can correctly see src=x.x.x.x, but clicking on the field above, it replaces the value of the src (or src_ip) field with the value of origin. I tried to manually extract the field, but it doesn't allow me to do it. (Everything is set as global, and I don't have any permission issues.)

I had a look at the props/transforms files, but I wasn't able to locate the point where this happens.

0 Karma

mikelanghorst
Motivator

I can't explain why it was decided to have this field alias, but it's within the [opsec:ips] stanza:

[opsec:ips]
...
FIELDALIAS-dvc_for_opsec     = orig as dvc, orig as dvc_ip
FIELDALIAS-signature_for_ips = Protection_Name as signature
FIELDALIAS-src_for_opsec     = orig as src, orig as src_ip

I'm not sure if the source formatting has changed or ??

0 Karma
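A local props.conf override that keeps the extracted src/src_ip from being replaced by orig, as an added example that is not part of either post or of the add-on itself. It assumes the add-on's app directory is named Splunk_TA_checkpoint-opseclea, that an empty FIELDALIAS value in local/ disables the default-layer alias, and (for the second option) that your Splunk release supports the ASNEW keyword.

```ini
# Added example, not from the add-on or the original posts.
# File: $SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/local/props.conf
# (assumed app directory name; verify it on your search head). Settings in
# local/ take precedence over the add-on's default/props.conf, so the shipped
# files stay untouched and survive upgrades. Field aliases are search-time
# settings, so this belongs on the search head(s).

[opsec:ips]
# Option 1: disable the shipped alias entirely. The blank value overrides
# "orig as src, orig as src_ip" from default/ (assumption: Splunk ignores an
# empty FIELDALIAS), so src and src_ip keep the values extracted from the
# raw event and orig remains available as its own field.
FIELDALIAS-src_for_opsec =

# Option 2 (instead of option 1, on releases that support ASNEW): keep the
# alias as a fallback but never overwrite an existing src/src_ip. ASNEW only
# creates the target field when it is absent, whereas AS replaces it.
# FIELDALIAS-src_for_opsec = orig ASNEW src, orig ASNEW src_ip
```

After restarting the search head (or refreshing search-time settings), confirm with a search such as `sourcetype=opsec:ips | table _raw src src_ip orig` that src now matches the value in the raw event.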