Getting Data In

Checkpoint Firewall Logs in Splunk

dpatnam
Path Finder

Hello All,

I am trying to import some of my Checkpoint firewall logs into Splunk. I tried to setup a sample input to index the text format of these logs, but am running into issues with the header and timestamp extraction -

Here's a sample (pruned down) semi-colon separated input from the logs -

num;date;time;orig;type
0;22Mar2011;0:55:11;0.0.0.0;control
1;21Mar2011;7:09:41;0.0.0.1;log

Here are the entries in my props.conf to extract the timestamp and the header info for these logs -

TIME_PREFIX = ^\d+;
TIME_FORMAT = %DD%MMM%YYYY;%H:%M:%S
SHOULD_LINEMERGE = false
TZ=GMT
CHECK_FOR_HEADER = true

However, it looks like Splunk is only recognizing the time and the timezone configuration but it is setting the date to the current day (Apr 5th) and is also not extracting any of the headers for the events. Any help in figuring out where I am going wrong would be greatly appreciated.

Thank you.

Tags (1)
0 Karma

hazekamp
Builder

dpatnam,

For TIME_FORMAT be sure to use strptime specifiers like so:

TIME_FORMAT = %d%B%Y;%H:%M:%S

See also: http://docs.python.org/library/time.html

0 Karma

dpatnam
Path Finder

Thanks hazedav and gkanapathy. I went the FIELDS/DELIMS route and got the header extraction to work as well.

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

Agree with Dave. Do not use CHECK_FOR_HEADER, certainly not if your fields are known and fixed. Just specify the fields and delims manually.

0 Karma

hazekamp
Builder

I would highly discourage CHECK_FOR_HEADER and recommend FIELDS/DELIMS

dpatnam
Path Finder

Thanks hazedav. Just a shortwhile before you posted the answers, I found another link that has all the time specifiers (http://dev.mysql.com/doc/refman/5.5/en/date-and-time-functions.html)

After referring to the specifiers in this link , I changed the TIME_FORMAT as shown below and am now able to extract the correct date as well.

TIME_FORMAT = %d%b%Y;%H:%M:%S

The only outstanding item for me now is the header extraction. I am still looking into this.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...