Checkpoint OPSEC LEA 4.1 manual log input and multiple HF's

mmoermans
Path Finder

Due to the lea_loggrabber script malfunctioning (reason unknown, not to be found in the logging) we are missing 4 days' worth of Check Point logging. A restart of the heavy forwarder fixed the issue.

What's the best practice for reading those 4 days' worth of binary files back into Splunk through the OPSEC LEA process?
A monitor doesn't seem to work from inputs.conf.

Second question: how can you create a backup for the OPSEC LEA process so that if it fails (like it did here) another heavy forwarder can pick it up and input the data instead?

0 Karma

bheemireddi
Communicator

Hi mmoermans,

Since you mentioned you are using version 4.1 of OPSEC: when you noticed the outage time, if you log in to the Splunk UI and go to the input configuration in the Check Point add-on, you will see "StartTime". You can change that to the start time from which you want to pull the logs. (It can only go back to the beginning of the fw.log file on the Check Point side; if the file has already rolled off on that side, you wouldn't be able to get those logs.)

You can have a standby heavy forwarder with the same configuration (connections, certs, inputs, etc.) as the active forwarder; in the case of an outage, you bring it online, configure the StartTime on the standby, and start the forwarder. Basically you just need to configure the standby the same as the active one, and you only run it when needed.

0 Karma