Getting Data In

Checkpoint OPSEC LEA 4.1 manual log input and multiple HF's

mmoermans
Path Finder

Due to the lea_loggrabber script malfunctioning (reason unknown, nothing to be found in logging), we are missing 4 days' worth of Checkpoint logging. A restart of the heavy forwarder fixed the issue.

What's the best practice for reading those 4 days worth of binary files back into Splunk through the OPSEC LEA process?
A monitor doesn't seem to work from inputs.config.

Second question: How can you create a backup for the OPSEC LEA process so that if it fails (like happened) another Heavy Forwarder can pick it up and input the data instead?

0 Karma

bheemireddi
Communicator

Hi mmoermans,

Since you mentioned you are using version 4.1 of OPSEC: when you notice the outage, if you log in to the Splunk UI and go to the input configuration in the Checkpoint add-on, you will see "StartTime". You can change that to the start time from which you want to pull the logs. (It can only go back to the beginning of the fw.log on the Checkpoint side; if the file has already rolled off there, you won't be able to get those logs.)

You can have a standby heavy forwarder with the same configuration (connections, certs, inputs, etc.) as the active forwarder. In the case of an outage, you bring it online, configure the StartTime on the standby, and start the forwarder. Basically you just configure the standby the same as the active one and only run it when needed.

0 Karma
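One thing the thread does not cover is noticing the outage before four days have passed. The following is an added example, not part of either post and not from the Check Point add-on itself: a Splunk search that measures how long it has been since any Check Point event was last indexed, per forwarder host, so it can be saved as an alert. The index name `checkpoint`, the sourcetype `opsec`, and the 60-minute threshold are assumptions; substitute whatever your inputs actually use.

```spl
| tstats max(_indextime) AS last_indexed
    WHERE index=checkpoint sourcetype=opsec earliest=-30d
    BY host sourcetype
| eval lag_min=round((now()-last_indexed)/60, 0)
| where lag_min > 60
| eval last_indexed=strftime(last_indexed, "%Y-%m-%d %H:%M:%S")
| table host sourcetype last_indexed lag_min
```

Using `_indextime` rather than `_time` measures when events actually arrived at the indexer, so a later backfill with old event timestamps does not hide a current gap. Schedule it every 15 minutes or so and trigger when the number of results is greater than zero. Note the 30-day window: a feed that has been silent longer than the window disappears from the results entirely, so either keep the window wide or compare against a lookup of expected forwarder hosts.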