Import Checkpoint Archive Logs

keithosullivan
New Member

I have Checkpoint logs going back which we have exported from our Checkpoint FW, and I would like to import them into Splunk. I have installed the opsec-lea module, but I would rather not set up the connectivity to our FW and just analyse the logs. Is this possible?

Many thanks in advance.


keithosullivan
New Member

Thanks Brian and Trey. I tried importing from a file and it fails with an object error (not much help, I know); however, I presume this is because the logs I have are all in binary format, as you say, Trey. Is the easiest way to convert them to load them back onto the Checkpoint, convert them, and bring them back into Splunk (either as a single file or into a temp directory)? The problem, I suppose, is that all my logs are in binary format.

Many thanks


treyka
Path Finder

fw log -p -n -l -o [logfile] should give you what you want - but refer to Checkpoint's documentation to be sure.


treyka
Path Finder

On your Checkpoint side I recommend that you use the 'fw log' command to dump each logfile to text. (Checkpoint natively stores its logs in a binary format.) Use a little shell globbing and a for loop and you should be able to easily get these into text format. Scp to your Splunk server and go with Brian's option #2.

Cheers, --Trey

Brian_Osburn
Builder

I can speak to the importing portion of the question.

There are several different ways you can import the logs:

  1. You can pull the logs down from the Firewall and do a manual import into Splunk
  2. You can pull the logs over to a temp directory on the Splunk server itself and set up an input to feed those files into Splunk.

I'd go with option #2, as this will probably be the quickest way to achieve what you want. When you're done, you can either nuke the input settings or leave them there in case you want to do this again.

Brian
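An added example (not code from anyone in this thread) that wires Trey's suggestion and Brian's option #2 together: a POSIX shell function that runs the fw log command from the thread over every binary .log file in a directory, writes one text file per log, and refuses to leave partial output behind if a conversion fails, plus a helper that prints the Splunk monitor stanza for the converted directory. It assumes the fw CLI is on PATH on the Check Point host (FW_LOG_CMD is a hypothetical override used only for testing), that binary log files carry the .log extension, and that $FWDIR/log is where they live; the sourcetype name is a placeholder.

```shell
# Added example, not from the thread. Converts Check Point binary logs to text
# with `fw log` and prints the inputs.conf stanza for Brian's option #2.

# dump_fw_logs SRC_DIR OUT_DIR
# Runs `fw log -p -n -l -o` on every *.log in SRC_DIR and writes OUT_DIR/<name>.txt.
# Prints the number of files converted. Returns non-zero (and removes the
# half-written .txt) if no .log files exist or any conversion fails.
dump_fw_logs() {
    src=$1; out=$2; count=0
    mkdir -p "$out" || return 1
    for f in "$src"/*.log; do
        # Unmatched glob stays literal: treat that as "nothing to convert".
        [ -e "$f" ] || { echo "no .log files in $src" >&2; return 1; }
        base=$(basename "$f" .log)
        # Flags exactly as given in the thread; FW_LOG_CMD is a test hook
        # (assumption) so the loop can be exercised without a Check Point host.
        if ${FW_LOG_CMD:-fw log} -p -n -l -o "$f" > "$out/$base.txt"; then
            count=$((count + 1))
        else
            rm -f "$out/$base.txt"
            echo "fw log failed on $f" >&2
            return 1
        fi
    done
    echo "$count"
}

# inputs_stanza OUT_DIR
# Prints a minimal [monitor://] stanza for inputs.conf on the Splunk server.
# "checkpoint_fwlog_text" is a placeholder sourcetype; choose one that matches
# the props/transforms you will parse these text dumps with.
inputs_stanza() {
    printf '[monitor://%s]\nsourcetype = checkpoint_fwlog_text\ndisabled = false\n' "$1"
}

# Typical run on the firewall (paths are assumptions), then scp OUT_DIR over:
#   dump_fw_logs "$FWDIR/log" /tmp/cp_text && inputs_stanza /tmp/cp_text
```

Copy the printed stanza into a local inputs.conf on the Splunk server once the text directory has been scp'd across, and delete or disable the stanza when the one-off load is finished, as Brian suggests.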
