Need to collect from multiple opsec instances

christianvalin
Explorer

In my case, I have multiple and separate Checkpoint management consoles (production, staging, development). I tried to create a new connection to staging after having my production instance operate for about a year. Trouble is that the new connection I just tried for Staging is not yet trusted. From the docs for the opsec app (version 2.0.4, latest), it seems like if I import the certificate I would unintentionally replace the certificate I need to support production. I told the 'wizard' that I already have a certificate. Do I need to have the opsec app installed once again for each new console (not firewall but management console) on my indexer and how do I accomplish that OR have I just missed something in my assumptions? Ideally I want to log each environment to a unique index so forwarding logs to one environment would work but it would not give me the isolation I need. How do I get my three management consoles monitored and events into Splunk? Has anyone else had a similar situation?

1 Solution

araitz
Splunk Employee

No, you only need one instance of the app. We have customers monitoring firewall data from scores of FW-1, MDS, etc.

If you need to pull a certificate from your staging environment, you should set up a new connection and follow the docs steps to pull a new certificate for that environment. It will not overwrite your old certificate. For each connection you create, you can have the data sent to a different index.

0 Karma