Options in lea-loggrabber app

Mahieu
Communicator

Hi there,

I'm using the old lea-loggrabber app for collecting my Check Point logs (this one: http://wiki.splunk.com/Community:Configure_OPSEC_LEA_input).
Is there a way to disable name resolution in there?
I've seen that it's a simple option in the new Splunk Add-on for Check Point OPSEC LEA.

I might migrate to the new app but I need to work on it as I've made a few changes to my scripts to support Splunk HA.
I have two indexers in a cluster and I can't have both running the script which would mean indexing the logs twice.

Thanks in advance.

M.

duberich
New Member

You can turn off name resolution with a patched binary as referenced in http://answers.splunk.com/answers/23975/check-point-object-name-resolution.html

We usually set up a separate heavy forwarder for data collection using a pull for things like Check Point, McAfee, Sourcefire, dbcollect, etc.

Regards,
--Rich

Mahieu
Communicator

Looks interesting, do you know where I can get this patched version?
Thanks in advance.

Mat

duberich
New Member

Should be able to get it through support.

--Rich
