I'm using the old lea-loggrabber app for collecting my Checkpoint logs (this one http://wiki.splunk.com/Community:Configure_OPSEC_LEA_input).
Is there a way to disable name resolution in there?
I've seen that it's a simple option in the new Splunk Add-on for Check Point OPSEC LEA.
I might migrate to the new app but I need to work on it as I've made a few changes to my scripts to support Splunk HA.
I have two indexers in a cluster and I can't have both running the script which would mean indexing the logs twice.
Thanks in advance.
You can turn off name resolution with a patched binary as referenced in http://answers.splunk.com/answers/23975/check-point-object-name-resolution.html
We usually set up a separate heavy forwarder for data collection using a pull for things like Check Point, McAfee, Sourcefire, dbcollect, etc.