props.conf

arkonner · ‎09-01-2016

I have a checkpoint cluster configuration with a single management workstation - Installing the Add-on to establish the connection I got a huge volume of data - Should be possible to "filter" the checkpoint events in order to reduce it.

aosso · ‎09-01-2016

Hi,

Currently with this new version you can get this done with a props.conf/transforms.conf setup:

https://answers.splunk.com/comments/417715/view.html (this example only collects packets with status drop, reject and block)

View solution in original post

arkonner · ‎09-01-2016

This is exactly what I am looking for -

In the example under session opsecparsing] the Regex command allows only drop, reject and block - The regex should accept a command to exclude all different by "accept" like REGEX =! (accept)

[opsecparsing]
REGEX = (drop|reject|block)

props.conf

[opsec]
TRANSFORMS-drops = opsecnull, opsecparsing

#transforms.conf
[opsecnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[opsecparsing]
REGEX = (drop|reject|block)
DEST_KEY = queue
FORMAT = indexQueue

arrowecssupport · ‎09-01-2016

Are you actually running Check Point 4.0?

aosso · ‎09-01-2016

Hi,

Currently with this new version you can get this done with a props.conf/transforms.conf setup:

https://answers.splunk.com/comments/417715/view.html (this example only collects packets with status drop, reject and block)

Splunk Add-on for Checkpoint 4.0.0

props.conf

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?