lea-loggrabber.sh for Checkpoint not quite working, logs are not showing in Splunk

mmletzko
Path Finder

I have the lea loggrabber for Checkpoint set up but it's not quite working... I am missing something.

When I execute the lea-loggrabber.sh file, it scrolls through all of the Checkpoint logging from the last point it ran, up until the current time, so I know it's seeing the logs. I have the inputs.conf set up to check every 60 seconds.

But I'm not seeing the logs in Splunk. There is no opsec sourcetype. Anyone know what the issue is?

Thanks!

0 Karma

mmletzko
Path Finder

Sorry took so long to answer, first time I've been back out here since.

You can confirm you see the log data by just executing the lea-loggrabber.sh executable. If it's working correctly, you'll see the log data on the screen until it catches up to the current date/time.

We're actually trying to figure one out right now in which the communication link seems to be fine, but when we execute that command, it just gives the prompt back - no log data seen. Strange because with 4 of our Checkpoint connections, they worked fine using "18184" in the putkey command. This one that's not working needed "fw" for it to work.

The other way to confirm it's working is to just search in the GUI for a device that you know exists in the Checkpoint, not to mention it will have "opsec" as the sourcetype.

If you do a "snoop host (ip of checkpoint)" at the Splunk box CLI, you should also see communication every x seconds (however you configured your inputs.conf file).

Also, you can use the '-debug' option for the lea-loggrabber.sh and see if communication is working.

0 Karma

EricPartington
Communicator

I am also struggling to get the lea config working. How did you determine that you were seeing the logs from the Checkpoint server? What debug files / settings did you use?

0 Karma

mmletzko
Path Finder

Figured this out. The inputs.conf file I had put in the /local folder still had the old path to the executable:

[script://./bin/lea-loggrabber.sh]

…instead of:

[script:/opt/splunk/etc/apps/lea-loggrabber-Integrations_CMA/bin/lea-loggrabber.sh]
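A stale path in a script:// stanza fails silently: the scripted input just never produces events. Added example, not code from the thread or from the lea-loggrabber app: a POSIX sh check that reads every [script://...] stanza from an inputs.conf, resolves ./ paths against the app directory, and reports targets that are missing or not executable. The app names and paths in the sample data are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Verifies that each [script://...]
# stanza in an inputs.conf points at an existing, executable file.

# check_script_stanzas <inputs.conf> <app_dir>
# Prints one OK / MISSING / NOEXEC line per stanza; returns 1 if any is broken.
check_script_stanzas() {
    conf="$1"; app_dir="$2"; rc=0
    while IFS= read -r target; do
        [ -z "$target" ] && continue
        path="${target#//}"                 # script://X -> X ; script:/X -> /X
        case "$path" in
            ./*) resolved="$app_dir/${path#./}" ;;  # ./bin/... is relative to the app
            /*)  resolved="$path" ;;                # absolute path
            *)   resolved="$app_dir/$path" ;;
        esac
        if   [ ! -e "$resolved" ]; then echo "MISSING $resolved"; rc=1
        elif [ ! -x "$resolved" ]; then echo "NOEXEC $resolved";  rc=1
        else echo "OK $resolved"
        fi
    done <<EOF
$(sed -n 's/^\[script:\(.*\)\]$/\1/p' "$conf")
EOF
    return $rc
}

# --- constructed sample data (placeholder app names, not real paths) ---
SAMPLE_ROOT="$(mktemp -d)"
APP_DIR="$SAMPLE_ROOT/etc/apps/example_lea_app"   # app that really holds the grabber
mkdir -p "$APP_DIR/bin" "$APP_DIR/local"
printf '#!/bin/sh\necho sample\n' > "$APP_DIR/bin/lea-loggrabber.sh"
chmod +x "$APP_DIR/bin/lea-loggrabber.sh"

# Working stanza: absolute path to the grabber, as in the thread's fix.
GOOD_CONF="$APP_DIR/local/inputs.conf"
printf '[script://%s/bin/lea-loggrabber.sh]\ninterval = 60\nsourcetype = opsec\n' \
    "$APP_DIR" > "$GOOD_CONF"

# Broken stanza: ./bin/... in an app that has no bin/lea-loggrabber.sh.
OTHER_APP="$SAMPLE_ROOT/etc/apps/other_app"
mkdir -p "$OTHER_APP/local"
BAD_CONF="$OTHER_APP/local/inputs.conf"
printf '[script://./bin/lea-loggrabber.sh]\ninterval = 60\n' > "$BAD_CONF"

check_script_stanzas "$GOOD_CONF" "$APP_DIR"
check_script_stanzas "$BAD_CONF" "$OTHER_APP" || echo "broken stanza in $BAD_CONF"
```

Run it against a real app by pointing it at $SPLUNK_HOME/etc/apps/<app>/local/inputs.conf and the app directory.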
