Getting Data In

lea-loggrabber.sh for Checkpoint not quite working, logs are not showing in Splunk

mmletzko
Path Finder

I have the lea loggrabber for Checkpoint setup but its not quite working...I am missing something.

When I execute the lea-loggraber.sh file, it scrolls through all of the checkpoint logging from the last point it ran, up until the current time, so I know its seeing the logs. I have the inputs.conf setup to check every 60 seconds.

But, I'm not seeing the logs in splunk. There is no opsec sourcetype. Anyone know what the issue is?

Thanks!

0 Karma

mmletzko
Path Finder

Sorry took so long to answer, first time I've been back out here since.

You can confirm you see the log data by just executing the lea-loggrabber.sh executable. If its working correctly, you'll see the log data on the screen until it catches up to the current date/time.

We're actually trying to figure one out right now in which the communication link seems to be fine, but when we execute that command, it just gives the prompt back - no log data seen. Strange because with 4 of our Checkpoint connections, they worked fine using "18184" in the putkey command. This one that's not working needed "fw" for it to work.

The other way to confirm its working is to just search in the gui for a device that you know exists in the checkpoint, not to mention it will have "opsec" as the sourcetype.

If you do a "snoop host (ip of checkpoint)" at the splunkbox cli, you should also see communication every x seconds (however you configured your inputs.conf file).

Also, you can use the '-debug' option for the lea-loggrabber.sh and see if communication is working.

0 Karma

EricPartington
Communicator

I am also struggling to get the lea config working. How did you determine that you were seeing the logs from the checkpoint server? what debug files / settings did you use?

0 Karma

mmletzko
Path Finder

Figured this out. The inputs.conf file I had put in the /local folder still had the old path to the executable:

[script://./bin/lea-loggrabber.sh]

…instead of:

[script:/opt/splunk/etc/apps/lea-loggrabber-Integrations_CMA/bin/lea-loggrabber.sh]

Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...