
Splunk add-on for Checkpoint not extracting fields

Navanitha
Path Finder

I have a Splunk SH cluster (3 SHs in the cluster) and we are collecting Checkpoint logs using syslog; a Splunk HF then reads the Checkpoint logs (basically a flat file) and indexes them into Splunk. Now my issue is that I see the events are extracted as they should be when an add-on is used. However, I do not see any Checkpoint app/add-on installed on the SHs / HF. No manual field extractions either. I would like to know if there is any way to check how the fields are extracted?

Secondly, we also have a separate SH running ES. On this, I don't see the events being extracted as I see them on our SH cluster. I did try to install the Splunk Add-on for Checkpoint to parse the fields and make them CIM compliant, but the fields are not extracted. I changed the sourcetype of the CP logs to match the add-on but still no luck. I am using the Splunk Add-on for Check Point Log Exporter. Appreciate your thoughts on this.

0 Karma

gcusello
SplunkTrust

Hi @Navanitha,

What's the sourcetype of your checkpoint data?

Usually it's renamed, and the field extractions are tied to the new sourcetype.

This means that you have to install the CheckPoint Add-on on both the SH and the HF.

In addition, you have to associate the sourcetype "cp_log" with the checkpoint input so the Add-on can correctly modify the sourcetype.

Read the instructions of the Checkpoint Add-on. Which one are you using?

Ciao.

Giuseppe

0 Karma

Navanitha
Path Finder

Hi @gcusello,

I am using the "Splunk Add-on for Check Point Log Exporter" from https://splunkbase.splunk.com/app/5478.

I installed this on the Splunk SH and renamed the sourcetype on the Splunk HF to "cp_log:syslog" as per the add-on.

0 Karma

gcusello
SplunkTrust

Hi @Navanitha,

Try to install it on the HF as well.

Ciao.

Giuseppe

0 Karma

Navanitha
Path Finder

I tried installing the add-on on HF but no luck.  I am working with Splunk support on this and they figured that the KV store for Checkpoint add-on is not loading as the regex is not matching our events.  They are working on giving me a regex, will try it out once I have it.

0 Karma

gcusello
SplunkTrust

Hi @Navanitha ,

Please publish the solution when you solve it, for the other people of the Community.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated 😉

nguyens
New Member

Hi,

I was facing the same issue. I changed the following under transforms.conf:

[kv_cp_log_format]
REGEX = ([a-zA-Z0-9_-]+)[:=]+([^|]+)

[kv_cp_syslog_log_format]
REGEX = ([a-zA-Z0-9_-]+)[:=]+"((?:[^"\\]|\\.)+)"


0 Karma
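As an added example (not posted by anyone in the thread and not part of the add-on), the two REGEX values above can be dry-run against sample events before touching transforms.conf, which is exactly the check support was doing when they found the shipped regex did not match the events. It assumes the usual KV mapping of group 1 as field name and group 2 as value, and uses Python's re module as a stand-in for Splunk's PCRE engine; the sample lines are constructed, not real Check Point output.

```python
import re

# REGEX values from the transforms.conf stanzas posted in the thread, copied verbatim.
CP_LOG_FORMAT_REGEX = r'([a-zA-Z0-9_-]+)[:=]+([^|]+)'                   # [kv_cp_log_format]
CP_SYSLOG_LOG_FORMAT_REGEX = r'([a-zA-Z0-9_-]+)[:=]+"((?:[^"\\]|\\.)+)"'  # [kv_cp_syslog_log_format]

# Constructed sample events (not real Check Point output): a pipe-delimited
# key=value line in the style the first stanza targets, and a key:"value" line
# in the style the second stanza targets. RFC 5737 documentation addresses.
SAMPLE_PIPE_EVENT = 'action=Accept|src=192.0.2.10|dst=198.51.100.7|service=443|proto=tcp'
SAMPLE_SYSLOG_EVENT = (
    'action:"Drop"; src:"192.0.2.10"; dst:"198.51.100.7"; '
    'rule_name:"Block \\"quoted\\" traffic"; service_id:"https"'
)


def extract_kv(regex: str, event: str) -> dict:
    """Emulate a Splunk KV transform: capture group 1 is the field name,
    group 2 is the field value. re.finditer approximates the repeated
    matching Splunk applies across the whole event (an assumption of this
    emulation, not a statement about the add-on's own configuration)."""
    fields = {}
    for match in re.finditer(regex, event):
        key, value = match.group(1), match.group(2)
        fields.setdefault(key, value)  # keep the first occurrence of a repeated key
    return fields


def field_mismatch_report(regex: str, event: str, expected: set) -> set:
    """Return the expected field names the regex failed to extract from the event.
    An empty set means the regex fits this event format."""
    return expected - set(extract_kv(regex, event))


if __name__ == "__main__":
    want = {"action", "src", "dst"}
    # Right regex for each format: every expected field is extracted.
    print(extract_kv(CP_LOG_FORMAT_REGEX, SAMPLE_PIPE_EVENT))
    print(extract_kv(CP_SYSLOG_LOG_FORMAT_REGEX, SAMPLE_SYSLOG_EVENT))
    # Wrong regex for the format: [^|]+ swallows the whole key:"value" line
    # into a single field, which is what "regex not matching our events" looks like.
    print(field_mismatch_report(CP_LOG_FORMAT_REGEX, SAMPLE_SYSLOG_EVENT, want))
```

Run it against a few lines copied from your own index (after confirming the sourcetype is really cp_log:syslog) and adjust the REGEX until the mismatch report is empty for every field you expect.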

wali02
Observer

@nguyens  Thanks it worked...

0 Karma