- Splunk Answers
- :
- Using Splunk
- :
- Reporting
- :
- Re: Can you help me with my checkpoint log export?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you help me with my checkpoint log export?
Hello all,
I am a novice when it comes to Splunk. I am in the process of building a POC using checkpoint log export feature. I am running R77.30 T338. My goal is to export log from customer CLM to Splunk 7.2.0. Below is my configuration on checkpoint side:
[Expert@mlm11:0] cp_log_export show
name: C1-export domain-server: clm1
enabled: true
target-server: 172.16.1.10
target-port: 4321
protocol: tcp
format: splunk
read-mode: raw
Once this export is restarted, I can see that SYN are being sent to Splunk instance, by looking at the netstat on the MLM server.
However, SYN ack is never sent back so three way handshake cannot complete. When I try simple telnet to this remote port 4321, I do not receive any response either. I guess I am missing something in Splunk configuration. I have set up a new Data input as local tcp on port 4321. I can see that is is listening on it
[splunk@siem1 ~]$ netstat -antp | grep 4321
tcp 0 0 0.0.0.0:4321 0.0.0.0:* LISTEN 1657/splunkd
From Splunk itself, I am able to connect to this port locally.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had a similar problem.
Our setup is:
CheckPoint Log Server => Splunk Intermediate Heavy Forwarder => Splunk Cloud indexer.
The Intermediate HF was set-up to listen on TCP 514 from limited list of IP addresses (CheckPoint Log Servers).
It didn't work, because you are not allowed to listen on ports below 1024 on Linux if you don't have root privileges. The intermediate HF was sending "Reset" packages to the LogExporter Log server.
After that, I changed the port to 9997, but it didn't work as well, because this port is reserved for Splunk "cooked" data ingestion from Splunk instances.
Finally, I made it work after selecting the port 18188. This port turned-out to be free and not reserved for other apps.
This is example of my inputs.conf on the Heavy Forwarder:
[tcp://1.2.3.4:18188]
host = checkpoint_host_1
sourcetype = cp_log
index = logexporter_index
[tcp://1.2.3.5:18188]
host = checkpoint_host_2
sourcetype = cp_log
index = logexporter_index
[tcp://1.2.3.6:18188]
host = checkpoint_host_3
sourcetype = cp_log
index = logexporter_index
The outputs.conf file is set to send the data to the cloud:
[tcpout]
defaultGroup = splunkcloud
[tcpout:splunkcloud]
server = input_host.splunkcloud.com:9997
compressed = false
Seems like the port number is very important and you cannot select just any random port...
Also you need to check if the traffic is not being blocked on a Firewall device between the Log Server and Splunk instance.
I hope that this info is helpful, because I didn't find anything like that in the CheckPoint Log Exporter documentation.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you ever resolve this issue? I'm running into the exact same issue currently.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
