Our firewall team has told us that they have turned on logging for successful connection for edge firewall. How can you validate this is true in Splunk?
The edge firewalls are a combination of Cisco ASA's and Checkpoints
Thank You
I would just keep it simple. Look for your own username in the raw log.
index=firewalls "AJeepDude"
Once you find the right event, look at it in verbose mode and make sure the user=AJeepDude. If you care about CIM, then check the tags.
here's a nice search to validate your Check Point FW event data is successfully indexing FW event logs:
index=_internal host= source="splunk_ta_checkpoint-opseclea_modinput.log" "Successfully indexed events:" |rex field=_raw "Successfully indexed events:\s(?.*)" |timechart span=600s sum(EVENT_COUNT) by connection
