Splunk Search

Check Point object name resolution

Peter
Path Finder

Just finished configuring the lea-loggrabber to get logs from some Check Point hosts. All is working correctly except I want to turn object name resolution off. Looks like it might be a command line parameter (--noresolve), but I can't get it to run successfully (http://www.sourcefiles.org/Miscellaneous/fw1-loggrabber-1.9.2.tar.gz.shtml)

Anyone done this?

1 Solution

hexx
Splunk Employee

With the contribution of Splunk Answers user treyka, we were able to patch and recompile the lea_loggrabber Linux binary to output semicolons as delimiters between field/value pairs:

  • Before:

    loc=2445861 filename=fw.log fileid=1314230340 time=25Aug2011 12:40:58 action=drop orig=FIREWALLNAME i/f_dir=inbound i/f_name=eth-s2p2c0 has_accounting=0 product=VPN-1 & FireWall-1 __policy_id_tag=product=VPN-1 & FireWall-1[db_tag={AAAAAAA-BBBBB-CCCCCC-DDDDDDD-EEEEEEEEEE};mgmt=LAB-CMA;date=1310743754;policy_name=ABCD_Policy] rule=77 rule_uid={19AD44C1-79E0-422F-91A6-FF2E6A818EEE} SmartDefense profile=No Protection src=1.2.3.4 s_port=40552 dst=4.3.2.1 service=snmp-read proto=udp

  • After:

    time=26Aug2011 12:34:34;action=drop;fw=1.2.3.4;if_dir=inbound;if_name=eth-s2p2c0;mgmt=LAB-CMA;policy_name=ABCD_Policy;rule=77;src=1.2.3.4;s_port=11334;dst=4.3.2.1;d_port=161;proto=udp;

In addition, this patched version of lea_loggrabber accepts new, mutually exclusive parameters to control the name resolution of objects:

  • The option --resolve will cause objects to be resolved, as is currently the case. Example:

    time= 4Aug2011 22:47:52;action=accept;fw=Win2k3-86sup01;if_dir=inbound;if_name=E1G606;mgmt=Win2k3-86sup01;policy_name=Standard;rule=2;rule_name=LEA traffic;service_id=FW1_lea;src=beefysup01.splunk.com;s_port=33776;dst=Win2k3-86sup01;d_port=FW1_lea;proto=tcp;

  • The option --no-resolve will prevent object name resolution. Example:

    time= 4Aug2011 22:47:00;action=accept;fw=10.160.31.56;if_dir=inbound;if_name=E1G606;mgmt=Win2k3-86sup01;policy_name=Standard;rule=2;rule_name=LEA traffic;service_id=FW1_lea;src=10.1.12.1;s_port=47250;dst=10.160.31.56;d_port=18184;proto=tcp;

Some important remarks:

  • This patched version of the lea_loggrabber binary is not currently integrated into the app packaged on splunkbase. It can be obtained by requesting it from Splunk Support. Please open a support case if you would like to receive it.
  • Only the Linux (32bit/64bit) version of the lea_loggrabber binary has been recompiled with this patch.
  • The patched binary will be provided "as is". It has not been tested by Splunk Quality Assurance, which is why it has not yet been integrated in the package available on splunkbase.

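The two output formats above are not equally easy to consume, which is the real reason for the patch: in the original space-delimited form a value may itself contain spaces and `=` (`product=VPN-1 & FireWall-1`, the whole `__policy_id_tag=...[...]` blob), and the `SmartDefense profile` field name even contains a space, so a naive `split()` on whitespace scrambles the record. The following is an added example for this thread, not code from fw1-loggrabber, the Splunk app or hexx's patch. It parses both forms (assuming, as the samples show, that a key in the space-delimited form is always preceded by whitespace and that the patched form never emits `;` inside a value), and then flags address and port fields that carry a resolved object name rather than an IP or port number, which is a quick way to notice that a feed is still running with `--resolve`. The sample lines are constructed from the records quoted in the answer, with the run-together `dst=4.3.2.1service=` in the original post read as a missing space.

```python
"""Parse Check Point LEA lines in the original space-delimited form and in the
patched semicolon-delimited form, and flag fields that were resolved to object names.

Added example for this thread; not code from fw1-loggrabber, the patch or Splunk."""
import ipaddress
import re
from typing import Dict, List

# Sample lines constructed from the records quoted in the answer above.
BEFORE_LINE = (
    "loc=2445861 filename=fw.log fileid=1314230340 time=25Aug2011 12:40:58 action=drop "
    "orig=FIREWALLNAME i/f_dir=inbound i/f_name=eth-s2p2c0 has_accounting=0 "
    "product=VPN-1 & FireWall-1 __policy_id_tag=product=VPN-1 & FireWall-1"
    "[db_tag={AAAAAAA-BBBBB-CCCCCC-DDDDDDD-EEEEEEEEEE};mgmt=LAB-CMA;date=1310743754;"
    "policy_name=ABCD_Policy] rule=77 rule_uid={19AD44C1-79E0-422F-91A6-FF2E6A818EEE} "
    "SmartDefense profile=No Protection src=1.2.3.4 s_port=40552 dst=4.3.2.1 "
    "service=snmp-read proto=udp"
)
AFTER_LINE = (
    "time=26Aug2011 12:34:34;action=drop;fw=1.2.3.4;if_dir=inbound;if_name=eth-s2p2c0;"
    "mgmt=LAB-CMA;policy_name=ABCD_Policy;rule=77;src=1.2.3.4;s_port=11334;dst=4.3.2.1;"
    "d_port=161;proto=udp;"
)
RESOLVED_LINE = (
    "time= 4Aug2011 22:47:52;action=accept;fw=Win2k3-86sup01;if_dir=inbound;if_name=E1G606;"
    "mgmt=Win2k3-86sup01;policy_name=Standard;rule=2;rule_name=LEA traffic;service_id=FW1_lea;"
    "src=beefysup01.splunk.com;s_port=33776;dst=Win2k3-86sup01;d_port=FW1_lea;proto=tcp;"
)
NO_RESOLVE_LINE = (
    "time= 4Aug2011 22:47:00;action=accept;fw=10.160.31.56;if_dir=inbound;if_name=E1G606;"
    "mgmt=Win2k3-86sup01;policy_name=Standard;rule=2;rule_name=LEA traffic;service_id=FW1_lea;"
    "src=10.1.12.1;s_port=47250;dst=10.160.31.56;d_port=18184;proto=tcp;"
)

# Assumption: in the space-delimited form a key starts at the beginning of the line or
# right after whitespace and may contain '/' (i/f_dir, i/f_name). Everything up to the
# next such key is the value, so 'product=VPN-1 & FireWall-1' and the '[db_tag=...]'
# blob stay intact because their inner '=' are not preceded by whitespace.
_SPACE_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z_][\w/]*)=")


def parse_space_delimited(line: str) -> Dict[str, str]:
    """Original loggrabber output: 'k=v k=v', values may contain spaces and '='."""
    matches = list(_SPACE_KEY.finditer(line))
    fields: Dict[str, str] = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(line)
        fields[m.group(1)] = line[m.end():end].strip()
    return fields


def parse_semicolon_delimited(line: str) -> Dict[str, str]:
    """Patched output: 'k=v;k=v;' with a trailing ';'. Split on the first '=' of each
    pair only. Assumption: the patched binary never emits ';' inside a value."""
    fields: Dict[str, str] = {}
    for pair in line.split(";"):
        if not pair.strip():
            continue
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"malformed pair: {pair!r}")
        fields[key.strip()] = value.strip()
    return fields


def parse_lea(line: str) -> Dict[str, str]:
    """Dispatch on format: the patched binary terminates every pair with ';'."""
    if line.rstrip().endswith(";"):
        return parse_semicolon_delimited(line)
    return parse_space_delimited(line)


ADDRESS_FIELDS = ("src", "dst", "fw", "orig")
PORT_FIELDS = ("s_port", "d_port")


def resolved_fields(fields: Dict[str, str]) -> List[str]:
    """Return the address/port fields whose value is not an IP literal or a port number,
    i.e. fields the grabber resolved to a Check Point object or service name. An empty
    list means the record looks like --no-resolve output."""
    flagged: List[str] = []
    for key in ADDRESS_FIELDS:
        value = fields.get(key)
        if value is None:
            continue
        try:
            ipaddress.ip_address(value)
        except ValueError:
            flagged.append(key)
    for key in PORT_FIELDS:
        value = fields.get(key)
        if value is not None and not value.isdigit():
            flagged.append(key)
    return flagged


if __name__ == "__main__":
    for label, line in (("before", BEFORE_LINE), ("after", AFTER_LINE),
                        ("--resolve", RESOLVED_LINE), ("--no-resolve", NO_RESOLVE_LINE)):
        fields = parse_lea(line)
        print(f"{label:13s} src={fields.get('src')!r:28} dst={fields.get('dst')!r:20} "
              f"resolved={resolved_fields(fields)}")
```

Note that on the space-delimited sample the `SmartDefense profile` quirk is visible in the result: `rule_uid` ends up as `{...} SmartDefense` and the key becomes `profile`, which is exactly the kind of ambiguity the semicolon format removes. The resolved-name check is worth running once after a config change, since a record like `src=beefysup01.splunk.com` silently breaks any search or lookup keyed on IP.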

jcoates_splunk
Splunk Employee

Support just brought this page to my attention... greetings from late 2014, we come in peace. There is now an official and supported OPSEC LEA solution for Linux: https://apps.splunk.com/app/1454 and Solaris: https://apps.splunk.com/app/1453

The semicolon delimiter thing is not in there, but you can toggle no-resolve. See http://docs.splunk.com/Documentation/OPSEC-LEA/latest/Install/ConfiguretheLEAclient for instructions.

Peter
Path Finder

Anyone have any experience with the fw1-loggrabber?
