Check Point object name resolution

Peter
Path Finder

Just finished configuring the lea-loggrabber to get logs from some Check Point hosts. All is working correctly except I want to turn object name resolution off. Looks like it might be a command line parameter (--noresolve), but I can't get it to run successfully (http://www.sourcefiles.org/Miscellaneous/fw1-loggrabber-1.9.2.tar.gz.shtml)

Anyone done this?

1 Solution

hexx
Splunk Employee

With the contribution of Splunk Answers user treyka, we were able to patch and recompile the lea_loggrabber Linux binary to output semi-colons as delimiters between field/value pairs:

  • Before:

    loc=2445861 filename=fw.log fileid=1314230340 time=25Aug2011 12:40:58 action=drop orig=FIREWALLNAME i/f_dir=inbound i/f_name=eth-s2p2c0 has_accounting=0 product=VPN-1 & FireWall-1 __policy_id_tag=product=VPN-1 & FireWall-1[db_tag={AAAAAAA-BBBBB-CCCCCC-DDDDDDD-EEEEEEEEEE};mgmt=LAB-CMA;date=1310743754;policy_name=ABCD_Policy] rule=77 rule_uid={19AD44C1-79E0-422F-91A6-FF2E6A818EEE} SmartDefense profile=No Protection src=1.2.3.4 s_port=40552 dst=4.3.2.1 service=snmp-read proto=udp

  • After:

    time=26Aug2011 12:34:34;action=drop;fw=1.2.3.4;if_dir=inbound;if_name=eth-s2p2c0;mgmt=LAB-CMA;policy_name=ABCD_Policy;rule=77;src=1.2.3.4;s_port=11334;dst=4.3.2.1;d_port=161;proto=udp;

In addition, this patched version of lea_loggrabber accepts new, mutually exclusive parameters to control the name resolution of objects:

  • The option --resolve will cause objects to be resolved, as is currently the case. Example:

    time= 4Aug2011 22:47:52;action=accept;fw=Win2k3-86sup01;if_dir=inbound;if_name=E1G606;mgmt=Win2k3-86sup01;policy_name=Standard;rule=2;rule_name=LEA traffic;service_id=FW1_lea;src=beefysup01.splunk.com;s_port=33776;dst=Win2k3-86sup01;d_port=FW1_lea;proto=tcp;

  • The option --no-resolve will prevent object name resolution. Example:

    time= 4Aug2011 22:47:00;action=accept;fw=10.160.31.56;if_dir=inbound;if_name=E1G606;mgmt=Win2k3-86sup01;policy_name=Standard;rule=2;rule_name=LEA traffic;service_id=FW1_lea;src=10.1.12.1;s_port=47250;dst=10.160.31.56;d_port=18184;proto=tcp;

Some important remarks:

  • This patched version of the lea_loggrabber binary is not currently integrated to the app packaged on splunkbase. It can be obtained by requesting it from Splunk Support. Please open a support case if you would like to receive it.
  • Only the Linux (32bit/64bit) version of the lea_loggrabber binary has been recompiled with this patch.
  • The patched binary will be provided "as is". It has not been tested by Splunk Quality Assurance, which is why it has not yet been integrated in the package available on splunkbase.

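The semicolon-delimited format above is straightforward to parse, and the difference between the --resolve and --no-resolve outputs can be checked mechanically: if fw/src/dst are not IP literals, or s_port/d_port are not numeric, the exporter is still resolving object names. The following is an added example (not code from the post or from lea_loggrabber); the sample lines are constructed after the ones shown above.

```python
import ipaddress
from datetime import datetime

# Constructed sample records in the patched lea_loggrabber "k=v;" format,
# modelled on the --resolve and --no-resolve examples in the post.
SAMPLE_RESOLVED = ("time= 4Aug2011 22:47:52;action=accept;fw=Win2k3-86sup01;"
                   "if_dir=inbound;rule_name=LEA traffic;src=beefysup01.splunk.com;"
                   "s_port=33776;dst=Win2k3-86sup01;d_port=FW1_lea;proto=tcp;")
SAMPLE_NORESOLVE = ("time= 4Aug2011 22:47:00;action=accept;fw=10.160.31.56;"
                    "if_dir=inbound;rule_name=LEA traffic;src=10.1.12.1;"
                    "s_port=47250;dst=10.160.31.56;d_port=18184;proto=tcp;")


def parse_lea_line(line):
    """Split one 'k=v;k=v;' record into a dict.

    Values keep embedded spaces (rule_name=LEA traffic), only the first
    '=' separates key from value, and the trailing ';' yields no pair."""
    fields = {}
    for pair in line.split(";"):
        if "=" not in pair:
            continue
        key, value = pair.split("=", 1)
        fields[key.strip()] = value.strip()
    return fields


def parse_lea_time(value):
    """Parse the 'time' field; single-digit days are space padded ( 4Aug2011)."""
    return datetime.strptime(value.strip(), "%d%b%Y %H:%M:%S")


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def resolved_fields(fields):
    """Names of address/port fields that hold object names instead of
    IP literals / port numbers. Empty list means --no-resolve output."""
    names = [k for k in ("fw", "src", "dst") if k in fields and not is_ip(fields[k])]
    names += [k for k in ("s_port", "d_port") if k in fields and not fields[k].isdigit()]
    return names
```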

jcoates_splunk
Splunk Employee

Support just brought this page to my attention... greetings from late 2014, we come in peace. There is now an official and supported OPSEC LEA solution for Linux: https://apps.splunk.com/app/1454 and Solaris: https://apps.splunk.com/app/1453

The semicolon delimiter thing is not in there, but you can toggle no-resolve. See http://docs.splunk.com/Documentation/OPSEC-LEA/latest/Install/ConfiguretheLEAclient for instructions.

Peter
Path Finder

Anyone have any experience with the fw1-loggrabber?
