Splunk Search

Loggraber - how to get all logs exept action=accept from CP

clanglais
Explorer

Hi,

I'm trying to get less logs from CheckPoint Firewall (75.4) into a Splunk server (v 6).

I just want to have all logs exept action=accept.

I tried to change filter in /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/fw1-loggrabber.conf.

For example, I add FW1_FILTER_RULE="action!=accept"

But I think it don't works because when I try a new search with Splunk, I have lot of new logs with action=accept

Any idea?

Thanks !

1 Solution

araitz
Splunk Employee
Splunk Employee

See the answer above in the comment. One thing to note is that there is a bug in the OPSEC LEA SDK (i.e. the one that CheckPoint provides) that makes FW1_FILTER_RULE not work.

View solution in original post

araitz
Splunk Employee
Splunk Employee

See the answer above in the comment. One thing to note is that there is a bug in the OPSEC LEA SDK (i.e. the one that CheckPoint provides) that makes FW1_FILTER_RULE not work.

View solution in original post

clanglais
Explorer

I see,

This solution Works for me, Thanks a lot !

0 Karma

Chubbybunny
Splunk Employee
Splunk Employee

use overrides (props & transforms) to filter out the unwanted events.

props.conf

[opsec]
TRANSFORMS = carrot, rabbit_hole

transforms.conf

[rabbit_hole]
REGEX = action=accept 
DEST_KEY = queue 
FORMAT = nullQueue


[carrot]
REGEX=.
DEST_KEY = queue
FORMAT = indexQueue

** ascii art (optional) **

(\__/)
(='.'=)
(")_(")
0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!