Hi,

I'm trying to get less logs from CheckPoint Firewall (75.4) into a Splunk server (v 6).

I just want to have all logs exept action=accept.

I tried to change filter in /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/fw1-loggrabber.conf.

For example, I add FW1_FILTER_RULE="action!=accept"

But I think it don't works because when I try a new search with Splunk, I have lot of new logs with action=accept

Any idea?

Thanks !