We just ran into the same problem after upgrading the checkpoint lea opsec app to 5.0. After a while the number of processes grows. Have you already found a solution for your problem ? ... View more

So are you receiving data at all? If so, check the sourcetype. I had to remove the syslog stanza completely. I have a Syslog-ng listening and then sending to the index cluster sourcetype=secretserver Then I checked the case of the stanza (does that matter?) [secretserver] EXTRACT-EventID = (?i)^(?:[^|]*|){4}(?P[^|]+) EXTRACT-action = (Action: (?P[[^:]]+]) ) EXTRACT-body = ^([^|]+|){7}(?P[^|]+) EXTRACT-by_user = (By User: (?P(^:=)+) ) EXTRACT-container_name = (Container Name: (?P[^:=]+(?!suid=)) ) EXTRACT-details = (Details: (?P[^:]+) (suid=)) EXTRACT-event = (Event: (?P[^:]+) ) EXTRACT-file_id = (fileId=(?P[^=]+) ) EXTRACT-file_name = (fname=(?P[^=]+) ) EXTRACT-file_type = (fileType=(?P[^=]+) ) EXTRACT-full_suser = (?i) suser=(?P.+?)\s\S+= EXTRACT-item_name = (Item Name: (?P[^:=]+(?!suid=)) ) EXTRACT-log_level = ^([^|]+|){6}(?P[^|]+) EXTRACT-message_name = ^([^|]+|){5}(?P[^|]+) EXTRACT-preamble = ^(?P[^|]+)| EXTRACT-product = ^([^|]+|){2}(?P[^|]+) EXTRACT-receipt_time = (rt=(?P[^=]+) ) EXTRACT-tss_cs1 = (cs1=(?P[^=]+) ) EXTRACT-tss_cs1Label = (cs1Label=(?P[^=]+) ) EXTRACT-tss_cs2 = (cs2=(?P[^=]+) ) EXTRACT-tss_cs2Label = (cs2Label=(?P[^=]+) ) EXTRACT-tss_cs3 = (cs3=(?P[^=]+) ) EXTRACT-tss_cs3Label = (cs3Label=(?P[^=]+) ) EXTRACT-tss_cs4 = (cs4=(?P[^=]+) ) EXTRACT-tss_cs4Label = (cs4Label=(?P[^=]+) ) EXTRACT-tss_msg = (msg=(?P[^=]+) ) EXTRACT-tss_signature_id = ^([^|]+|){4}(?P[^|]+) EXTRACT-tss_src = (src=(?P[^=]+) ) EXTRACT-tss_suid = (suid=(?P[^=]+) ) EXTRACT-tss_suser = (suser=(?P[^=]+) ) EXTRACT-vendor = ^([^|]+|){1}(?P[^|]+) EXTRACT-version = ^([^|]+|){3}(?P[^|]+) FIELDALIAS-aob_gen_syslog_alias_1 = EventID AS signature_id FIELDALIAS-aob_gen_syslog_alias_10 = action AS change_type FIELDALIAS-aob_gen_syslog_alias_11 = tss_cs1 AS cs1 FIELDALIAS-aob_gen_syslog_alias_12 = tss_cs2 AS cs2 FIELDALIAS-aob_gen_syslog_alias_13 = tss_cs3 AS cs3 FIELDALIAS-aob_gen_syslog_alias_14 = tss_cs4 AS cs4 FIELDALIAS-aob_gen_syslog_alias_15 = tss_cs4Label AS cs4Label FIELDALIAS-aob_gen_syslog_alias_16 = tss_cs3Label AS cs3Label FIELDALIAS-aob_gen_syslog_alias_17 = tss_cs2Label AS cs2Label FIELDALIAS-aob_gen_syslog_alias_18 = tss_cs1Label AS cs1Label FIELDALIAS-aob_gen_syslog_alias_19 = tss_msg AS msg FIELDALIAS-aob_gen_syslog_alias_2 = product AS vendor_product FIELDALIAS-aob_gen_syslog_alias_20 = tss_signature_id AS signature_id FIELDALIAS-aob_gen_syslog_alias_3 = product AS app FIELDALIAS-aob_gen_syslog_alias_4 = log_level AS severity FIELDALIAS-aob_gen_syslog_alias_5 = suser AS src_user FIELDALIAS-aob_gen_syslog_alias_6 = suser AS user FIELDALIAS-aob_gen_syslog_alias_7 = duser AS object FIELDALIAS-aob_gen_syslog_alias_8 = duid AS object_id FIELDALIAS-aob_gen_syslog_alias_9 = container_name AS dest SHOULD_LINEMERGE = 0 pulldown_type = 1 ... View more

What field was your fw coming into Splunk as? And did you have to change logging on mgmt server to get the fw info to be sent to Splunk? ... View more

Thanks maciep, works as expected after adding 3rd column to my lookup table. ... View more

Is there any way to create SNOW incidents without the use of Service NOW add-on? I want to use the REST API's exposed by SNOW to create the incident but not sure of to call them via alert action. Any comments on this topic would be of great help. ... View more

sorry. open a case to Splunk support. Bye. Giuseppe ... View more

Splunk is running as local system. ... View more

Thanks rich7177. I must have missed that little section at the bottom of the App details page that says log everything to "checkpoint". I have configured the opsec lea add on to log to index checkpoint and data is now populating the Splunk App for Check Point. ... View more