I'm trying to get fewer logs from a CheckPoint Firewall (75.4) into a Splunk server (v6).
I just want to have all logs except action=accept.
I tried to change the filter in /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/fw1-loggrabber.conf.
For example, I added FW1_FILTER_RULE="action!=accept"
But I think it doesn't work, because when I run a new search in Splunk, I get lots of new logs with action=accept.
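A Splunk-side check that does not depend on the loggrabber filter taking effect is a nullQueue transform, applied on the indexer or heavy forwarder that parses the OPSEC LEA data (a universal forwarder does not run transforms). This is an added example and not part of the original post or the TA's shipped configuration; the sourcetype name `opsec` and the literal text `action=accept` in the raw event are assumptions that should be confirmed against a real event from the same input before deploying.

```ini
# props.conf (assumed sourcetype; confirm with: index=* sourcetype=* | stats count by sourcetype)
[opsec]
TRANSFORMS-drop_accept = opsec_drop_accept

# transforms.conf
# Assumption: the raw event carries the field as the literal text "action=accept".
# Events matching REGEX are routed to nullQueue and are never indexed.
[opsec_drop_accept]
REGEX = (^|[\s|;,])action=accept($|[\s|;,])
DEST_KEY = queue
FORMAT = nullQueue
```

After restarting the parsing tier, new accept events stop arriving while drop, reject and other actions still index; events already written before the change remain searchable, so verify with a time-bounded search (for example `earliest=-15m`) rather than an all-time one.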