I need to understand how the “lea-loggrabber-splunk-linux-4x-42928” application functions.
I need to ensure that if a link between Splunk and the Checkpoint SMART Centre goes down, when it comes back up (maybe days later), that Splunk will go back to where it left off and not lose any events (unless of course Checkpoint has deleted the Log).
This is the functionality I am informed would be required.
In lea _new _session you choose to read in online mode and choose to start reading where they left off, say at position x in log file ID x, then the client reads to the end of file of that log file and then begins at the start of the next file in the fw.logtrack file until they have reached the end of the most recent log file. At that point, the LEA client waits for new events.
Can anyone confirm this is how it works?
Thanks
Wilf
... View more