icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading Add-on for Check Point Log Exporter (CEF)
SHA256 checksum (add-on-for-check-point-log-exporter-cef_101.tgz) 846ec67cb0f1d9083dcfb77409e81892dd899379b35a1bf256909584b666c293
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

Add-on for Check Point Log Exporter (CEF)

Overview
Details
The Check Point CEF Add On For Splunk provides knowledge objects to allow for the Check Point Log Exporter to function within Splunk. This replaces the traditional method of using OPSEC LEA for collecting this data.

October 2018

Table of Contents

OVERVIEW

  • About Check Point CEF Add On For Splunk
  • Release notes
  • Prerequisites and requirements
  • Support

HARDWARE AND SOFTWARE REQUIREMENTS

  • Hardware requirements
  • Splunk Enterprise system requirements

INSTALLATION AND CONFIGURATION

  • Check Point configuration
    • Install Log Exporter
    • Configure syslog export
  • Splunk Configuration
    • Single instance
    • Distributed deployment

KNOWN ISSUES

ACKNOWLEDGEMENTS


OVERVIEW

About Check Point CEF Add On For Splunk

Author Tom Kopchak, Hurricane Labs
App Version 1.0.1
Vendor Products Check Point
Has index-time operations true
Create an index false
Implements summarization false

The Check Point CEF Add On For Splunk provides knowledge objects to allow for the Check Point Log Exporter to function within Splunk. This replaces the traditional method of using OPSEC LEA for collecting this data.

This app supports the new Log Exporter method for Check Point logging. This resolves several limitations of the OPSEC LEA method:
- A Linux heavy forwarder is no longer required for bringing in Check Point logs. All Splunk platforms are supported.
- The OPSEC LEA forwarder is no longer a single point of failure for Check Point logging. This method supports all syslog redundancy mechanisms.
- There is not a gap in logging that occurs during a logrotate on the management server (this commonly resulted in missing logs occurring daily at midnight).

Release notes

Version 1.0.1 is the second release. It adds support for audit logging and contains minor edits to version 1.0.0.

About this release

Version 1.0.1 of the Check Point CEF Add On For Slunk For Splunk is compatible with:

Splunk Enterprise versions 6.6, 7.0, 7.1, 7.2
Platforms Platform independent
Vendor Products Check Point Management Server, Check Point R77.30, R80.10, R80.20
Vendor Tools Log Exporter - Check Point Log Export (see sk122323)
Lookup file changes None
Prerequisites and Requirements

This app requires that the Check Point management server controlling gateways be running a version which supports the Check Point Log Exporter, which is documented in sk122323. At the time of this writing, this includes versions R77.30, R80.10 and R80.20. Gateways do not necessarily need to be running a version supporting the Log Exporter as long as they are centrally logging to a management server or log server capable of running the Log Exporter.

Support

This app is not officially supported by Check Point, Splunk, or Hurricane Labs. Submit an issue on Github: https://github.com/HurricaneLabs/TA-checkpoint-cef/issues

HARDWARE AND SOFTWARE REQUIREMENTS

Hardware requirements

Check Point CEF Add On For Splunk supports the following server platforms in the versions supported by Splunk Enterprise:

  • Platform independent (knowledge objects only)

Splunk Enterprise system requirements

Because this add-on runs on Splunk Enterprise, all of the Splunk Enterprise system requirements apply.

INSTALLATION AND CONFIGURATION

Note: it is recommended that a dedicated syslog receiver (such as syslog-ng) be used to collect the data associated with this app, as opposed to a direct TCP/UDP input in Splunk. TCP is recommended over UDP for this data input.

Check Point configuration

Install Log Exporter

  1. Follow the installation instructions for your version of Check Point detailed in sk122323.
  2. After completing the Splunk configuration below, configure the Log Exporter to forward logs to your Splunk environment. CEF format should be specified in the cp_log_export command.

Splunk Configuration

Single-instance

Install to search head

  1. Install the app.
  2. Configure Splunk to receive and ingest the syslog data from the Check Point management server, as appropriate in your environment.

Distributed environment

Install to search head and the first Splunk Enterprise system to receive data

The app has index-time sourcetyping operations. This app should be deployed to your search head as well as the first Splunk Enterprise system to receive your data. If you are receiving syslog on a Universal Forwarder, this app should be installed on the indexing tier. If you are receiving syslog on a Heavy Forwarder, this app should be installed on the Heavy Forwarder.

  1. Install the app.
  2. Configure Splunk to receive and ingest the syslog data from the Check Point management server, as appropriate in your environment.

Known Issues

  • Several field extractions are currently untested

Acknowledgements

Release Notes

Version 1.0.1
Sept. 13, 2018

See GitHub for the app source: https://github.com/HurricaneLabs/TA-checkpoint-cef

182
Installs
829
Downloads
Share Subscribe LOGIN TO DOWNLOAD

Subscribe Share

AppInspect Tooling

Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 50GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
© 2005-2019 Splunk Inc. All rights reserved.
Splunk®, Splunk>®, Listen to Your Data®, The Engine for Machine Data®, Hunk®, Splunk Cloud™, Splunk Light™, SPL™ and Splunk MINT™ are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.