topic Re: Log Exporter exporting to splunk in Firewall and Security Management

Log Exporter exporting to splunk

bob111 — Sun, 22 Jan 2023 13:27:19 GMT

Hello, I want to export audit logs from my firewall to a splunk server. do I need to create a vm with a splunk agent that will forward the logs? Or the log exporter does not need that?

Re: Log Exporter exporting to splunk

the_rock — Sun, 22 Jan 2023 15:04:16 GMT

I dont believe you need that. Check out below post, see if it helps you. My colleague and I did this for the customer couple of years back.

https://community.checkpoint.com/t5/Management/Log-exporter-amp-Splunk-TLS/m-p/126164#M27609

Re: Log Exporter exporting to splunk

bob111 — Mon, 23 Jan 2023 07:57:54 GMT

@the_rock thanks for the reply! I think I phrased my my question wrong, I meant can I specify in my log exporter to which index in the splunk server to send the logs to?

Re: Log Exporter exporting to splunk

Chris_Atkinson — Mon, 23 Jan 2023 08:24:43 GMT

Syntax:

cp_log_export add name <Name> [domain-server {mds | all}] target-server <HostName or IP address of Target Server> target-port <Port on Target Server> protocol {udp | tcp} format {syslog | splunk | cef | leef | generic | json | logrhythm | rsa} [<Optional Arguments>]

Refer also: sk12232

Re: Log Exporter exporting to splunk

bob111 — Mon, 23 Jan 2023 08:33:48 GMT

Hey, thanks for the reply! is there an argument used to specify the index in the splunk server?

Re: Log Exporter exporting to splunk

Nüüül — Mon, 23 Jan 2023 08:43:19 GMT

Hi Bob,

normally you define such things at the destination system - ie splunk - at input config.
I have configured a dedicated UDP port, where CP Management is logging to and set at splunk site that logs received through this and from that host into the dedicated index.

Re: Log Exporter exporting to splunk

bob111 — Mon, 23 Jan 2023 09:00:09 GMT

I see. There is another team in charge of splunk so I can't really do that but I'll check with them, if I can't I think I'll have to use a splunk agent on another machine to specify the index,

Do you know how can I send only a certain type of logs? for example audit logs.

Thank you.

Re: Log Exporter exporting to splunk

S_E_ — Mon, 23 Jan 2023 09:22:41 GMT

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122323#Filter%20Configuration

<log_types></log_types> Determines which logs to export based on their type

Regarding indexer. In our env, this was done on splunk side. Depends on your Splunk (audit log/access log/visibility for several teams)

Optional, you might run serveral log exporter instances sending to different IP/ports

Regards

Re: Log Exporter exporting to splunk

the_rock — Mon, 23 Jan 2023 13:38:20 GMT

Let me know if you cant get syntax right, I have what my colleague and I did for this customer we worked with. Sadly, I dont know what has to be done on other side (I think we dealt with Qradar), but either way, 3rd party support should be able to get that side of things working.

Re: Log Exporter exporting to splunk

bob111 — Tue, 24 Jan 2023 12:36:45 GMT

Hey, my log exporter is working but I see the logs on my splunk server in a json format even though the log exporter is sending the logs in a syslog format. Do you know why is that? Or maybe do you have an example of how the logs from should look like in the splunk server?

Re: Log Exporter exporting to splunk

the_rock — Tue, 24 Jan 2023 12:47:33 GMT

Do you have the exact syntax on CP side?

Re: Log Exporter exporting to splunk

bob111 — Tue, 24 Jan 2023 12:56:31 GMT

What do you mean?

When I look at the logs from the log exporter that I receive on a vm that is the splunk agent I see information that I don't see when I look in the index in the splunk server

Re: Log Exporter exporting to splunk

the_rock — Tue, 24 Jan 2023 12:54:29 GMT

You can run cp_log_export show from expert mode on mgmt and see what you get. Thats output I was asking for, if you can send it...please blur out any SENSITIVE info.

Re: Log Exporter exporting to splunk

Nüüül — Tue, 24 Jan 2023 12:58:07 GMT

Bob, if possible, can you show us how you configured the log export (i.e. CLI command with relevant portions like log format)
at least in 81.20 there is an own splunk log format

cp_log_export show

should show you the settings actually set

And you should check with your Splunk Colleague, how the data import has been configured.

Re: Log Exporter exporting to splunk

bob111 — Tue, 24 Jan 2023 13:03:55 GMT

name: Log_Exporter
enabled: true
target-server: 192.168.10.15
target-port: 514
protocol: udp
format: syslog
read-mode: semi-unified
export-attachment-ids: false
export-link: false
export-attachment-link: false
time-in-milli: false
export-log-position: false
reconnect-interval: Not Configured, using default

Re: Log Exporter exporting to splunk

the_rock — Tue, 24 Jan 2023 14:02:12 GMT

That looks right to me. As @Nüüül said, maybe double check with soemone on the other side what they are seeing.

Re: Log Exporter exporting to splunk

bob111 — Wed, 25 Jan 2023 15:16:51 GMT

Thank you for all the help. Do you know where are the logs from the log exporter saved in the vm (target server)? I mean what is the path?

Re: Log Exporter exporting to splunk

the_rock — Wed, 25 Jan 2023 15:52:18 GMT

Are you referring to CP or Splunk side?

Re: Log Exporter exporting to splunk

Nüüül — Wed, 25 Jan 2023 15:50:59 GMT

Hi,

cannot be said in general. it depends on the config of the target server. According Splunk Documentation:
Other ways to get data in - Splunk Documentation

For example, if you have installed an app like Check Points TA app.

Re: Log Exporter exporting to splunk

bob111 — Thu, 26 Jan 2023 09:31:02 GMT

I'm referring to the side receiving the logs, for me it is a vm that has a splunk agent installed on it that forwards the logs to the splunk server. when I use tcpdump on the vm to see the logs I receive from the log exporter I can see information, but when I look in the splunk server I see the logs in a json format and I don't see the information I saw when I used tcpdump on the vm.