@the_rock thanks for the reply! I think I phrased my my question wrong, I meant can I specify in my log exporter to which index in the splunk server to send the logs to?

Syntax:

cp_log_export add name <Name> [domain-server {mds | all}] target-server <HostName or IP address of Target Server> target-port <Port on Target Server> protocol {udp | tcp} format {syslog | splunk | cef | leef | generic | json | logrhythm | rsa} [<Optional Arguments>]

Refer also: sk12232

Hey, thanks for the reply! is there an argument used to specify the index in the splunk server?

Hi Bob,

normally you define such things at the destination system - ie splunk - at input config.
I have configured a dedicated UDP port, where CP Management is logging to and set at splunk site that logs received through this and from that host into the dedicated index.

I see. There is another team in charge of splunk so I can't really do that but I'll check with them, if I can't I think I'll have to use a splunk agent on another machine to specify the index,

Do you know how can I send only a certain type of logs? for example audit logs.

Thank you.

Hi

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Regarding indexer. In our env, this was done on splunk side. Depends on your Splunk (audit log/access log/visibility for several teams)

Optional, you might run serveral log exporter instances sending to different IP/ports

Regards

Let me know if you cant get syntax right, I have what my colleague and I did for this customer we worked with. Sadly, I dont know what has to be done on other side (I think we dealt with Qradar), but either way, 3rd party support should be able to get that side of things working.

Hey, my log exporter is working but I see the logs on my splunk server in a json format even though the log exporter is sending the logs in a syslog format. Do you know why is that? Or maybe do you have an example of how the logs from should look like in the splunk server?

Do you have the exact syntax on CP side?

What do you mean?

When I look at the logs from the log exporter that I receive on a vm that is the splunk agent I see information that I don't see when I look in the index in the splunk server 

You can run cp_log_export show from expert mode on mgmt and see what you get. Thats output I was asking for, if you can send it...please blur out any SENSITIVE info.

name: Log_Exporter
enabled: true
target-server: 192.168.10.15
target-port: 514
protocol: udp
format: syslog
read-mode: semi-unified
export-attachment-ids: false
export-link: false
export-attachment-link: false
time-in-milli: false
export-log-position: false
reconnect-interval: Not Configured, using default

That looks right to me. As @Nüüül said, maybe double check with soemone on the other side what they are seeing.

Thank you for all the help. Do you know where are the logs from the log exporter saved in the vm (target server)? I mean what is the path?

Are you referring to CP or Splunk side?

I'm referring to the side receiving the logs, for me it is a vm that has a splunk agent installed on it that forwards the logs to the splunk server. when I use tcpdump on the vm to see the logs I receive from the log exporter I can see information, but when I look in the splunk server I see the logs in a json format and I don't see the information I saw when I used tcpdump on the vm.

OK, so you are sending logs to a Splunk (universal) forwarder. They have config files on it:

like inputs.conf
Configure the universal forwarder using configuration files - Splunk Documentation

There are things defined, like where to store all the logs, and how they are stored or how they will be transferred to splunk. I would recommend you to check with the admin on that side, what is defined there and how logs are saved /processed there.

Hi,

cannot be said in general. it depends on the config of the target server. According Splunk Documentation:
Other ways to get data in - Splunk Documentation

For example, if you have installed an app like Check Points TA app.

Bob, if possible, can you show us how you configured the log export (i.e. CLI command with relevant portions like log format)
at least in 81.20 there is an own splunk log format

cp_log_export show

should show you the settings actually set

And you should check with your Splunk Colleague, how the data import has been configured.