Hello, I want to export audit logs from my firewall to a Splunk server. Do I need to create a VM with a Splunk agent that will forward the logs? Or does the log exporter not need that?
I don't believe you need that. Check out the post below and see if it helps you. My colleague and I did this for a customer a couple of years back.
https://community.checkpoint.com/t5/Management/Log-exporter-amp-Splunk-TLS/m-p/126164#M27609
@the_rock thanks for the reply! I think I phrased my question wrong. I meant: can I specify in my log exporter which index in the Splunk server to send the logs to?
Syntax:
cp_log_export add name <Name> [domain-server {mds | all}] target-server <HostName or IP address of Target Server> target-port <Port on Target Server> protocol {udp | tcp} format {syslog | splunk | cef | leef | generic | json | logrhythm | rsa} [<Optional Arguments>]
Refer also: sk12232
Hey, thanks for the reply! Is there an argument used to specify the index in the Splunk server?
Hi Bob,
normally you define such things at the destination system, i.e. Splunk, in the input config.
I have configured a dedicated UDP port that CP Management logs to, and set on the Splunk side that logs received through this port and from that host go into the dedicated index.
I see. There is another team in charge of Splunk so I can't really do that, but I'll check with them. If I can't, I think I'll have to use a Splunk agent on another machine to specify the index.
Do you know how I can send only a certain type of logs? For example, audit logs.
Thank you.
Hi
<log_types></log_types>: Determines which logs to export based on their type
Regarding the indexer: in our env, this was done on the Splunk side. It depends on your Splunk (audit log/access log/visibility for several teams).
Optionally, you might run several log exporter instances sending to different IPs/ports.
Regards
Let me know if you can't get the syntax right; I have what my colleague and I did for the customer we worked with. Sadly, I don't know what has to be done on the other side (I think we dealt with QRadar), but either way, 3rd party support should be able to get that side of things working.
Hey, my log exporter is working but I see the logs on my Splunk server in JSON format even though the log exporter is sending the logs in syslog format. Do you know why that is? Or maybe do you have an example of how the logs should look in the Splunk server?
Do you have the exact syntax on CP side?
What do you mean?
When I look at the logs from the log exporter that I receive on a VM that is the Splunk agent, I see information that I don't see when I look in the index in the Splunk server.
You can run cp_log_export show from expert mode on mgmt and see what you get. That's the output I was asking for, if you can send it... please blur out any SENSITIVE info.
name: Log_Exporter
enabled: true
target-server: 192.168.10.15
target-port: 514
protocol: udp
format: syslog
read-mode: semi-unified
export-attachment-ids: false
export-link: false
export-attachment-link: false
time-in-milli: false
export-log-position: false
reconnect-interval: Not Configured, using default
That looks right to me. As @Nüüül said, maybe double check with someone on the other side what they are seeing.
Thank you for all the help. Do you know where the logs from the log exporter are saved on the VM (target server)? I mean, what is the path?
Are you referring to the CP or Splunk side?
I'm referring to the side receiving the logs; for me it is a VM that has a Splunk agent installed on it that forwards the logs to the Splunk server. When I use tcpdump on the VM to see the logs I receive from the log exporter I can see information, but when I look in the Splunk server I see the logs in JSON format and I don't see the information I saw when I used tcpdump on the VM.
OK, so you are sending logs to a Splunk (universal) forwarder. It has config files, like inputs.conf:
Configure the universal forwarder using configuration files - Splunk Documentation
Things are defined there, like where to store all the logs, how they are stored, and how they will be transferred to Splunk. I would recommend you check with the admin on that side what is defined there and how logs are saved/processed there.
Hi,
this cannot be said in general; it depends on the config of the target server. According to the Splunk Documentation:
Other ways to get data in - Splunk Documentation
For example, if you have installed an app like Check Point's TA app.
Bob, if possible, can you show us how you configured the log export (i.e. the CLI command with relevant portions like log format)?
At least in R81.20 there is a dedicated Splunk log format.
cp_log_export show
should show you the settings actually set.
And you should check with your Splunk colleague how the data import has been configured.
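A worked example added here, not code from the thread or from Check Point: a small receiver-side check for the situation described above (exporter configured with format syslog and protocol udp, a forwarder VM in between, and Splunk showing something different from what tcpdump shows). It binds a UDP socket the way the forwarder host would, parses the datagram it receives, and lets you select records by field (e.g. the product field) before you compare with what reaches the index. The line layout it parses (an RFC 5424-style header followed by a bracketed list of key:"value"; pairs) and the sample datagrams are assumptions constructed for this example, not captured exporter output.

```python
"""Receive and inspect Log Exporter syslog datagrams on the forwarder host.

Assumptions (not taken from the thread): each datagram is one line shaped like
  <PRI>1 <timestamp> <host> <app> <procid> <msgid> [key:"value"; key:"value"; ...]
The sample lines below are constructed for this example.
"""
import re
import socket

# Constructed sample datagrams (hypothetical field names, not real exporter output).
SAMPLE_LINES = [
    '<134>1 2025-09-01T10:15:30Z cp-mgmt CheckPoint 12345 - '
    '[action:"Accept"; ifdir:"inbound"; origin:"192.0.2.10"; '
    'product:"VPN-1 & FireWall-1"; src:"198.51.100.5"; dst:"203.0.113.7"; service:"443"]',
    '<134>1 2025-09-01T10:16:02Z cp-mgmt CheckPoint 12345 - '
    '[action:"Log In"; administrator:"admin"; client_ip:"192.0.2.50"; '
    'origin:"192.0.2.10"; product:"SmartConsole"; operation:"Log In"]',
    'garbage line that should be rejected',
]

HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<timestamp>\S+) (?P<host>\S+) '
    r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) \[(?P<fields>.*)\]$'
)
FIELD_RE = re.compile(r'(?P<key>[^:;\[\] ]+):"(?P<value>[^"]*)"')


def parse_line(line):
    """Return a dict of header values plus the exported fields, or None when the
    line does not match the assumed layout (so junk is rejected, not guessed)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    record = {k: v for k, v in m.groupdict().items() if k != 'fields'}
    pri = int(record.pop('pri'))
    # Syslog PRI encodes facility*8 + severity; <134> is local0/informational.
    record['facility'], record['severity'] = divmod(pri, 8)
    for f in FIELD_RE.finditer(m.group('fields')):
        record[f.group('key')] = f.group('value')
    return record


def select(records, **criteria):
    """Keep only records whose fields equal every criterion, e.g.
    select(records, product='SmartConsole') to isolate admin-activity records
    before checking whether they also appear in the Splunk index."""
    return [r for r in records if all(r.get(k) == v for k, v in criteria.items())]


def receive_one(sock, bufsize=65535):
    """Read one datagram from a bound UDP socket and parse it. Bind on the port
    the exporter targets (514 in the thread) to see exactly what arrives."""
    data, _ = sock.recvfrom(bufsize)
    return parse_line(data.decode('utf-8', errors='replace'))


def loopback_roundtrip(line):
    """Self-check: send one line over loopback UDP and return what the receiver
    parsed, mirroring the tcpdump-on-the-VM comparison without network access."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        srv.bind(('127.0.0.1', 0))  # ephemeral port, loopback only
        cli.sendto(line.encode('utf-8'), srv.getsockname())
        srv.settimeout(5)
        return receive_one(srv)
    finally:
        srv.close()
        cli.close()


if __name__ == '__main__':
    parsed = [r for r in map(parse_line, SAMPLE_LINES) if r]
    print(len(parsed), 'of', len(SAMPLE_LINES), 'sample lines parsed')
    for r in select(parsed, product='SmartConsole'):
        print('admin activity:', r['administrator'], r['operation'], 'from', r['client_ip'])
    print('loopback check:', loopback_roundtrip(SAMPLE_LINES[0])['action'])
```

Usage on the forwarder VM would be to bind a socket on the exporter's target port (as root for 514) and loop over receive_one, writing the parsed dicts to a file; if the fields are present there but missing in Splunk, the loss is in the forwarder's inputs.conf or the index-time processing, not in the exporter.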