Hello all,
I’m happy to announce a new Splunk app for Check Point logs.
Check Point brings you an advanced and real-time threat analysis and reporting tool for Splunk. The Check Point App for Splunk allows you to respond to security risks immediately and gain true network insights.
You can collect and analyze millions of logs from all Check Point technologies and platforms across networks, Cloud, Endpoints and Mobile.
Key features are:
The app can be downloaded from Splunk base: Check Point App for Splunk | Splunkbase
For any question, comment or suggestion, please contact cp_splunk_app_support@checkpoint.com.
Thank you!
Dan Zada, Group Manager.
Do we have to use the new Log Exporter to take full advantage of the new Splunk App?
Yes, you have to use the new log exporter.
Can I not use SmartReport to generate such kinds of views/reports? I do not get the point of using Splunk. Maybe you can explain more specifically.
SmartEvent has most of those views out of the box.
Many customers are using Splunk as another place to keep logs related to ALL security and IT vendors. This is why we created this integration and allowed our customers to export the logs using the log exporter to any SIEM vendor.
I have a few questions:
1. Is Splunk multivendor compatible?
2. Does it require an additional license to run the Splunk App?
3. Can it also be used to pull out health check reports on physical & virtual firewalls/VPNs? (CPU, Memory Utilization, disk space, traffic volume and availability etc)
1. Our Splunk app is working on top of Check Point logs.
2. Not that I know of.
3. No, you can only pull logs
Question on #3 - I am trying to pull health status related logs to Splunk. How do I do that?
Awesome! Thanks for sharing!
We've been using the Log Exporter for a few months now. The Check Point logs are getting forwarded to a central syslog server (rsyslog) and then forwarded to Splunk (also via syslog). We've written a custom Splunk Check Point app to split the fields and are using the QOS Dashboards for some nice graphs.
When reading the instructions for the Check Point App for Splunk, it mentions using a "splunk" format (which I don't think was mentioned in the original Log Exporter article):
cp_log_export add name my_exporter target-server 192.168.1.1 target-port 12001 protocol tcp format splunk read-mode semi-unified
My questions are:
Hi,
Regarding your questions:
Hi,
Has there been an RFE raised to export pcap files (packet capture) via Log Exporter to SIEMs - in my case Splunk?
I am referring to Packet Capture for Certain Protections in the IPS has been enabled.
Hi,
Yes, we have RFE for that and it will be released later this year.
We are going to implement that using management APIs, meaning the exporter will add an additional field representing the blob ID to every log. Using the management API you will be able to get the blob.
Stay tuned for more updates in SK122323.
Will this also capture and report on Audit events like who created/deleted/modified what and who logged in etc?
Are there plans to release a Splunk dashboard that would allow us to mimic SmartConsole's Log section? The dashboard announced here is a good overview from the threat side, but it's not a good replacement for SmartConsole. We'd like something that we can search by IP and have the results displayed in a useful manner.
Also in our environment we have found that sending the logs via method TCP creates problems (even after changing the thread count from the default of 12 to just 1) and have resorted to UDP only.
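The two posts above describe a custom Splunk app that splits Log Exporter records (received via rsyslog) into fields, and a wish to search those records by IP. The following is an added example, not code from Check Point, the Splunk app, or either poster: a small field extractor for syslog-wrapped key="value" records plus an IP search over the parsed results. The sample lines are constructed for this example, and the record layout, the "CP:" syslog tag and every field name (src, dst, product, action, protection_name, ...) are assumptions rather than documented Log Exporter output.

```python
import re

# Constructed sample records (not captured from a real Log Exporter). They mimic a
# syslog header followed by space-separated key="value" pairs; the field names and
# the "CP:" tag are assumptions made for this example.
SAMPLE_LINES = [
    '<134>Jul 10 09:15:02 mlm01 CP: time="1562750102" product="Firewall" action="Accept" '
    'src="10.1.1.5" dst="10.2.2.9" proto="6" service="443" rule_name="Web Out"',
    '<134>Jul 10 09:15:03 mlm01 CP: time="1562750103" product="IPS" action="Prevent" '
    'src="203.0.113.7" dst="10.2.2.9" protection_name="Bad \\"thing\\" sig" severity="High"',
    'garbage line with no fields',
]

# Syslog header: <PRI>Mon dd hh:mm:ss host TAG: payload
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) (?P<tag>[^:]+): (?P<payload>.*)$'
)
# key="value"; backslash escapes are allowed inside the quoted value, so a value
# containing spaces or escaped quotes is kept as one field instead of being split.
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_line(line):
    """Return a dict of fields for one record, or None if the header does not match."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {"syslog_pri": int(m.group("pri")), "syslog_host": m.group("host")}
    for key, raw in KV_RE.findall(m.group("payload")):
        # Undo backslash escaping in a single pass (\" -> ", \\ -> \)
        rec[key] = re.sub(r'\\(.)', r'\1', raw)
    return rec


def parse_lines(lines):
    """Parse every line, silently dropping lines that are not records."""
    records = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            records.append(rec)
    return records


def search_by_ip(records, ip):
    """Records where the given address appears as source or destination."""
    return [r for r in records if ip in (r.get("src"), r.get("dst"))]


if __name__ == "__main__":
    recs = parse_lines(SAMPLE_LINES)
    for r in search_by_ip(recs, "10.2.2.9"):
        print(r["time"], r["product"], r["action"], r["src"], "->", r["dst"])
```

Running the block lists both constructed records, since both have 10.2.2.9 as destination, while the non-record line is dropped. In a Splunk app the same extraction would normally be expressed as a props.conf/transforms.conf regex rather than Python, but the regex for the quoted value is the part that matters: splitting on spaces alone would break any field whose value contains a space.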
I'm curious on the TCP problems:
Do you mean performance issues? Please elaborate on any log-exporter TCP related issues you had.
We would see only 1 or 2 of the 12 threads establishing TCP sockets. We did have some CLMs that would complete all 12 sockets, but in general it was unstable. We were never able to determine conclusively whether it was on the MLM side or the Splunk side. There is a TAC case open (6-0001798729) on it along with a CFG task. There is a tcpdump in the SR; we saw SYN-ACKs coming back but never being ACK'd.
Hello everyone,
According to Splunkbase the app only supports Splunk 7.2.
Has anyone tried it out on 7.3+? Are there any known issues? Is an update planned to support the most current Splunk versions?
Cheers
Hi,
The app is supported on 7.3.
A new version should be released soon.
Shay
Just installed it on Splunk 7.3.2.
Started the log exporter and everything worked within 5 minutes.
Hello Dan_Zada, may I ask whether the target_server that you send to is a Splunk Indexer? Could we get rid of the Splunk Forwarder on the source side and send directly to a Splunk Indexer? Is a Splunk Forwarder a must for this add-on?