We've been using the Log Exporter for a few months now. The Checkpoint logs are getting forwarded to a central syslog server (rsyslog) and then forwarded to Splunk (also via syslog). We've written a custom Splunk checkpoint app to split the fields and are using the QOS Dashboards for some nice graphs.
When reading the instructions for the Checkpoint App for Splunk, it mentions using a "splunk" format (which I don't think got mentioned in the original Log Exporter article):
cp_log_export add name my_exporter target-server 192.168.1.1 target-port 12001 protocol tcp format splunk read-mode semi-unified
My questions are:
- Can we still use the central syslog server as an intermediate step before shipping the logs to Splunk using the "splunk" format?
- Does the Check Point 'cache' the logs if there is a network or splunk server issue?
- Is there any loss in functionality if we can use the syslog as an intermediate step?
- How does the 'splunk' format differ from the 'syslog' format?
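For reference, here is an added example of the intermediate rsyslog hop described in the post (Check Point Log Exporter -> rsyslog -> Splunk); it is not from the original post, Check Point, or Splunk documentation. It assumes rsyslog receives the exporter's TCP stream on port 514, forwards to a Splunk TCP input on the post's target port 12001 at an assumed indexer address 10.0.0.5, and spools to an assumed work directory /var/spool/rsyslog. The disk-assisted queue only covers the rsyslog-to-Splunk leg: it keeps events on disk while the Splunk listener is unreachable and replays them afterwards, and says nothing about whether the Check Point side itself caches.

```conf
# Added example (not the original post's configuration). Assumed values:
# listen port 514/tcp, Splunk indexer 10.0.0.5 on 12001/tcp, spool dir below.
global(workDirectory="/var/spool/rsyslog")

# Receive the Log Exporter TCP stream and hand it to a dedicated ruleset so
# Check Point events bypass the default local-file rules.
module(load="imtcp")
input(type="imtcp" port="514" ruleset="checkpoint")

ruleset(name="checkpoint") {
    action(
        type="omfwd"
        target="10.0.0.5"
        port="12001"
        protocol="tcp"
        # Disk-assisted queue: when Splunk is unreachable, events are written
        # to disk rather than dropped, and forwarded once the link is back.
        queue.type="LinkedList"
        queue.filename="cp_to_splunk"
        queue.maxDiskSpace="2g"
        queue.saveOnShutdown="on"
        # Retry the connection indefinitely instead of discarding the batch.
        action.resumeRetryCount="-1"
        action.resumeInterval="10"
    )
}
```

Validate the syntax with `rsyslogd -N1` before restarting the service; a quick test of the buffering is to stop the Splunk input, send a few events, confirm the `cp_to_splunk` queue files appear in the work directory, then restart the input and check they drain.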