Trying to collect Remote Access VPN access info to send them via OPSEC to my splunk siem, however can't figure out whom user is logging cause I get the "*** Confidential ***" in the user_name field.
Most likely the OPSEC Application doesn't have permissions to read log fields, i.e. check the OPSEC App LEA permissions tab or maybe the connection is configured to be clear rather than SSLCA. The answer is probably in sk101570: Some fields in logs on 3rd party LEA OPSEC client show "*** Confidential ***".
P.S. you may be interested in the new Splunk app that uses Log Exporter instead of LEA: *New* Splunk App for Check Point Logs.
Retrieving data ...