bob111
Contributor

Log Exporter exporting to splunk

Hello, I want to export audit logs from my firewall to a Splunk server. Do I need to create a VM with a Splunk agent that will forward the logs? Or does the log exporter not need that?

20 Replies
the_rock
Legend

I don't believe you need that. Check out the post below and see if it helps you. My colleague and I did this for a customer a couple of years back.

https://community.checkpoint.com/t5/Management/Log-exporter-amp-Splunk-TLS/m-p/126164#M27609

bob111
Contributor

@the_rock thanks for the reply! I think I phrased my question wrong: I meant, can I specify in my log exporter which index on the Splunk server to send the logs to?

Chris_Atkinson
Employee

Syntax:

cp_log_export add name <Name> [domain-server {mds | all}] target-server <HostName or IP address of Target Server> target-port <Port on Target Server> protocol {udp | tcp} format {syslog | splunk | cef | leef | generic | json | logrhythm | rsa} [<Optional Arguments>]

Refer also: sk12232

CCSM R77/R80/ELITE
bob111
Contributor

Hey, thanks for the reply! Is there an argument used to specify the index on the Splunk server?

Nüüül
Advisor

Hi Bob,


Normally you define such things on the destination system, i.e. Splunk, in the input config.
I have configured a dedicated UDP port that CP Management logs to, and set on the Splunk side that logs received through this port and from that host go into the dedicated index.

bob111
Contributor

I see. There is another team in charge of Splunk, so I can't really do that, but I'll check with them; if I can't, I think I'll have to use a Splunk agent on another machine to specify the index.

Do you know how I can send only a certain type of logs? For example, audit logs.

Thank you.

S_E_
Advisor

Hi

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

<log_types></log_types> Determines which logs to export based on their type


Regarding the indexer: in our env, this was done on the Splunk side. It depends on your Splunk setup (audit log/access log/visibility for several teams).

Optionally, you might run several log exporter instances sending to different IPs/ports.

Regards


the_rock
Legend

Let me know if you can't get the syntax right; I have what my colleague and I did for this customer we worked with. Sadly, I don't know what has to be done on the other side (I think we dealt with QRadar), but either way, 3rd party support should be able to get that side of things working.

bob111
Contributor

Hey, my log exporter is working, but I see the logs on my Splunk server in a JSON format even though the log exporter is sending the logs in syslog format. Do you know why that is? Or maybe do you have an example of how the logs should look on the Splunk server?

the_rock
Legend

Do you have the exact syntax on CP side?

bob111
Contributor

What do you mean?

When I look at the logs from the log exporter that I receive on a VM that is the Splunk agent, I see information that I don't see when I look in the index on the Splunk server.

the_rock
Legend

You can run cp_log_export show from expert mode on the mgmt and see what you get. That's the output I was asking for, if you can send it... please blur out any SENSITIVE info.

bob111
Contributor

name: Log_Exporter
enabled: true
target-server: 192.168.10.15
target-port: 514
protocol: udp
format: syslog
read-mode: semi-unified
export-attachment-ids: false
export-link: false
export-attachment-link: false
time-in-milli: false
export-log-position: false
reconnect-interval: Not Configured, using default

the_rock
Legend

That looks right to me. As @Nüüül said, maybe double check with someone on the other side what they are seeing.

bob111
Contributor

Thank you for all the help. Do you know where the logs from the log exporter are saved on the VM (target server)? I mean, what is the path?

the_rock
Legend

Are you referring to CP or Splunk side?

bob111
Contributor

I'm referring to the side receiving the logs; for me it is a VM that has a Splunk agent installed on it that forwards the logs to the Splunk server. When I use tcpdump on the VM to see the logs I receive from the log exporter I can see information, but when I look on the Splunk server I see the logs in a JSON format and I don't see the information I saw when I used tcpdump on the VM.

Nüüül
Advisor

OK, so you are sending logs to a Splunk (universal) forwarder. It has config files on it:

like inputs.conf
Configure the universal forwarder using configuration files - Splunk Documentation

There, things are defined like where to store all the logs, how they are stored, and how they will be transferred to Splunk. I would recommend you check with the admin on that side what is defined there and how logs are saved/processed there.


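The forwarder-side piece of what Nüüül describes (a dedicated UDP port routed into a dedicated index), as an added example of a universal forwarder inputs.conf stanza; it is not from this thread, from Check Point or from Splunk. The port matches the exporter's target-port 514/udp shown earlier in the thread; the index name, sourcetype and management server address are assumptions.

```ini
# Added example (not from the thread): inputs.conf on the Splunk universal
# forwarder that receives the Log Exporter stream. Listen on the dedicated
# UDP port the exporter targets and tag everything that arrives there.
[udp://514]
# Only accept datagrams from the Check Point management server that runs
# Log Exporter (address is a placeholder; use your management server's IP)
acceptFrom = 192.0.2.10
# Record the sender's IP as "host" instead of resolving it through DNS
connection_host = ip
# Sourcetype the Check Point add-on for Splunk expects for Log Exporter
# data (assumption: adjust if your Splunk team uses a different one)
sourcetype = cp_log
# Dedicated index for this feed; it must already exist on the indexer,
# the forwarder does not create it (index name is a placeholder)
index = checkpoint
# Log Exporter already carries its own timestamp, so do not let the
# forwarder prepend another one to each datagram
no_appending_timestamp = true
disabled = 0
```

outputs.conf on the same forwarder still has to point at the indexers, and the Splunk team has to create the index before events arrive, since data sent to a nonexistent index is dropped by default.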
Nüüül
Advisor

Hi,

That cannot be said in general; it depends on the config of the target server. According to the Splunk documentation:
Other ways to get data in - Splunk Documentation

For example, if you have installed an app like Check Point's TA app.


Nüüül
Advisor

Bob, if possible, can you show us how you configured the log export (i.e. the CLI command with the relevant portions, like the log format)?
At least in 81.20 there is a dedicated Splunk log format.

cp_log_export show

should show you the settings that are actually set.

And you should check with your Splunk colleague how the data import has been configured.
