Splunk® Supported Add-ons

Splunk Add-on for Check Point Log Exporter

Configure inputs

Configure a syslog input using Splunk Connect for Syslog

Splunk recommends using Splunk Connect for Syslog to configure syslog inputs. To configure inputs using Splunk Connect for Syslog, see the documentation at https://splunk.github.io/splunk-connect-for-syslog/main/sources/vendor/Checkpoint/logexporter_5424/.

Configure a syslog input with Splunk Web

  1. Configure a syslog input as described in Add a network input using Splunk Web.
  2. Set the sourcetype as cp_log/cp_log:syslog.

Configure a syslog input via Backend

  1. Open or create $SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint_log_exporter/local/inputs.conf.
  2. If you are using TCP, copy and paste the following stanza into the file and replace the placeholder with your configured sourcetype (one of the two listed):
    [tcp://514]
    sourcetype = <cp_log|cp_log:syslog>
    disabled = false
  3. If you are using UDP, copy and paste the following stanza into the file and replace the placeholder in the same way:
    [udp://514]
    sourcetype = <cp_log|cp_log:syslog>
    disabled = false
  4. If you are using forwarders, configure forwarding by defining tcp outputs and then enabling a receiver.
  5. Restart the Splunk platform. If you have a distributed deployment, restart your forwarder and indexers.
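A common slip with the stanzas above is pasting them with the <cp_log|cp_log:syslog> placeholder left in, or with disabled still set to true. The following validator is an added example (not part of the add-on or of Splunk's documentation) that reads an inputs.conf as plain text with Python's standard library and reports such problems per stanza; the sample file content is constructed.

```python
import configparser
import re

# Sourcetypes this add-on documents for the syslog input.
ALLOWED_SOURCETYPES = {"cp_log", "cp_log:syslog"}
# Stanza headers the procedure uses: [tcp://<port>] or [udp://<port>].
STANZA_RE = re.compile(r"^(tcp|udp)://(\d{1,5})$")

# Constructed sample: a correct TCP stanza plus a UDP stanza where the
# placeholder from the documentation was pasted literally.
SAMPLE_INPUTS_CONF = """\
[tcp://514]
sourcetype = cp_log:syslog
disabled = false

[udp://514]
sourcetype = <cp_log|cp_log:syslog>
disabled = false
"""


def check_inputs_conf(text):
    """Return a list of (stanza, problem) tuples; an empty list means every stanza looks right."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep option names exactly as written
    parser.read_string(text)
    problems = []
    for stanza in parser.sections():
        match = STANZA_RE.match(stanza)
        if not match:
            problems.append((stanza, "stanza is not of the form [tcp://<port>] or [udp://<port>]"))
            continue
        port = int(match.group(2))
        if not 1 <= port <= 65535:
            problems.append((stanza, f"port {port} is out of range"))
        sourcetype = parser.get(stanza, "sourcetype", fallback=None)
        if sourcetype is None:
            problems.append((stanza, "sourcetype is missing"))
        elif sourcetype.startswith("<"):
            problems.append((stanza, f"placeholder {sourcetype} was not replaced"))
        elif sourcetype not in ALLOWED_SOURCETYPES:
            problems.append((stanza, f"sourcetype {sourcetype!r} is not one the add-on parses"))
        if parser.get(stanza, "disabled", fallback="false").strip().lower() not in ("false", "0"):
            problems.append((stanza, "input is disabled"))
    return problems


if __name__ == "__main__":
    for stanza, problem in check_inputs_conf(SAMPLE_INPUTS_CONF):
        print(f"{stanza}: {problem}")
```

Run it against $SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint_log_exporter/local/inputs.conf before restarting; an empty result means the stanzas match what the procedure expects.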


Verify your input is working

If you have a distributed deployment, run the following search on your search head to check that the Splunk platform is indexing events from your Check Point Log Exporter logs:

index=* sourcetype=cp_log*

Last modified on 15 February, 2024

This documentation applies to the following versions of Splunk® Supported Add-ons: released
