Related Answers
Download topic as PDF
Configure inputs
Configure a syslog input using Splunk Connect for Syslog
Splunk recommends using Splunk Connect for Syslog to configure syslog inputs. To configure inputs using Splunk Connect for Syslog, see the documentation at https://splunk.github.io/splunk-connect-for-syslog/main/sources/vendor/Checkpoint/logexporter_5424/.
Configure a syslog input with Splunk Web
- Configure a syslog input as described in Add a network input using Splunk Web.
- Set the sourcetype as cp_log/cp_log:syslog.
Configure a syslog input via Backend
- Open or create
$SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint_log_exporter/local/inputs.conf. - If you are using TCP, copy and paste the following stanza into the file and select your configured sourcetype among the list:
[tcp://514] sourcetype = <cp_log|cp_log:syslog> disabled = false
- If you are using UDP, copy and paste the following stanza into the file.
<pre> [udp://514] sourcetype =<cp_log|cp_log:syslog> disabled = false
- If you are using forwarders, configure forwarding by defining tcp outputs and then enabling a receiver.
- Restart the Splunk platform. If you have a distributed deployment, restart your forwarder and indexers.
Verify your input is working
If you have a distributed deployment, perform the following search on your Search head to check that the Splunk platform is indexing events from your Checkpoint Log Exporter logs:
index=* sourcetype=cp_log*
Last modified on 15 February, 2024
|
PREVIOUS Migrate to Splunk Add-on for Check Point Log Exporter |
NEXT Troubleshoot |
This documentation applies to the following versions of Splunk® Supported Add-ons: released
Feedback submitted, thanks!