Splunk® Supported Add-ons

Splunk Add-on for Check Point Log Exporter



Migrate to Splunk Add-on for Check Point Log Exporter

Migrate from Splunk Add-on for Check Point OPSEC LEA

The Splunk Add-on for Check Point Log Exporter uses the Log Exporter component of Check Point to push syslog data into Splunk.

If the Splunk Add-on for Check Point OPSEC LEA is installed on your deployment, disable the OPSEC LEA inputs before migrating to Splunk Add-on for Check Point Log Exporter. Ingesting data from both add-ons would lead to data duplication in the Splunk instance.

The Splunk Add-on for Check Point Log Exporter uses new sourcetypes to ingest and extract information from the data. Data that was already ingested by the Check Point OPSEC LEA add-on is not converted to the new sourcetypes; it remains searchable under its existing sourcetype.

Follow the steps described in the Configure section to ingest syslog data from Check Point to Splunk.

Migrate from Splunk App for Check Point

The Splunk Add-on for Check Point Log Exporter uses the same sourcetypes as the Check Point App for Splunk for data ingested in the Splunk log format. After installing the Splunk Add-on for Check Point Log Exporter, you might experience degraded performance because the extractions from the add-on and from the app both run on the same data. Significant CIM mapping changes are included in this release to adhere to the CIM standards, and existing content may not correctly include these events.


Configure Check Point Log Exporter to send correct Syslog RFC 5424 format data

This topic describes how to send logs in Syslog format to Splunk. Syslog is the recommended format of data collection and provides better performance than the Splunk log format.

  1. Open the Check Point terminal.
  2. Enter the expert command to log in to expert mode.
  3. Navigate to the configuration directory.
  4. Execute cp SyslogFormatDefinition.xml SyslogRecommendedFormatDefinition.xml
  5. Open SyslogRecommendedFormatDefinition.xml and edit the start_message_body, fields_separatator, and field_value_separatator elements as follows:
    <start_message_body>[sc4s@2620 </start_message_body>
    <fields_separatator> </fields_separatator>
    <field_value_separatator>=</field_value_separatator>
     
  6. .
  7. Copy SyslogRecommendedFormatDefinition.xml into $EXPORTERDIR/targets/<your_log_exporter>/conf.
  8. Open the configuration file $EXPORTERDIR/targets/<your_log_exporter>/targetConfiguration.xml.
  9. Add the reference to SyslogRecommendedFormatDefinition.xml under the formatHeaderFile key. For example, if $EXPORTERDIR=/opt/CPrt-R81/log_exporter, the absolute path becomes <formatHeaderFile>/opt/CPrt-R81/log_exporter/targets/<your_log_exporter>/conf/SyslogRecommendedFormatDefinition.xml</formatHeaderFile>.
  10. Restart the log exporter by executing cp_log_export restart name <your_log_exporter>. If you migrate to a different format, make sure the existing format is disabled first; otherwise the data is duplicated.

Configure Check Point Log Exporter to send Syslog data to Splunk

  1. Enter the expert command on the Check Point server:
    expert
  2. Enter the expert password.
  3. Execute the following command:
    cp_log_export add name exporter_splunk target-server <target-server> target-port <target-port> protocol <tcp|udp> format <syslog|splunk> read-mode semi-unified
  4. Start the export process on your Check Point server:
    cp_log_export restart name exporter_splunk
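The following shell helpers are an added example for the two procedures above (the format-definition edit and the cp_log_export add command); they are not Splunk's or Check Point's own code. They assume that each element of the format-definition XML sits on its own line, and all paths, the exporter name and the 192.0.2.10 target are placeholders. The sample XML written in demo() is a constructed stand-in, not the real SyslogFormatDefinition.xml. The script never executes cp_log_export itself; it only prepares and verifies the inputs so that a restart does not pick up an unedited format file or a malformed command.

```shell
#!/bin/sh
# Added example, not part of the Splunk or Check Point documentation.
# Assumes one XML element per line; all paths and names are placeholders.
set -eu

# Step 5: write a copy of the format definition with the three elements
# rewritten to the recommended values. $1 = source XML, $2 = destination XML.
apply_recommended_format() {
    sed -e 's#<start_message_body>.*</start_message_body>#<start_message_body>[sc4s@2620 </start_message_body>#' \
        -e 's#<fields_separatator>.*</fields_separatator>#<fields_separatator> </fields_separatator>#' \
        -e 's#<field_value_separatator>.*</field_value_separatator>#<field_value_separatator>=</field_value_separatator>#' \
        "$1" > "$2"
}

# Verify that a format definition ($1) carries exactly the three recommended
# values, so a restart does not silently load an unedited copy. Returns 0 on success.
check_recommended_format() {
    grep -qF '<start_message_body>[sc4s@2620 </start_message_body>' "$1" &&
    grep -qF '<fields_separatator> </fields_separatator>' "$1" &&
    grep -qF '<field_value_separatator>=</field_value_separatator>' "$1"
}

# Step 9: the formatHeaderFile element expected in targetConfiguration.xml.
# $1 = $EXPORTERDIR, $2 = log exporter name.
format_header_line() {
    printf '<formatHeaderFile>%s/targets/%s/conf/SyslogRecommendedFormatDefinition.xml</formatHeaderFile>\n' "$1" "$2"
}

# Returns 0 when targetConfiguration.xml ($1) already references the
# recommended format for exporter $3 under $EXPORTERDIR=$2.
has_format_header() {
    grep -qF "$(format_header_line "$2" "$3")" "$1"
}

# Second procedure: validate parameters before running cp_log_export add.
# $1 = exporter name, $2 = target server, $3 = port, $4 = protocol, $5 = format.
# Prints the command on success; returns 1 on an invalid protocol, format or port.
export_add_command() {
    case "$4" in tcp|udp) ;; *) echo "protocol must be tcp or udp" >&2; return 1;; esac
    case "$5" in syslog|splunk) ;; *) echo "format must be syslog or splunk" >&2; return 1;; esac
    case "$3" in ''|*[!0-9]*) echo "port must be numeric" >&2; return 1;; esac
    [ "$3" -ge 1 ] && [ "$3" -le 65535 ] || { echo "port out of range" >&2; return 1; }
    printf 'cp_log_export add name %s target-server %s target-port %s protocol %s format %s read-mode semi-unified\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Demo on a constructed sample file (placeholder values, not the real Check Point file).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/SyslogFormatDefinition.xml" <<'EOF'
<format_definition>
  <start_message_body>old_start</start_message_body>
  <fields_separatator>old_fsep</fields_separatator>
  <field_value_separatator>old_vsep</field_value_separatator>
</format_definition>
EOF
    apply_recommended_format "$tmp/SyslogFormatDefinition.xml" "$tmp/SyslogRecommendedFormatDefinition.xml"
    check_recommended_format "$tmp/SyslogRecommendedFormatDefinition.xml" && echo "format definition OK"
    format_header_line /opt/CPrt-R81/log_exporter exporter_splunk
    export_add_command exporter_splunk 192.0.2.10 514 tcp syslog
    rm -rf "$tmp"
}

demo
```

Run the functions from expert mode against the real $EXPORTERDIR paths; check_recommended_format and has_format_header are the two checks worth repeating after every edit and before the cp_log_export restart in step 10.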
    
Last modified on 15 February, 2024

This documentation applies to the following versions of Splunk® Supported Add-ons: released

