Splunk Add-on for Check Point OPSEC LEA


Configure the Splunk Add-on for Check Point OPSEC LEA using the command line and configuration files

You can configure the Splunk Add-on for Check Point OPSEC LEA using the command line and configuration files or Splunk web. This section describes how to perform the configuration using the command line and configuration files.

To configure the add-on manually, perform the following four steps:

  1. Pull the OPSEC application certificate.
  2. Create an OPSEC LEA connection.
  3. Set the logging level.
  4. Create an input.

Pull the OPSEC application certificate

Prerequisite:

  • TCP port 18210 must be open from the Splunk data-collection node to the Management Server (or CMA). The pull-cert.sh script pulls the certificate over port 18210.

Steps

  1. At the command line on the Splunk node responsible for data collection, go to $SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/bin.
  2. Run the pull-cert.sh script to pull the certificate from the Management Server:
     ./pull-cert.sh <CMA_IP> <OPSEC_app_name> <password> <outputFileName>.p12
     For example:
     ./pull-cert.sh 10.160.27.253 SplunkLEA password test1234_517533425.p12
     Parameters:
    • <CMA_IP> is the CMA IP address (for a stand-alone deployment, the IP address of the Management Server).
    • <OPSEC_app_name> is the OPSEC Application name (for example, SplunkLEA).
    • <password> is the one-time password (activation key) obtained when you created the OPSEC application certificate. Note: The password must not include any of the following special characters: exclamation (!), circumflex accent (^), tilde (~), grave accent (`), quotation ("), and apostrophe ('). Because it is passed as a command-line argument, the activation key is visible in your shell history and, while the script runs, in the process list; it can be used only once, but clear it from the shell history afterwards.
    • <outputFileName> is the output file (*.p12) containing the certificate issued for the application DN as defined in the Management Server.
     The command prints an opsec_sic_name, for example: [CN=SplunkLEA, O=opsec-p1-R7540-demo_Management_Server...3tvqd0] Important: Save the opsec_sic_name exactly as printed (it is case sensitive); you need it when you edit the opseclea_connection.conf configuration file.
  3. View the $SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/certs directory to confirm that <outputFileName>.p12 has been created as specified on the command line. This file holds the add-on's private SIC credential: make sure it is readable only by the user account that Splunk runs as.

Create an OPSEC LEA connection

If you have a standard Check Point Provider-1 environment, you must configure an OPSEC LEA connection for each Customer Management Add-on (CMA) connected to the Multi-Domain Management Server (MDS). The CMA acts as both Log Server (handling log file collection) and Management Server (issuing the OPSEC application certificate). If your Provider-1 environment includes the optional Multi-Domain Log Module (MLM), you must configure an OPSEC LEA connection for each Customer Log Module (CLM) connected to the MLM. In this case, the CLM acts as the Log Server, while the CMA acts as the Management Server.

Steps

  1. Create a file called opseclea_connection.conf in $SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/local.
  2. Create a connection stanza using the example below, specifying the values necessary for your environment and your needs:
    [<connection name>]
    cert_name = <certificate file pulled using the pull-cert.sh script, example: outputFileName.p12>
    certificate = <name of an existing connection whose SIC certificate is reused, if you do not pull a separate one for this connection>
    fw_version = <version of OPSEC LEA: R76, R77 or R80>
    lea_app_name = <application name created on OPSEC LEA Smart Dashboard, example: SplunkLEA>
    lea_server_auth_port = <OPSEC LEA server port, default value is 18184>
    lea_server_auth_type = <sslca or sslca_clear>
    lea_server_ip = <OPSEC LEA server IP address>
    lea_server_type = <OPSEC LEA server type: primary, secondary or dedicated>
    lea_object_name = <name of the Secondary Management Server or Dedicated Server object; required when lea_server_type is secondary or dedicated. Example: manager_server2>
    opsec_entity_sic_name = <example: CN=cp_mgmt,O=r7730-domain1_Management_Server_Management_Server..gtruxt>
    opsec_sic_name = <example: CN=SplunkLEA,O=r7730-domain1_Management_Server_Management_Server..gtruxt>
    

    Note: Both opsec_entity_sic_name and opsec_sic_name are case sensitive.

    Note: For opsec_sic_name, use the opsec_sic_name that was printed when you ran the pull-cert.sh script, exactly as printed.

    Note: With lea_server_auth_type = sslca_clear the two sides authenticate each other with the SIC certificates, but the log stream itself is sent unencrypted. Use sslca unless the Log Server has been set up for sslca_clear and the network path to the Splunk node is trusted.

    Note: opsec_entity_sic_name is the Entity SIC Name of the stand-alone Check Point Manager, the Provider-1 Customer Log Module (CLM), or the Provider-1 Customer Management Add-on (CMA). You can derive it from opsec_sic_name: keep everything after the CN component unchanged and replace only the value of CN, as follows.

    • If the Log Server is activated on the Primary Management Server, replace the value of CN with cp_mgmt.
    • If the Log Server is activated on the Secondary Management Server, replace the value of CN with cp_mgmt_<object_name>, where <object_name> is the name of the Log Server object.
    • If the Log Server is activated on a Dedicated Server, replace the value of CN with <object_name>, where <object_name> is the name of the Log Server object.
    Alternatively, use the Check Point database tool, GuiDBedit, to look up the Entity SIC Name.
  3. Add a stanza with a unique name for each connection you would like to create and save the file.
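The following Python script is an added example, not code from the add-on or from this page. It checks an activation key against the character restriction from the pull-cert.sh step, derives opsec_entity_sic_name from the opsec_sic_name that pull-cert.sh prints by applying the CN replacement rules above, and renders a connection stanza that it then reads back with Python's configparser to confirm Splunk's .conf parser will see the same values. The function names, the use of configparser, and every sample value (SIC names, IP address, certificate file name) are assumptions made for the example.

```python
"""Derive and validate the values that go into an opseclea_connection.conf stanza (example, not the add-on's code)."""
import re
from configparser import ConfigParser

# Characters the one-time activation key must not contain when passed to pull-cert.sh.
FORBIDDEN_KEY_CHARS = set("!^~`\"'")

VALID_FW_VERSIONS = {"R76", "R77", "R80"}
VALID_AUTH_TYPES = {"sslca", "sslca_clear"}
VALID_SERVER_TYPES = {"primary", "secondary", "dedicated"}

# A SIC name as pull-cert.sh prints it: CN=<app>,O=<management server>...<suffix>
_SIC_NAME = re.compile(r"^CN=([^,]+),\s*(.+)$")


def activation_key_is_safe(key: str) -> bool:
    """True if the one-time password uses none of the characters pull-cert.sh rejects."""
    return bool(key) and not (set(key) & FORBIDDEN_KEY_CHARS)


def _normalize_sic(sic: str) -> str:
    # pull-cert.sh prints the name inside square brackets; strip those and surrounding whitespace.
    return sic.strip().strip("[]").strip()


def entity_sic_name(opsec_sic_name: str, lea_server_type: str, lea_object_name: str = "") -> str:
    """Build opsec_entity_sic_name from opsec_sic_name.

    Everything after the CN component is kept verbatim (it is case sensitive); only the CN
    value changes:  primary -> cp_mgmt,  secondary -> cp_mgmt_<object>,  dedicated -> <object>.
    """
    m = _SIC_NAME.match(_normalize_sic(opsec_sic_name))
    if not m:
        raise ValueError(f"expected 'CN=<name>,O=<org>...', got {opsec_sic_name!r}")
    rest = m.group(2)
    if lea_server_type == "primary":
        cn = "cp_mgmt"
    elif lea_server_type in ("secondary", "dedicated"):
        if not lea_object_name:
            raise ValueError(f"lea_object_name is required when lea_server_type is {lea_server_type}")
        cn = f"cp_mgmt_{lea_object_name}" if lea_server_type == "secondary" else lea_object_name
    else:
        raise ValueError(f"lea_server_type must be one of {sorted(VALID_SERVER_TYPES)}")
    return f"CN={cn},{rest}"


def connection_stanza(name, *, cert_name, fw_version, lea_app_name, lea_server_ip, opsec_sic_name,
                      lea_server_type="primary", lea_object_name="",
                      lea_server_auth_port=18184, lea_server_auth_type="sslca") -> str:
    """Render one [<connection name>] stanza, refusing values the add-on does not accept."""
    if fw_version not in VALID_FW_VERSIONS:
        raise ValueError(f"fw_version must be one of {sorted(VALID_FW_VERSIONS)}")
    if lea_server_auth_type not in VALID_AUTH_TYPES:
        raise ValueError(f"lea_server_auth_type must be one of {sorted(VALID_AUTH_TYPES)}")
    if not cert_name.endswith(".p12"):
        raise ValueError("cert_name should be the .p12 file written by pull-cert.sh")
    sic = _normalize_sic(opsec_sic_name)
    entity = entity_sic_name(sic, lea_server_type, lea_object_name)
    lines = [
        f"[{name}]",
        f"cert_name = {cert_name}",
        f"fw_version = {fw_version}",
        f"lea_app_name = {lea_app_name}",
        f"lea_server_auth_port = {lea_server_auth_port}",
        f"lea_server_auth_type = {lea_server_auth_type}",
        f"lea_server_ip = {lea_server_ip}",
        f"lea_server_type = {lea_server_type}",
    ]
    if lea_object_name:
        lines.append(f"lea_object_name = {lea_object_name}")
    lines += [f"opsec_entity_sic_name = {entity}", f"opsec_sic_name = {sic}"]
    return "\n".join(lines) + "\n"


def parse_stanzas(text: str) -> dict:
    """Read the rendered file back, preserving key case the way Splunk's .conf parser does."""
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


if __name__ == "__main__":
    # Constructed values mirroring the page's examples; not taken from a real deployment.
    sic = "CN=SplunkLEA,O=r7730-domain1_Management_Server_Management_Server..gtruxt"
    print(connection_stanza("cma1", cert_name="test1234_517533425.p12", fw_version="R77",
                            lea_app_name="SplunkLEA", lea_server_ip="10.160.27.253",
                            opsec_sic_name=sic))
```

Run it once per CMA or CLM and paste the printed stanza into local/opseclea_connection.conf; the ValueError cases (missing lea_object_name for a secondary or dedicated Log Server, an unsupported auth type or version) are exactly the mistakes that otherwise show up only as a failed connection at input time.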

Set logging level

The default Log Level is INFO. Change this setting to DEBUG or ERROR if desired.

  1. Create a file called opseclea_settings.conf in $SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/local.
  2. Add the following stanza and specify a log level: INFO, DEBUG, or ERROR.
    [logging]
    level = DEBUG
    
  3. Save the file.

Create an input

  1. Create a file called opseclea_inputs.conf in $SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/local.
  2. Create an input stanza using the example below, specifying the values necessary for your environment and your needs:
    [<input name>]
    connection = <connection name from opseclea_connection.conf>
    data = <data to fetch: non_audit (Non-Audit), fw (Firewall Events), audit (Firewall Audit), smartdefense (SmartDefense), or vpn (VPN)>
    index = <index to use for the fetched data>
    interval = <input interval in seconds>
    mode = <input mode: offline or online>
    disabled = <0 = enabled; 1 = disabled>
    host = <value to use for the host field in Splunk events (optional)>
    starttime = <start time to fetch data from, in the format YYYY-MM-DDThh:mm:ssTZD (optional). Example: 2016-06-01T00:00:00+08:00>
    noresolve = <0 = off; 1 = on. Passes the --no-resolve argument to loggrabber, so addresses in the records are not resolved to Check Point object names>
    field_black_list = <comma-separated list of fields to drop from every event before it is indexed. Example: sent_bytes,short_desc>
    filter = <conditions separated by semicolons. As in the example, a condition of the form field=value,value keeps only records whose field has one of the listed values, and field!=value,value excludes records whose field has one of them. Example: product=New Anti Virus,Policy Server,Linux OS;orig!=123.22.22.22,124.34.234.2>
  3. Add a stanza with a unique name for each input you would like to create and save the file.

Note: To find the exact field names to use in field_black_list, run the following search against data the input has already collected:

index=<index-name> sourcetype=<source-type> | table _raw

Locate the field in the raw event that you want to block and use its name as it appears there. Refer to the LEA Fields reference to verify the field names.
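As an added example (not code from the add-on or this page), the following Python applies the filter and field_black_list settings shown above to a few constructed LEA-style records, so you can see which records survive and which fields are dropped before committing a filter to opseclea_inputs.conf. The grammar it implements is an assumption read from the page's example (semicolons separate clauses, commas separate alternative values, = keeps matching records and != excludes them, and a record that lacks the field fails an = clause but passes a != clause); the add-on's own matching may differ. The sample records are constructed and are not real log data.

```python
"""Apply an opseclea_inputs.conf filter and field_black_list to sample records (example, not the add-on's code)."""
from typing import Dict, List, Tuple

# One parsed clause: (field, negated, list of values)
Condition = Tuple[str, bool, List[str]]


def parse_filter(expr: str) -> List[Condition]:
    """Parse 'field=v1,v2;other!=v3' into conditions (grammar assumed from the page's example)."""
    conds: List[Condition] = []
    for clause in (c.strip() for c in expr.split(";")):
        if not clause:
            continue
        if "!=" in clause:
            field, _, raw = clause.partition("!=")
            negated = True
        elif "=" in clause:
            field, _, raw = clause.partition("=")
            negated = False
        else:
            raise ValueError(f"clause has no '=' or '!=': {clause!r}")
        values = [v.strip() for v in raw.split(",") if v.strip()]
        if not field.strip() or not values:
            raise ValueError(f"empty field name or value list in {clause!r}")
        conds.append((field.strip(), negated, values))
    return conds


def matches(record: Dict[str, str], conds: List[Condition]) -> bool:
    """Every clause must hold. A missing field fails an '=' clause and passes a '!=' clause."""
    for field, negated, values in conds:
        hit = record.get(field) in values
        if hit == negated:          # '=' clause with no hit, or '!=' clause with a hit
            return False
    return True


def strip_fields(record: Dict[str, str], field_black_list: str) -> Dict[str, str]:
    """Drop the fields named in field_black_list before the record is indexed."""
    blocked = {f.strip() for f in field_black_list.split(",") if f.strip()}
    return {k: v for k, v in record.items() if k not in blocked}


def process(records: List[Dict[str, str]], filter_expr: str, field_black_list: str) -> List[Dict[str, str]]:
    """Filter first, then blacklist, as an input would before handing events to Splunk."""
    conds = parse_filter(filter_expr)
    return [strip_fields(r, field_black_list) for r in records if matches(r, conds)]


# Constructed sample records shaped like LEA fields; not real log data.
SAMPLE_RECORDS = [
    {"time": "1Jun2016 10:00:01", "product": "Policy Server", "orig": "10.0.0.5",
     "action": "accept", "sent_bytes": "1200", "short_desc": "policy fetch"},
    {"time": "1Jun2016 10:00:02", "product": "Policy Server", "orig": "123.22.22.22",
     "action": "accept", "sent_bytes": "80", "short_desc": "excluded origin"},
    {"time": "1Jun2016 10:00:03", "product": "VPN-1 & FireWall-1", "orig": "10.0.0.7",
     "action": "drop", "sent_bytes": "0", "short_desc": "product not listed"},
    {"time": "1Jun2016 10:00:04", "product": "Linux OS", "orig": "10.0.0.9",
     "action": "accept", "sent_bytes": "512", "short_desc": "os event"},
]

# The two settings exactly as they appear in the page's example stanza.
PAGE_FILTER = "product=New Anti Virus,Policy Server,Linux OS;orig!=123.22.22.22,124.34.234.2"
PAGE_BLACK_LIST = "sent_bytes,short_desc"

if __name__ == "__main__":
    for rec in process(SAMPLE_RECORDS, PAGE_FILTER, PAGE_BLACK_LIST):
        print(rec)
```

With the page's settings, the first and fourth sample records survive (the second is excluded by orig!=, the third by product=) and both reach the output without sent_bytes or short_desc. Dropping fields this way reduces index volume but also removes them from later searches, so keep the black list to fields you are sure no detection or investigation needs.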

Upgrade instructions

If you upgrade from version 4.2.0 to 4.3.0, update each input stanza in opseclea_inputs.conf as follows:

  1. Remove the fields property (the whitelist of fields to keep).
  2. Add the new field_black_list property to each stanza with the comma-separated list of fields to drop.
    • For example, to block the sent_bytes and short_desc fields, replace the fields line with:
    [<input-name>]
    field_black_list = sent_bytes,short_desc
    
Last modified on 09 June, 2020

This documentation applies to the following versions of Splunk® Supported Add-ons: released

