Splunk® Supported Add-ons

Splunk Add-on for Check Point OPSEC LEA

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Install the Splunk Add-on for Check Point OPSEC LEA

  1. Get the Splunk Add-on for Check Point OPSEC LEA by downloading it from https://splunkbase.splunk.com/app/3197 or browsing to it using the app browser within Splunk Web.
  2. Determine where and how to install this add-on in your deployment, using the tables on this page.
  3. Perform any prerequisite steps before installing, if required and specified in the tables below.
  4. Complete your installation.

Distributed deployments

Use the tables below to determine where and how to install this add-on in a distributed deployment of Splunk Enterprise or any deployment for which you are using forwarders to get your data in. Depending on your environment, your preferences, and the requirements of the add-on, you may need to install the add-on in multiple places.

Where to install this add-on

Unless otherwise noted, all supported add-ons can be safely installed to all tiers of a distributed Splunk platform deployment. See Where to install Splunk add-ons in Splunk Add-ons for more information.

This table provides a reference for installing this specific add-on to a distributed deployment of Splunk Enterprise.

Note: Linux (RHEL/CentOS 5.x, 6.x, or 7.x) is required for forwarders but search heads and indexers are platform independent.

Splunk instance type Supported Required Comments
Search Heads Yes Yes Install this add-on to all search heads where Check Point OPSEC LEA knowledge management is required. Splunk recommends that you turn the Visible setting off for the add-on on your search heads to prevent data duplication errors that can result from running inputs on your search heads instead of (or in addition to) your data collection node.
Indexers Yes Conditional This add-on does not need to be installed on indexers if it is installed on a heavy forwarder.
Heavy Forwarders Yes See comments Install this add-on on either a heavy or light forwarder for data collection. Because this add-on retains state and checkpoint locally on the data ingestion node, the forwarder needs to be backed up.
Universal Forwarders No No The universal forwarder is not supported because this add-on requires Python.
Light Forwarders Yes See comments Install this add-on on either a heavy or light forwarder for data collection. If installed on a light forwarder, the add-on must also be installed on your indexers. Because this add-on retains state and checkpoint locally on the data ingestion node, the forwarder needs to be backed up.

Distributed deployment feature compatibility

This table describes the compatibility of this add-on with Splunk distributed deployment features.

Distributed deployment feature Supported Comments
Search Head Clusters Yes
Indexer Clusters Yes Before installing this add-on to an Indexer cluster, remove the eventgen.conf file and all files in the samples folder.
Deployment Server No This add-on does not support installation or configuration via Deployment Server. This add-on retains state and checkpoint locally on the data ingestion node. For this reason, you cannot use a deployment server because of potential for duplication by running on multiple forwarders.

Installation walkthroughs

The Splunk Add-Ons manual includes an Installing add-ons guide that helps you successfully install any Splunk-supported add-on to your Splunk platform.

For a walkthrough of the installation procedure, follow the link that matches your deployment scenario:

Last modified on 22 October, 2019
PREVIOUS
Installation and configuration overview for the Splunk Add-on for Check Point OPSEC LEA
  NEXT
Upgrade the Splunk Add-on for Check Point OPSEC LEA

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters