Splunk® Supported Add-ons

Splunk Add-on for Check Point OPSEC LEA


Configure the Splunk Add-on for Check Point OPSEC LEA through the UI

You can configure the Splunk Add-on for Check Point OPSEC LEA using the configuration files or Splunk Web. This section describes how to configure the Splunk Add-on for Check Point OPSEC LEA using Splunk Web. When you create a connection using the Splunk Add-on for Check Point OPSEC LEA configuration page, the add-on pulls the OPSEC application certificate for you.

You will need to have admin permissions to configure this add-on.

Create an OPSEC LEA connection

If you have a standard Check Point Provider-1 environment, you must configure an OPSEC LEA connection for each Customer Management Add-on (CMA) connected to the Multi-Domain Management Server (MDS). The CMA acts as both Log Server (handling log file collection) and Management Server (issuing the OPSEC application certificate). If your Provider-1 environment includes the optional Multi-Domain Log Module (MLM), you must configure an OPSEC LEA connection for each Customer Log Module (CLM) connected to the Multi-Domain Log Module (MLM). In this case, the CLM acts as the Log Server, while the CMA acts as the Management Server.

Prerequisite:

Before you begin, make sure port 18210 is open to your management server as this port is blocked on many firewalls and the pull-cert.sh script pulls the certificate on port 18210. Also make sure that the log server port (default 18184) is open to your log servers.
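Because a blocked 18210 or 18184 surfaces only as a generic error in the Add Connection dialog, it is worth confirming reachability from the collection node first. The following is an added example, not part of the add-on: it checks TCP 18210 on the management server (the CMA in Provider-1) and the LEA port on each log server (the CLMs when an MLM is in use). The hostnames are placeholders.

```python
"""Preflight check for the ports an OPSEC LEA connection needs.

Added example, not code from the Splunk Add-on for Check Point OPSEC LEA.
It verifies that TCP 18210 (SIC, used by pull-cert.sh to fetch the OPSEC
application certificate) answers on the management server and that the
LEA port (default 18184) answers on every log server, so a firewall block
is found before Add Connection is clicked rather than diagnosed from
web_service.log afterwards. Hostnames used below are placeholders.
"""
from __future__ import annotations

import socket

SIC_PORT = 18210  # management server (CMA): certificate pull
LEA_PORT = 18184  # log server (CMA or CLM): log export


def check_port(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, name lookup failed
        return False


def preflight(management_server: str, log_servers: list[str],
              lea_port: int = LEA_PORT, timeout: float = 3.0) -> dict[str, bool]:
    """Map 'host:port' -> reachable for each port the connection needs.

    With an MLM, the management server is the CMA (SIC on 18210) and the
    log servers are the CLMs (LEA on 18184); 18210 is not expected to be
    listening on a CLM, so it is only probed on the management server.
    """
    results = {
        f"{management_server}:{SIC_PORT}": check_port(management_server, SIC_PORT, timeout)
    }
    for host in log_servers:
        results[f"{host}:{lea_port}"] = check_port(host, lea_port, timeout)
    return results


def demo_open_port(timeout: float = 1.0) -> bool:
    """Sanity check of check_port against a throwaway loopback listener."""
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        port = listener.getsockname()[1]
        return check_port("127.0.0.1", port, timeout)


if __name__ == "__main__":
    import sys

    # Placeholder hosts; pass the CMA first, then each log server.
    cma, *clms = sys.argv[1:] or ["cma.example.net", "clm1.example.net"]
    for target, reachable in preflight(cma, clms).items():
        print(f"{target}: {'open' if reachable else 'BLOCKED'}")
```

Run it on the node that will do the collection, since that is where the firewall path matters; a BLOCKED 18210 against a CLM is expected, a BLOCKED 18210 against the CMA is the cause of the certificate-pull failure described in the note below the steps.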

Steps:

  1. Access Splunk Web on the node responsible for data collection.
  2. Go to the Splunk Add-on for Check Point OPSEC LEA configuration page, either by clicking on the name of the add-on on the left navigation banner on the home page or by going to Manage Apps, then clicking Launch app in the row for Splunk Add-on for Check Point OPSEC LEA.
  3. Click the Configuration menu.
  4. In the Connection tab, click Add Connection.
  5. In the Add Connection dialog, type a name for the connection in the Name field. This name must be unique for each connection.
  6. Type the Log Server IP address.
    • For standard MDS (Multi-Domain Server) environments, the Log Server IP is the CMA IP address.
    • For standalone environments, the Log Server IP is the Management Server IP address.
  7. Accept the default Log Server Port number, 18184, unless your local environment uses a different port.
  8. From the Major Version list, select the version of your Check Point deployment.
  9. From the Log Server Type list, select the type of Check Point deployment you have.
  10. If you selected log server type Secondary Management Server or Dedicated Server in the previous step, the Log Server Object Name field appears. This is the name of the Secondary Management Server or Dedicated Server. (Example name for a Secondary Management Server: manager_server2.) You do not need to specify the full SIC name (for example, CN=cp_mgmt_manager_server2). The full SIC name will be generated automatically by the add-on.
  11. In the SIC Certificate field, select one of these options:
  12. Click Add. The connection will be saved and will be displayed on the Connection tab. The pulled certificate will be saved as <Connection Name>_<random number>.p12 in $SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/certs. For example: test1234_517533425.p12.

Note: If you receive an error message, this might be because you have not installed glibc.i686 and pam.i686, you are using an invalid password or IP address, the connection to the server is down, or port 18210 is blocked by your firewall. For error details, see $SPLUNK_HOME/var/log/splunk/web_service.log. See the Troubleshooting section for troubleshooting tips. Please note that port 18210 will not be listening on a Log Server (CLM/MLM), and you must configure the SIC initialization to the CMA IP instead. Then you can configure additional CLMs via the opsec_configuration.conf file.

You can edit, delete, or clone a connection by clicking the Action link for the connection in the Actions column.

Note: You cannot delete a connection sharing an SIC certificate with another connection through certificate reuse.

Set logging level

  1. Click the Logging tab on the Splunk Add-on for Check Point OPSEC LEA configuration page.
  2. The default Log Level is INFO. Change this to DEBUG or ERROR as needed.
  3. Click Save.

Create a new input

  1. From the Splunk Add-on for Check Point OPSEC LEA configuration page, click Inputs at the top and click Create New Input.
  2. Type a unique name for the input.
  3. Choose a Connection from the connections that have been previously configured.
  4. Choose Offline Mode or Online Mode. Online mode enables Check Point's real-time mode. This keeps a single Check Point process running, and prevents the Check Point process from being closed when no new log data is available on the Check Point server. This might help improve performance in cases where data flow is intermittent.
  5. (optional) Check No-Resolve Mode if you want to specify the loggrabber --no-resolve argument to turn object name resolution off.
  6. From the Data list, select the data you want to collect with the input.
    • Non-Audit: Collects all event types except audit events.
    • Firewall Events: Collects firewall events only.
    • Firewall Audit: Collects audit events only.
    • SmartDefense: Collects Smart Defense events only.
    • VPN (Virtual Private Network): Collects VPN events only.
  7. Set the interval with which to collect data with this input in seconds. The default is 3600 seconds.
  8. Select an index to use other than default if desired. This is the index to which Check Point events will be sent.
  9. (optional) In the Host field, provide the value you would like to use for the Host field in Splunk events.
  10. (optional) Specify a Start Time to begin collecting events in this format: YYYY-MM-DDThh:mm:ssTZD. For example: 2016-06-01T00:00:00+08:00.
    If you are upgrading from a previous version of the Splunk Add-on for Check Point OPSEC LEA, use this field to specify when to begin collecting events in order to prevent re-indexing events that have already been indexed by the Splunk platform. Note that collection starts at the time specified here from the currently active log file if there is more than one log file.
  11. By default, the add-on collects all log data with an input. You can limit data collection to only the log fields you are interested in to decrease indexed data volume.
    To exclude fields from data collection, clear the Fetch all fields option and, in the selection boxes that appear beneath the option, move unwanted fields from the Selected fields box to the Excluded fields box. Only common log fields are listed in the Selected fields box; by default, all possible fields are included in the event. To add a field that is not listed, click the plus sign (+) at the top of the box, enter the field name in the text box, and press Enter. Any field placed in the Excluded fields box is dropped from the event.
    • Note: You can verify the field name by using the following query.

      index=<index-name> sourcetype=<source-type> | table _raw

    Run the above query and find the field from the raw event that you want to block. Refer to the LEA Fields to verify the fields.
  12. Optionally, filter events by the common log fields product and org. The org filter rule is only available for non-audit and firewall audit data. When setting the org filter rule, enter valid IPv4 addresses and delimit multiple addresses with commas (,).
  13. Click Add to create the input. The input will now be listed on the Inputs page.
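Before excluding fields or adding a product/org filter, it helps to see what the input would actually keep. The following added example, not code from the add-on, parses constructed OPSEC LEA events in the pipe-delimited key=value form that appears in _raw, lists their field names so a name can be verified before it is excluded, and applies an exclusion list plus product and org filters. It assumes the org filter rule is matched against the originating gateway address carried in the orig field; the sample values are invented.

```python
"""Preview which fields and events an OPSEC LEA input would keep.

Added example, not code from the Splunk Add-on for Check Point OPSEC LEA.
Assumption: the org filter rule is compared against the originating
gateway address in the `orig` field of each event.
"""
from __future__ import annotations

import ipaddress

# Constructed sample events in the pipe-delimited key=value _raw form;
# values are illustrative, not captured from a gateway.
SAMPLE_EVENTS = [
    "loc=1201|time=22Jun2016 10:11:12|action=accept|orig=10.0.0.1|i/f_dir=inbound"
    "|i/f_name=eth0|product=VPN-1 & FireWall-1|src=192.0.2.10|dst=198.51.100.5"
    "|proto=tcp|service=443|s_port=51234|rule=12|rule_uid={A1B2C3D4}",
    "loc=1202|time=22Jun2016 10:11:13|action=drop|orig=10.0.0.1|i/f_dir=inbound"
    "|i/f_name=eth0|product=SmartDefense|src=192.0.2.99|dst=198.51.100.5"
    "|proto=tcp|service=22|attack=Port Scan",
    "loc=1203|time=22Jun2016 10:11:14|action=accept|orig=10.0.0.2|i/f_dir=outbound"
    "|i/f_name=eth1|product=VPN-1 & FireWall-1|src=198.51.100.7|dst=203.0.113.3"
    "|proto=udp|service=53|rule=4|rule_uid={E5F6A7B8}",
]


def parse_lea_event(raw: str) -> dict[str, str]:
    """Split a pipe-delimited LEA event into an ordered field dict.

    Each token is split on its first '=' only, so values containing '='
    survive; tokens without '=' are ignored.
    """
    fields: dict[str, str] = {}
    for token in raw.split("|"):
        key, sep, value = token.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def field_names(raw_events: list[str]) -> list[str]:
    """Union of field names across events, for checking a name before excluding it."""
    names: set[str] = set()
    for raw in raw_events:
        names.update(parse_lea_event(raw))
    return sorted(names)


def parse_org_filter(rule: str) -> set[str]:
    """Parse a comma-delimited org rule; every entry must be an IPv4 address."""
    addresses: set[str] = set()
    for entry in rule.split(","):
        entry = entry.strip()
        if not entry:
            continue
        try:
            addresses.add(str(ipaddress.IPv4Address(entry)))
        except ipaddress.AddressValueError as exc:
            raise ValueError(f"org filter entry is not an IPv4 address: {entry!r}") from exc
    return addresses


def is_valid_org_rule(rule: str) -> bool:
    """True if every entry in the rule parses as IPv4 (IPv6 and garbage are rejected)."""
    try:
        parse_org_filter(rule)
        return True
    except ValueError:
        return False


def preview(raw_events: list[str], excluded=(), products=None,
            org_rule: str | None = None) -> list[dict[str, str]]:
    """Return the events and fields that survive the exclusions and filters."""
    excluded_set = set(excluded)
    product_set = set(products) if products else None
    org_set = parse_org_filter(org_rule) if org_rule else None
    kept: list[dict[str, str]] = []
    for raw in raw_events:
        fields = parse_lea_event(raw)
        if product_set is not None and fields.get("product") not in product_set:
            continue
        if org_set is not None and fields.get("orig") not in org_set:
            continue
        kept.append({k: v for k, v in fields.items() if k not in excluded_set})
    return kept


def format_lea_event(fields: dict[str, str]) -> str:
    """Rebuild the pipe-delimited form, to size what would actually be indexed."""
    return "|".join(f"{k}={v}" for k, v in fields.items())


def bytes_saved(raw_events: list[str], excluded) -> int:
    """Indexed bytes removed by the field exclusions alone (no event filters)."""
    before = sum(len(raw) for raw in raw_events)
    after = sum(len(format_lea_event(f)) for f in preview(raw_events, excluded))
    return before - after


if __name__ == "__main__":
    print("fields:", ", ".join(field_names(SAMPLE_EVENTS)))
    for event in preview(SAMPLE_EVENTS, excluded={"loc", "rule_uid"},
                         products={"VPN-1 & FireWall-1"}, org_rule="10.0.0.1"):
        print(format_lea_event(event))
    print("bytes saved by excluding loc,rule_uid:",
          bytes_saved(SAMPLE_EVENTS, {"loc", "rule_uid"}))
```

Paste a handful of real _raw events from the `| table _raw` query above in place of the constructed ones to check a field name exists before excluding it and to estimate how much indexed volume an exclusion list removes.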

You can edit, delete, disable, or clone an input by clicking the Action link for the input in the Actions column.

Upgrade instructions

If you configured the Splunk Add-on for Check Point OPSEC LEA through the UI with fields excluded, there are no upgrade issues from version 4.2.0 to 5.0.0.

If you configured the Splunk Add-on for Check Point OPSEC LEA through the UI without excluding fields, you might see additional fields in your events after the upgrade. To remove those fields, do the following.

  1. Navigate to the Inputs page in the Splunk Add-on for Check Point OPSEC LEA.
  2. Select the Data input you would like to edit.
  3. Clear the Fetch all fields option and in the selection boxes that appear beneath the option, move unwanted fields from the Selected fields box to the Excluded fields box.
  4. Click Update.
Last modified on 09 June, 2020

This documentation applies to the following versions of Splunk® Supported Add-ons: released

