Checkpoint Software blades with CIM mapping have been sub-grouped into sources to allow routing to appropriate indexes. All other source metadata is left at default.
Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is used exclusively, the add-on is not required on the indexer.
Review and update the splunk_metadata.csv file and set the index and sourcetype as required for the data source.
To configure the valid syslog format in Checkpoint, follow the steps below:
Copy SplunkRecommendedFormatDefinition.xml into $EXPORTERDIR/targets//conf
Navigate to the configuration file $EXPORTERDIR/targets//conf/targetConfigurationSample.xml and open it in edit mode.
Add the reference to the SplunkRecommendedFormatDefinition.xml under the key . For example, if $EXPORTERDIR=/opt/CPrt-R81/log_exporter, the absolute path will become: