Check Point Software Blades with CIM mapping have been sub-grouped into sources so that each can be routed to the appropriate index. All other source metadata is left at its default.
Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is used exclusively, the add-on is not required on the indexer.
Review and update the splunk_metadata.csv file, setting the index and sourcetype as required for this data source.
To configure a valid syslog format in Check Point, follow the steps below:
Go to the cp terminal.
Enter the expert command to log in to expert mode.
Enter cd $EXPORTERDIR
In this directory, check the targets subdirectory; if it is empty, configure a new target for the logs with the command below:
cp_log_export add name target-server target-port protocol <(udp|tcp)> format <(syslog)|(cef)|(splunk)(generic)>
Copy SplunkRecommendedFormatDefinition.xml into $EXPORTERDIR/targets//conf
Navigate to the configuration file $EXPORTERDIR/targets//targetConfiguration.xml and open it in edit mode.
Add the reference to the SplunkRecommendedFormatDefinition.xml under the key . For example, if $EXPORTERDIR=/opt/CPrt-R81/log_exporter, the absolute path will become:
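The following is an added example (not code from the SC4S project or the Check Point documentation) that wraps the check-then-add step of the procedure above in a POSIX shell script: it refuses to create a target when $EXPORTERDIR/targets already has entries, validates the protocol and port before calling cp_log_export, and builds the command with format splunk. The target name sc4s, the server address 10.0.0.5 and the port 514 are constructed placeholders for the values elided from the command line on the page, and CP_DRY_RUN is a variable of this script, not a Check Point option.

```shell
#!/bin/sh
# Added example, not from the SC4S or Check Point documentation. Wraps the
# target-creation step: refuses to add a target when $EXPORTERDIR/targets
# already has entries, validates protocol and port, and builds the
# cp_log_export command with format splunk. Assumes cp_log_export is on PATH
# in expert mode; CP_DRY_RUN is a variable of this script only.

# Succeeds when $1/targets is missing or has no entries.
targets_is_empty() {
    dir="$1/targets"
    [ -d "$dir" ] || return 0
    [ -z "$(ls -A "$dir" 2>/dev/null)" ]
}

# Prints the cp_log_export command for a syslog target in Splunk format.
# Arguments: name, target server, target port, protocol (udp or tcp).
build_target_cmd() {
    name="$1"; server="$2"; port="$3"; proto="${4:-tcp}"
    case "$proto" in
        udp|tcp) ;;
        *) echo "unsupported protocol: $proto (use udp or tcp)" >&2; return 2 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 2 ;;
    esac
    printf 'cp_log_export add name %s target-server %s target-port %s protocol %s format splunk\n' \
        "$name" "$server" "$port" "$proto"
}

# Runs the full check-then-add step. Returns 1 when targets already exist so
# an operator reviews them before adding another; prints the command instead
# of running it when CP_DRY_RUN is non-empty.
configure_sc4s_target() {
    exporter_dir="$1"; name="$2"; server="$3"; port="$4"; proto="${5:-tcp}"
    if ! targets_is_empty "$exporter_dir"; then
        echo "targets already exist under $exporter_dir/targets; review them first" >&2
        return 1
    fi
    cmd=$(build_target_cmd "$name" "$server" "$port" "$proto") || return $?
    if [ -n "${CP_DRY_RUN:-}" ]; then
        echo "$cmd"
    else
        # Word splitting is intended here: none of the arguments contain spaces.
        $cmd
    fi
}

# Usage in expert mode (all values are constructed placeholders):
#   configure_sc4s_target "$EXPORTERDIR" sc4s 10.0.0.5 514 tcp
```

Run it once with CP_DRY_RUN=1 to confirm the exact command line before it touches the exporter; after the target exists, the targets/<name>/conf directory the later steps refer to is where SplunkRecommendedFormatDefinition.xml goes.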