Log Exporter (Syslog)
Key Facts
- As of 2/1/2022, the Log Exporter configuration provided by Checkpoint is defective and produces invalid data. The configuration below is REQUIRED.
- MSG format-based filter
- RFC5424 IETF Syslog without frame – use port `514/TCP`.
Sourcetypes
Sourcetype and Index Configuration
Source and Index Configuration
Checkpoint Software blades with a CIM mapping have been sub-grouped into sources to allow routing to appropriate indexes. All other source metadata is left at its defaults.
Source Configuration
Splunk Side
- Install the Splunk Add-on on the search head(s) for the users interested in this data source. If SC4S is used exclusively, the add-on is not required on the target indexer or heavy forwarder.
- Review and update the `splunk_metadata.csv` file and set the `index` and `sourcetype` as required for the data source.
Checkpoint Side
- Go to the `cp` terminal and use the `expert` command to log in to expert mode.
- Ensure the built-in `$EXPORTERDIR` shell variable is defined with:
- Create a new Log Exporter target in `$EXPORTERDIR/targets` with:

```bash
LOG_EXPORTER_NAME='SyslogToSplunk' # Name this something unique but meaningful
TARGET_SERVER='example.internal' # The indexer or heavy forwarder to send logs to. Can be an FQDN or an IP address.
TARGET_PORT='514' # Syslog defaults to 514
TARGET_PROTOCOL='tcp' # IETF Syslog is specifically TCP
cp_log_export add name "$LOG_EXPORTER_NAME" target-server "$TARGET_SERVER" target-port "$TARGET_PORT" protocol "$TARGET_PROTOCOL" format 'syslog'
```
- Make a global copy of the built-in Syslog format definition with:

```bash
cp "$EXPORTERDIR/conf/SyslogFormatDefinition.xml" "$EXPORTERDIR/conf/SplunkRecommendedFormatDefinition.xml"
```
- Edit `$EXPORTERDIR/conf/SplunkRecommendedFormatDefinition.xml` by modifying the `start_message_body`, `fields_separatator`, and `field_value_separatator` keys as shown below.
  a. Note: The misspelling of “separator” as “separatator” is intentional, and is to line up with both Checkpoint’s documentation and parser implementation.

```xml
<start_message_body>[sc4s@2620 </start_message_body>
<!-- ... -->
<fields_separatator> </fields_separatator>
<!-- ... -->
<field_value_separatator>=</field_value_separatator>
```
- Copy the new format config to your new target’s `conf` directory with:

```bash
cp "$EXPORTERDIR/conf/SplunkRecommendedFormatDefinition.xml" "$EXPORTERDIR/targets/$LOG_EXPORTER_NAME/conf"
```
- Edit `$EXPORTERDIR/targets/$LOG_EXPORTER_NAME/targetConfiguration.xml` by adding a reference to `$EXPORTERDIR/targets/$LOG_EXPORTER_NAME/conf/SplunkRecommendedFormatDefinition.xml` under the `<formatHeaderFile>` key.
  a. For example, if `$EXPORTERDIR` is `/opt/CPrt-R81/log_exporter` and `$LOG_EXPORTER_NAME` is `SyslogToSplunk`, the absolute path will become:

```xml
<formatHeaderFile>/opt/CPrt-R81/log_exporter/targets/SyslogToSplunk/conf/SplunkRecommendedFormatDefinition.xml</formatHeaderFile>
```
- Restart the new log exporter with:

```bash
cp_log_export restart name "$LOG_EXPORTER_NAME"
```
- Warning: If you’re migrating from the old Splunk Syslog format, make sure that the older format’s log exporter is disabled, as it would lead to data duplication.
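Once the exporter has been restarted, it helps to confirm that what actually arrives on 514/TCP is an RFC 5424 message whose body is a single `[sc4s@2620 ...]` element with space-separated `key=value` fields, which is what the edited definition is meant to produce. The checker below is an added example, not part of the SC4S or Check Point documentation; its sample messages are constructed, and it assumes Check Point quotes field values in the RFC 5424 style (a bare token is accepted as a fallback).

```python
import re

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then
# STRUCTURED-DATA and an optional MSG.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<pid>\S+) (?P<msgid>\S+) (?P<rest>.*)$"
)
# The edited definition opens the body with "[sc4s@2620 "; the element runs to
# the first unescaped "]" (RFC 5424 escapes "]", '"' and "\" with a backslash).
SD_RE = re.compile(r"^\[sc4s@2620 (?P<body>(?:[^\]\\]|\\.)*)\]")
# One space-separated field: key, "=", then a double-quoted value (RFC 5424
# SD-PARAM form) or, as a fallback assumption, a bare token.
PARAM_RE = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_sc4s_message(line):
    """Split one exporter message into (header dict, field dict); raise if malformed."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an RFC 5424 header")
    sd = SD_RE.match(m["rest"])
    if not sd:
        raise ValueError('body does not start with "[sc4s@2620 " key=value fields')
    fields = {}
    for key, value in PARAM_RE.findall(sd["body"]):
        if value.startswith('"'):
            value = value[1:-1]
        fields[key] = re.sub(r"\\(.)", r"\1", value)  # undo RFC 5424 escaping
    header = {k: m[k] for k in ("pri", "ver", "ts", "host", "app", "pid", "msgid")}
    return header, fields

def check_messages(lines):
    """Return [(ok, detail), ...] for a captured sample, one entry per line."""
    results = []
    for line in lines:
        try:
            results.append((True, "%d fields" % len(parse_sc4s_message(line)[1])))
        except ValueError as exc:
            results.append((False, str(exc)))
    return results

# Constructed samples: hostname, field names and values are illustrative only.
GOOD = ('<134>1 2022-02-01T10:15:00Z gw-example CheckPoint 29021 - '
        '[sc4s@2620 time="1643710500" product="VPN-1 & FireWall-1" action="accept" '
        'src="10.0.0.5" dst="10.0.1.9" service="443" rule_name="Allow Web \\"tier-1\\""]')
# Same event with no sc4s@2620 element: the shape the checker should flag before go-live.
BAD = ('<134>1 2022-02-01T10:15:00Z gw-example CheckPoint 29021 - - '
       'time="1643710500" product="VPN-1 & FireWall-1" action="accept"')
```

Capture a handful of lines from the exporter on the SC4S host (a packet capture or a plain TCP listener on 514 is enough) and pass them to `check_messages`; any `False` entry means the format definition or `<formatHeaderFile>` reference did not take effect.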