Log Exporter (Splunk)
The “Splunk Format” is legacy and should not be used for new deployments; see Log Exporter (Syslog).
Key Facts
- Format is not conformant to RFC 3164; avoid use
- MSG Format based filter
- Legacy BSD Format, default port 514
The Splunk host field will be derived as follows, using the first match:
- Use the hostname field
- Use the first CN component of origin_sic_name/originsicname
- If host is not set from CN, use the hostname field
- If host is not set, use the BSD syslog header host

If the host is in the format `<host>-v_<bladename>`, use bladename for host.
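The host selection order above, as an added Python example that is not part of the SC4S project or its documentation: it assumes the Check Point fields have already been split into key=value pairs upstream, and that the BSD syslog header host remains the final fallback when the old host rules are enabled (the page lists that fallback only for the default order).

```python
import re
from typing import Mapping, Optional

# Constructed sample events: (parsed Check Point fields, BSD syslog header host).
# The page does not show the legacy Splunk wire layout, so parsing is assumed done.
SAMPLE_EVENTS = [
    ({"hostname": "gw-1", "origin_sic_name": "CN=gw-1-v_VS2,O=mgmt..a1b2c3"}, "10.0.0.1"),
    ({"originsicname": "CN=fw-edge,O=mgmt..a1b2c3"}, "10.0.0.2"),
    ({"product": "SmartDefense"}, "relay-01"),
]


def first_cn(sic_name: Optional[str]) -> Optional[str]:
    """Return the first CN component of a SIC name such as 'CN=gw-1,O=mgmt..x'."""
    if not sic_name:
        return None
    for component in sic_name.split(","):
        key, sep, value = component.strip().partition("=")
        if sep and key.upper() == "CN" and value:
            return value
    return None


def blade_host(host: str) -> str:
    """Apply the <host>-v_<bladename> rule: keep only the blade name."""
    match = re.fullmatch(r"(.+)-v_(.+)", host)
    return match.group(2) if match else host


def derive_host(fields: Mapping[str, str], header_host: Optional[str],
                old_host_rules: bool = False) -> Optional[str]:
    """Pick the Splunk host field using the first non-empty candidate."""
    hostname = fields.get("hostname")
    if old_host_rules:
        # SC4S_LISTEN_CHECKPOINT_SPLUNK_OLD_HOST_RULES=yes:
        # originsicname -> origin_sic_name -> hostname
        candidates = [first_cn(fields.get("originsicname")),
                      first_cn(fields.get("origin_sic_name")), hostname]
    else:
        # Default: hostname -> first CN of origin_sic_name/originsicname
        candidates = [hostname,
                      first_cn(fields.get("origin_sic_name") or fields.get("originsicname"))]
    # Assumption: the BSD syslog header host is the last fallback in both modes.
    candidates.append(header_host)
    host = next((c for c in candidates if c), None)
    return blade_host(host) if host else None


def derive_hosts(events, old_host_rules: bool = False):
    return [derive_host(fields, hdr, old_host_rules) for fields, hdr in events]


if __name__ == "__main__":
    print("default:", derive_hosts(SAMPLE_EVENTS))
    print("old rules:", derive_hosts(SAMPLE_EVENTS, old_host_rules=True))
```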
Links
Sourcetypes
| sourcetype | notes |
|------------|-------|
| cp_log     | None  |
Sourcetype and Index Configuration
| key              | sourcetype | index  | notes |
|------------------|------------|--------|-------|
| checkpoint_splunk | cp_log    | netops | none  |
Source and Index Configuration
Check Point software blades with CIM mapping have been sub-grouped into sources to allow routing to the appropriate indexes. All other source metadata is left at the default.
| key                           | source             | index    | notes |
|-------------------------------|--------------------|----------|-------|
| checkpoint_splunk_dlp         | dlp                | netdlp   | none  |
| checkpoint_splunk_email       | email              | email    | none  |
| checkpoint_splunk_firewall    | firewall           | netfw    | none  |
| checkpoint_splunk_os          | program:${program} | netops   | none  |
| checkpoint_splunk_sessions    | sessions           | netops   | none  |
| checkpoint_splunk_web         | web                | netproxy | none  |
| checkpoint_splunk_audit       | audit              | netops   | none  |
| checkpoint_splunk_endpoint    | endpoint           | netops   | none  |
| checkpoint_splunk_network     | network            | netops   |       |
| checkpoint_splunk_ids         | ids                | netids   |       |
| checkpoint_splunk_ids_malware | ids_malware        | netids   |       |
Options
| Variable                                    | default      | description |
|---------------------------------------------|--------------|-------------|
| SC4S_LISTEN_CHECKPOINT_SPLUNK_NOISE_CONTROL | no           | Suppress any duplicate product+loguid pairs processed within 2 seconds of the last matching event |
| SC4S_LISTEN_CHECKPOINT_SPLUNK_OLD_HOST_RULES | empty string | When set to yes, reverts the host name selection order to originsicname -> origin_sic_name -> hostname |