
Deployment

In This Section:

Deploying Log Exporter - Part 1

Setting Up a New Data Input on Splunk

Deploying Log Exporter - Part 2

Compatibility

Deploying Log Exporter - Part 1

To configure a new target (Splunk server) for the logs:

On the Check Point server, run:

cp_log_export add name <name> [domain-server <domain-server>] target-server <target-server> target-port <target-port> protocol <tcp | udp> format splunk read-mode <raw | semi-unified>

Example:

cp_log_export add name my_exporter target-server 192.168.1.1 target-port 12001 protocol tcp format splunk read-mode semi-unified

On Multi-Domain Server/Multi-Domain Log Server:

  1. The domain-server argument is mandatory. You can use 'mds' as the value for domain-server to export Multi-Domain Server level audit logs.
  2. This creates a new target directory with the unique name specified in the <name> parameter under $EXPORTERDIR/targets/<name>.

    Note - On a Multi-Domain Server environment, there is an EXPORTERDIR for each domain.

  3. Set the target configuration parameters with the connection details:
    • IP Address
    • Port
    • Protocol
    • Format
    • Read-mode - The recommended read-mode is semi-unified. Semi-unified mode ensures you receive complete data.

The deployment described above exports the logs in clear text. To send the logs over an encrypted connection, refer to the “TLS Configuration” section in sk122323.

Note - After you configure the target (Splunk server), you must configure the data input on the Splunk side before you export logs from your Check Point server.

To modify an existing target for the logs to work with Splunk format:

On the Check Point server, run:

cp_log_export set name <name> format splunk read-mode <raw | semi-unified>

Example:

cp_log_export set name my_exporter format splunk read-mode semi-unified
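The following added example (not from the Check Point documentation) validates the enumerated arguments of cp_log_export add before anything is run and, on a Multi-Domain Server, generates one exporter per domain plus one named mds for the MDS-level audit logs, as Part 1 requires. It assumes an Expert-mode shell on the Check Point server; the DOMAINS list is a constructed sample, and DRY_RUN=1 only prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not part of the Check Point page: validate the arguments
# of 'cp_log_export add' and generate one exporter per domain on a
# Multi-Domain Server (plus 'mds' for MDS-level audit logs).
# Assumptions: run in Expert mode on the Check Point server; DOMAINS is a
# constructed list for illustration; DRY_RUN=1 only prints the commands.

# Check the enumerated values the command accepts before anything is run.
validate_args() {            # usage: validate_args <protocol> <read-mode> <port>
  case $1 in tcp|udp) ;; *) echo "protocol must be tcp or udp: $1" >&2; return 1 ;; esac
  case $2 in raw|semi-unified) ;; *) echo "read-mode must be raw or semi-unified: $2" >&2; return 1 ;; esac
  case $3 in ''|*[!0-9]*) echo "port must be numeric: $3" >&2; return 1 ;; esac
  [ "$3" -ge 1 ] && [ "$3" -le 65535 ] || { echo "port out of range: $3" >&2; return 1; }
}

# Print the exact command line (domain-server only when a domain is given).
build_add_cmd() {            # usage: build_add_cmd <name> <domain|''> <target> <port> <protocol> <read-mode>
  validate_args "$5" "$6" "$4" || return 1
  if [ -n "$2" ]; then dom="domain-server $2 "; else dom=""; fi
  printf 'cp_log_export add name %s %starget-server %s target-port %s protocol %s format splunk read-mode %s\n' \
    "$1" "$dom" "$3" "$4" "$5" "$6"
}

# One exporter per domain; the name embeds the domain so each target
# directory under $EXPORTERDIR/targets/<name> is unique.
export_all_domains() {       # usage: export_all_domains <target-server> <target-port>
  for d in mds $DOMAINS; do
    n="splunk_$d"
    cmd=$(build_add_cmd "$n" "$d" "$1" "$2" tcp semi-unified) || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo "$cmd"
    else
      # Arguments are passed directly (no eval), then the exporter is started.
      cp_log_export add name "$n" domain-server "$d" target-server "$1" target-port "$2" \
        protocol tcp format splunk read-mode semi-unified && cp_log_export restart name "$n"
    fi
  done
}

DOMAINS="domain_a domain_b"   # constructed sample domain names
DRY_RUN=1
export_all_domains 192.168.1.1 12001
```

With DRY_RUN=1 the script prints the three add commands (mds, domain_a, domain_b) for review; unset it to run them and restart each exporter.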

Setting Up a New Data Input on Splunk

To configure a new data input for the logs:

  1. On the Splunk WebUI, click Settings in the upper toolbar.
  2. Under Data, select Data Inputs.
  3. Select the relevant protocol (TCP/UDP) based on what you configured in Log Exporter.
  4. Click New Local TCP/UDP.
  5. Configure the port number you configured as <target-port> on the Log Exporter.
  6. Configure the allowed incoming connections that Splunk should accept.
  7. Click Select and enter cp_log as the source type.
  8. Click Review to make sure your configuration is correct.
  9. Click Submit.

For more information on Data Inputs on Splunk, refer to Splunk documentation - Configure your inputs.

To modify an existing data input for the logs:

  1. On the Splunk WebUI, click Settings in the upper toolbar.
  2. Under Data, select Data Inputs.
  3. Select the relevant protocol (TCP/UDP) based on what you configured in Log Exporter.
  4. Click the port number you want to modify.
  5. Change the sourcetype to cp_log.
  6. Click Save.

Deploying Log Exporter - Part 2

The last step is to start the export process on your Check Point Server:

Run:

cp_log_export restart name <name>

You can now see the exported logs in your Splunk WebUI.

Compatibility