splunk-app-and-ta-development / ta-checkpoint-cef Goto Github PK

September 2018

• About Check Point CEF Add On For Splunk
• Release notes
• Prerequisites and requirements
• Support

• Hardware requirements
• Splunk Enterprise system requirements

• Check Point configuration
  • Install Log Exporter
  • Configure syslog export
• Splunk Configuration
  • Single instance
  • Distributed deployment

The Check Point CEF Add On For Splunk provides knowledge objects to allow for the Check Point Log Exporter to function within Splunk. This replaces the traditional method of using OPSEC LEA for collecting this data.

This app supports the new Log Exporter method for Check Point logging. This resolves several limitations of the OPSEC LEA method:

• A Linux heavy forwarder is no longer required for bringing in Check Point logs. All Splunk platforms are supported.
• The OPSEC LEA forwarder is no longer a single point of failure for Check Point logging. This method supports all syslog redundancy mechanisms.
• There is not a gap in logging that occurs during a logrotate on the management server (this commonly resulted in missing logs occurring daily at midnight).

Version 1.0.2 is the third release. It adds additional values to the checkpoint_cef_actions.csv lookup in support of CIM compliance.

Version 1.0.1 is the second release. It adds support for audit logging and contains minor edits to version 1.0.0.

Version 1.0.1 of the Check Point CEF Add On For Slunk For Splunk is compatible with:

This app requires that the Check Point management server controlling gateways be running a version which supports the Check Point Log Exporter, which is documented in sk122323. At the time of this writing, this includes versions R77.30, R80.10 and R80.20. Gateways do not necessarily need to be running a version supporting the Log Exporter as long as they are centrally logging to a management server or log server capable of running the Log Exporter.

This app is not officially supported by Check Point, Splunk, or Hurricane Labs. Submit an issue on Github: https://github.com/HurricaneLabs/TA-checkpoint-cef/issues

Check Point CEF Add On For Splunk supports the following server platforms in the versions supported by Splunk Enterprise:

• Platform independent (knowledge objects only)

Because this add-on runs on Splunk Enterprise, all of the Splunk Enterprise system requirements apply.

Note: it is recommended that a dedicated syslog receiver (such as syslog-ng) be used to collect the data associated with this app, as opposed to a direct TCP/UDP input in Splunk. TCP is recommended over UDP for this data input.

Install Log Exporter

1. Follow the installation instructions for your version of Check Point detailed in sk122323.
2. After completing the Splunk configuration below, configure the Log Exporter to forward logs to your Splunk environment. CEF format should be specified in the cp_log_export command.

Install to search head

1. Install the app.
2. Configure Splunk to receive and ingest the syslog data from the Check Point management server, as appropriate in your environment.

Install to search head and the first Splunk Enterprise system to receive data

The app has index-time sourcetyping operations. This app should be deployed to your search head as well as the first Splunk Enterprise system to receive your data. If you are receiving syslog on a Universal Forwarder, this app should be installed on the indexing tier. If you are receiving syslog on a Heavy Forwarder, this app should be installed on the Heavy Forwarder.

1. Install the app.
2. Configure Splunk to receive and ingest the syslog data from the Check Point management server, as appropriate in your environment.

• Several field extractions are currently untested

• App is written to mirror functionality in the Splunk Add-on for Check Point OPSEC LEA, https://splunkbase.splunk.com/app/3197/
• CEF processing is based on Igor Sher's CEF Extraction Add-on for Splunk app, https://splunkbase.splunk.com/app/487/