Integrate Splunk with Checkpoint Server

To integrate Splunk with a Check Point Log Server, the following prerequisites must be installed and configured:

  • A working Splunk setup
  • The Splunk Add-on for Check Point OPSEC LEA installed on Splunk
  • PAM libraries and GCC dependencies installed on the Linux distribution on which Splunk is installed
  • A working Check Point Management/Log Server and access to SmartDashboard
  • Working network communication between the Management/Log Server and the Splunk server

Let's start by installing the Splunk Add-on for Check Point OPSEC LEA on the Splunk server.

Download the application and store it in a location on your computer.

https://splunkbase.splunk.com/app/1454/

Log in to the Splunk server web interface.

Go to the Apps section, click Install app from file, browse to the file downloaded earlier and click Open.

Once the application is installed, the Splunk service has to be restarted; click Restart Splunk.

After the restart you can see the application installed, and you can proceed with integrating your management server with Splunk.

Open SmartDashboard and connect to the Check Point Management Server.

Once SmartDashboard is open, go to Manage and click Servers and OPSEC Applications.

Create a new OPSEC Application for the Splunk server.

Provide a name for the Splunk server application. Create a new host to represent the Splunk server's IP address by clicking New.

Provide a name for the Splunk server and add the Splunk server's IP address on the Host General Properties page.

Once the host is created it should show up in the Host section of the OPSEC application. Under Client Entities, select LEA.

To create trust between the Management Server and the Splunk server we need to initialize SIC. Click on the Communication tab.

Enter a SIC activation key. Remember this key; it is needed when we pull the SIC certificate on the Splunk server.

Click Initialize. The Trust State should now show "Initialized but trust not established".

We also need to copy the SIC DN of both the Check Point Management Server and the Splunk server.

For the Management Server, double-click the Check Point Management Server object and, from the General Properties page, click Test SIC Status.

On the SIC Status page, copy the DN entry and save it in Notepad or another editor; it will be used later.

Open the Splunk OPSEC Application; in the Communication section you can see the DN of the Splunk LEA server. Copy and save this as well; it will also be used later.

After this, install the database on the Management Server: go to File, then Policy, then Install Database.

Select the management server and click OK. Once done you should see the message below.

Now we need to pull the certificate from the Check Point Management Server onto the Splunk server.

Before this we need to install 2 dependencies that are crucial for getting the certificate from the management server.

Log in to the Linux distribution on which Splunk is installed and install the following packages:

  • glibc.i686
  • pam.i686
  • libgcc.x86_64
  • pam.x86_64

Since my Splunk was installed on CentOS, the procedure below installs these dependencies with yum.

yum install glibc.i686

yum install pam.i686

The second command, "yum install pam.i686", will not work directly: the 64-bit PAM libraries must be brought up to date before the 32-bit ones can be installed. Run the upgrade command below first, then run the pam.i686 install command again.

yum upgrade libgcc.x86_64 pam.x86_64

yum install pam.i686

Once these dependencies are installed, go to the /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin directory.

There you should see the pull-cert.sh script.

Run it to pull the certificate:

./pull-cert.sh
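As an added pre-flight check (not part of this post or of the Splunk add-on), the script below compares the packages listed above against what rpm reports as installed, prints the yum commands in the order that worked above (64-bit upgrade before the 32-bit install), and confirms that pull-cert.sh is present. It assumes an RPM-based distribution such as the CentOS host used here and the add-on path quoted in the post.

```shell
#!/bin/sh
# Pre-flight check for the pull-cert.sh prerequisites (added example, not from
# the Splunk add-on). Assumes an RPM-based distro and the add-on path from the post.

REQUIRED="libgcc.x86_64 pam.x86_64 glibc.i686 pam.i686"
PULL_CERT="/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/pull-cert.sh"

# Print the required packages that are missing from the installed list read on
# stdin. Input is one "name.arch" per line, as produced by:
#   rpm -qa --queryformat '%{NAME}.%{ARCH}\n'
missing_deps() {
  installed=$(cat)
  for pkg in $REQUIRED; do
    printf '%s\n' "$installed" | grep -qx "$pkg" || printf '%s\n' "$pkg"
  done
}

# Turn a list of missing packages (stdin) into yum commands in the order the
# post found to work: upgrade the 64-bit libgcc/pam first, then install i686.
install_plan() {
  missing=$(cat)
  x64=""; i686=""
  for pkg in $missing; do
    case "$pkg" in
      *.x86_64) x64="$x64 $pkg" ;;
      *.i686)   i686="$i686 $pkg" ;;
    esac
  done
  [ -n "$x64" ]  && printf 'yum upgrade%s\n' "$x64"
  [ -n "$i686" ] && printf 'yum install%s\n' "$i686"
  return 0
}

# Dry run against the live system: reports what is missing, installs nothing.
preflight() {
  missing=$(rpm -qa --queryformat '%{NAME}.%{ARCH}\n' 2>/dev/null | missing_deps)
  if [ -n "$missing" ]; then
    echo "Missing packages; run the following before pull-cert.sh:"
    printf '%s\n' "$missing" | install_plan
    return 1
  fi
  [ -x "$PULL_CERT" ] || { echo "pull-cert.sh not found at $PULL_CERT"; return 1; }
  echo "All prerequisites present; run: cd $(dirname "$PULL_CERT") && ./pull-cert.sh"
}
```

Source the file and call preflight on the Splunk host; a non-zero return means something is still missing.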

Once done, we need to configure the connection on the Splunk server. Click the New Connection tab on the Check Point OPSEC LEA page.

Provide the connection name, IP address and port number, and click Next.

Important: Although not shown in the screenshot, you may want to enable the No-Resolve Mode and Online Mode checkboxes. This makes your searches run faster and gives you almost real-time data.

Select the certificate from the drop-down; this is the same certificate we generated earlier. Click Next.

Provide the SIC Name and the Entity SIC Name that we copied earlier. The SIC Name is the SIC DN of the Splunk LEA object created in SmartDashboard, and the Entity SIC Name is the SIC DN of the Management Server.

Click Next to complete the configuration. You should then see the connection in the list.

To verify that events are being fetched, go to Search & Reporting and check the number of events received.

You can also filter the events by providing a keyword.

Please feel free to add any comments or suggestions you may have.

Author: Tausif Khaleel

NOTE: You may see many Check Point fields shown as confidential in Splunk search. To fix this, follow the steps below.

  1. Open SmartDashboard, go to the OPSEC Splunk object and click LEA Permissions. Change "Permission to read logs" to "Show all log fields"; by default this is set to "Hide all confidential log fields".
  2. Install Database and push the policy.
  3. Reboot the Check Point management server.
