
How to edit outputs.conf for the Splunk Add-on for Check Point OPSEC LEA on a heavy forwarder to route logs to new indexers?

We have a Splunk setup to get the ASA Check Point logs collected on a heavy forwarder and sent to an indexer server through the Splunk® Add-on for Check Point OPSEC LEA. That add-on was installed and configured on the heavy forwarder. When I checked the input files, I saw that the following script was added in the inputs.conf file:

/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity Checkpoint

Now we are in the process of building new indexer servers, and I'm trying to find a way to change outputs.conf and redirect the logs to the new indexers.

Here is the current data flow:

Checkpoint ---- HF -- old indexer

My new settings will be:

Check point - HF - new indexer servers

If anyone knows how to update the outputs for the Splunk Add-on for Check Point OPSEC LEA, please let me know.
