To integrate Splunk with a Check Point Management/Log Server over OPSEC LEA, the following prerequisites need to be installed or configured.

  • A working Splunk setup
  • The Splunk Add-on for Check Point OPSEC LEA installed on Splunk
  • PAM libraries and GCC dependencies installed on the Linux distribution on which Splunk is installed
  • A working Check Point Management/Log Server and access to SmartDashboard
  • Working network communication between the Management/Log Server and the Splunk server

Let's start by installing the Splunk Add-on for Check Point OPSEC LEA on the Splunk server.

Download the add-on and store it somewhere on your computer.

Log in to the Splunk web interface.


Go to the Apps section, click Install app from file, browse to the file downloaded earlier and click Open.



Once the add-on is installed the Splunk service has to be restarted; click Restart Splunk.

After the restart you can see the add-on installed and you can proceed with integrating your Management Server with Splunk.


Open SmartDashboard and connect to the Check Point Management Server.


Once SmartDashboard is open, go to Manage -> Servers and OPSEC Applications.


Create a new OPSEC Application for the Splunk server.


Give the Splunk server application a name. Create a new host object to represent the Splunk server's IP address: click New.


Provide a name for the Splunk server and add its IP address on the Host General Properties page.


Once the host is created it shows up in the Host field of the OPSEC application. Under Client Entities, select LEA.


To establish trust between the Management Server and the Splunk server we need to initialize SIC. Click the Communication tab.

Enter a one-time activation key (the SIC key). Remember it: it is needed when we pull the SIC certificate on the Splunk server.


Click Initialize. The Trust State should now read "Initialized but trust not established".


We also need to copy the SIC DN of both the Check Point Management Server and the Splunk server.

For the Management Server, double-click the Check Point Management Server object and on its General Properties page click Test SIC Status.


On the SIC Status page, copy the DN entry and save it in Notepad or another editor; it is used later.


Open the Splunk OPSEC Application; in the Communication section you can see the DN of the Splunk LEA server. Copy and save this as well, it is also used later.


Next, install the database on the Management Server: go to File -> Policy -> Install Database.

Select the Management Server and click OK. Once done you should see the message below.



Now we need to pull the certificate from the Check Point Management Server onto the Splunk server.

Before that, two dependencies that are crucial for fetching the certificate have to be installed. The add-on's OPSEC client binaries are 32-bit builds, so the 32-bit (i686) versions of glibc and PAM are required even on a 64-bit host.

Log in to the Linux host on which Splunk is installed and install the following dependencies.

Since my Splunk was installed on CentOS, below is the procedure for installing them.

yum install glibc.i686

yum install pam.i686

The second command, "yum install pam.i686", will not work directly. You need to bring the 64-bit PAM libraries up to date first and then install the 32-bit ones. Run the command below, then run the pam.i686 install again.

yum upgrade libgcc.x86_64 pam.x86_64

yum install pam.i686
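A preflight script for the Splunk host that covers the dependency and connectivity prerequisites above. This is an added example, not code from the original post or from the Splunk add-on. It assumes the add-on's OPSEC client binaries are 32-bit ELF files (the reason the i686 glibc and PAM packages are needed on 64-bit CentOS), that the caller passes the path of such a binary and the Management Server address as arguments, and that the Management Server listens on the standard Check Point ports 18210 (SIC certificate pull) and 18184 (LEA).

```bash
#!/usr/bin/env bash
# Preflight checks for the Splunk host before pulling the SIC certificate.
# Added example, not code from the original post or the add-on.  Assumptions:
# the add-on's LEA binaries are 32-bit ELF (hence the i686 packages), the
# caller passes the binary path and the Management Server IP, and the server
# uses the standard Check Point ports 18210 (SIC pull) and 18184 (LEA).

# Print ELF32, ELF64 or NOT_ELF for file $1 by reading the ELF header:
# bytes 0-3 are the magic 7f 45 4c 46 and byte 4 (EI_CLASS) is 1 for
# 32-bit or 2 for 64-bit.
elf_class() {
  local f=$1 magic class
  [ -r "$f" ] || { echo NOT_ELF; return 0; }
  magic=$(od -An -tx1 -N4 "$f" 2>/dev/null | tr -d ' \n')
  if [ "$magic" != "7f454c46" ]; then echo NOT_ELF; return 0; fi
  class=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n')
  if   [ "$class" = 1 ]; then echo ELF32
  elif [ "$class" = 2 ]; then echo ELF64
  else echo NOT_ELF
  fi
}

# Print the yum packages needed for the ELF class given as $1.  A 32-bit
# binary on x86_64 needs the i686 C library and PAM; a native 64-bit binary
# needs only the 64-bit packages CentOS already ships.
required_packages() {
  case $1 in
    ELF32) echo "glibc.i686 pam.i686" ;;
    ELF64) echo "glibc.x86_64 pam.x86_64" ;;
    *)     echo "" ;;
  esac
}

# Install the 32-bit dependencies in the order the post found necessary:
# bring the 64-bit PAM and libgcc packages up to date first, otherwise
# pam.i686 fails to install.
install_deps() {
  yum -y upgrade libgcc.x86_64 pam.x86_64
  yum -y install glibc.i686 pam.i686
}

# Return 0 if TCP port $2 on host $1 accepts a connection within 3 seconds.
# Uses bash's /dev/tcp so nothing beyond bash and coreutils is required.
port_open() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Check that Management Server $1 is reachable on the SIC pull port (18210,
# used when the certificate is fetched) and the LEA port (18184, used by
# the log connection).  Return 1 if either is closed or filtered.
check_mgmt() {
  local rc=0 p
  for p in 18210 18184; do
    if port_open "$1" "$p"; then
      echo "tcp/$p on $1: open"
    else
      echo "tcp/$p on $1: closed or filtered"; rc=1
    fi
  done
  return $rc
}

main() {
  local bin=$1 mgmt=$2 cls
  cls=$(elf_class "$bin")
  echo "$bin is $cls; packages needed: $(required_packages "$cls")"
  [ "$cls" = ELF32 ] && install_deps
  check_mgmt "$mgmt"
}

# Usage: ./preflight.sh <path-to-lea-binary> <mgmt-server-ip>
if [ $# -eq 2 ]; then main "$@"; fi
```

Run it as root on the Splunk host with the add-on's LEA binary and the Management Server IP; a closed 18210 means the certificate pull in the next step will fail before SIC is even attempted, and a closed 18184 means the LEA connection configured later will never fetch events.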

Once these dependencies are installed, go to the /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin directory.

You should see the script there.

Run the command to pull the certificate from the Management Server, using the activation key set when SIC was initialized.



Once done, configure the connection on the Splunk server. Click the New Connection tab on the Check Point OPSEC LEA page.

Provide the connection name, the IP address of the Management/Log Server and the port number (the LEA port, TCP 18184 by default), and click Next.

Important: though not shown in the screenshot below, you may want to enable the No-Resolve Mode and Online Mode checkboxes. No-Resolve Mode skips resolving IP addresses to names, and Online Mode keeps fetching new records as they arrive, so searches run faster and the data is close to real time.


Select the certificate from the drop-down; this is the certificate pulled earlier. Click Next.


Provide the SIC Name and the Entity SIC Name copied earlier. The SIC Name is the SIC DN of the Splunk LEA OPSEC application created in SmartDashboard, and the Entity SIC Name is the SIC DN of the Management Server.


Click Next to complete the configuration. The connection should now appear in the list.


To verify that events are being fetched, go to Search & Reporting and check the number of events.


You can also filter the events with a keyword as shown below.


Please feel free to add any comments or suggestion you may have.

Author: Tausif Khaleel

NOTE: You may see many Check Point fields shown as confidential in Splunk search. By default the OPSEC application's LEA permission is set to "Hide all confidential log fields". To fix this, follow the steps below.

  1. Open SmartDashboard, open the Splunk OPSEC application object and click LEA Permissions.
    Change "Permission to read logs" to "Show all log fields".
  2. Install Database and push policy.
  3. Reboot the Check Point Management Server.
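A quick check for the confidential-field symptom described in the note above, added here as an example and not code from the original post or the add-on. It assumes the fetched events are available as pipe-delimited key=value records (a constructed layout; real field names and delimiters may differ) and that a hidden field arrives with the literal value "confidential". Running it over events exported before and after the LEA Permissions change shows whether the fix has taken effect.

```bash
#!/usr/bin/env sh
# Count redacted fields in LEA records read from stdin.  Added example, not
# code from the original post or the add-on.  Assumes the fetched events are
# pipe-delimited key=value records (a constructed layout, see SAMPLE below)
# and that a hidden field arrives with the literal value "confidential".
count_confidential() {
  awk -F'|' '
    { for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (tolower(kv[2]) == "confidential") n++
      } }
    END { printf "%d\n", n + 0 }'
}

# Print the distinct names of the redacted fields, one per line, so you can
# see which ones the "Hide all confidential log fields" permission removed.
redacted_fields() {
  awk -F'|' '
    { for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (tolower(kv[2]) == "confidential") print kv[1]
      } }' | sort -u
}

# Constructed sample records, not real Check Point output: two records with
# hidden fields (as seen with the default LEA permission) and one fully
# visible record (as seen after "Show all log fields").
SAMPLE='loc=101|time=18Dec2017 10:00:01|action=accept|orig=10.0.0.1|src=confidential|dst=confidential|service=https|rule=7
loc=102|time=18Dec2017 10:00:02|action=drop|orig=10.0.0.1|src=confidential|dst=192.0.2.10|service=ssh|rule=12
loc=103|time=18Dec2017 10:00:03|action=accept|orig=10.0.0.1|src=192.0.2.5|dst=198.51.100.7|service=dns|rule=3'

# Helpers that run the checks over SAMPLE.  Once the permission change,
# database install and policy push have taken effect, a fresh export should
# give a count of 0 and an empty field list.
sample_confidential_count() { printf '%s\n' "$SAMPLE" | count_confidential; }
sample_redacted_fields()    { printf '%s\n' "$SAMPLE" | redacted_fields | tr '\n' ' '; }

# Usage with a file of exported events:  count_confidential < events.txt
```

Because the comparison is case-insensitive and keyed on the field value rather than on a fixed list of names, the same two functions work whichever fields your Check Point version treats as confidential.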


5 Comments on "Integrate Splunk with Checkpoint Server"

Asim Khan

I'm not able to locate the directory from "Once these dependencies are installed, go to the /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin directory."
It shows everything installed but the folder is still missing.

Hi, I'm using Check Point R80 and I can't find where "Test SIC Status" is. After using ./ to pull the cert to Splunk successfully, I'm still not able to choose it when I add a new connection in Splunk. It shows this error: External handler failed with code '1' and output: 'REST ERROR[400]: Bad Request – Failed to fetch the certificate from server'. See splunkd.log for stderr output. When I checked splunkd.log I got this: 12-18-2017 03:40:32.678 +0700 ERROR ScriptRunner – stderr from '/opt/splunk/bin/python /opt/splunk/bin/ execute': File "/opt/splunk/lib/python2.7/site-packages/splunk/", line 130, in init 12-18-2017 03:40:32.678 +0700…
Ekta Siwani

Hi Quang,
I solved this issue by giving permissions to the LEA add-on folder. We have to give proper permissions to the "$SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea" application folder.

Sebastian Popa

Is the Splunk OPSEC application supposed to be able to receive only the URL filtering logs? In the Splunk application comments, somebody commented that the URL filtering logs are not accessible. Also I cannot get them when integrating for the first time:
With the previous version of OPSEC LEA, I could get logs from other security blades like "URL Filtering", "Application Control" and so on. Now I can only get logs from "IDS" and "Firewall". Any idea?


Hi Sebastian,
All kinds of logs are fetched by the LEA client into Splunk. You may have to check the configuration of the app in order to fix the issue.
This app is not tested with R80 and above versions.