Hi all,
I want to install the Splunk Add-on for OPSEC-LEA to get data from the CheckPoint.
I'm running RHEL 6.4, Splunk version 6 and CheckPoint 75.4.
I have already got the certificate from the P-1, but it states "never connected".
I did some tcpdump and all my ports are open and listening on 18184, but there is no traffic coming in.
From my box (forwarder) I can telnet to the P-1 port.
What am I missing?
The CheckPoint side is fine.
I got this error:
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] Could not find info for ...opsec_shared_local_path...
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] Could not find info for ...opsec_sic_policy_file...
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] Could not find info for ...opsec_mt...
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] opsec_init: multithread safety is not initialized
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] cpprng_opsec_initialize: path is not initialized - will initialize
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] cpprng_opsec_initialize: full file name is ops_prng
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] fwprng_opsec_read_seed: could not get set out of file
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] fwprng_opsec_write_seed: could not get set out of file
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] fwrand_write_seed: Failed to write (opsec) seed.
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] opsec_file_set_initialized: could not get set out of file
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] cpprng_opsec_initialize: dev_urandom_poll returned -1
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] opsec_file_is_intialized: could not get set out of file
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] cpprng_opsec_initialize: seed init for opsec failed but file was created
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] opsec_init_sic: failed to initialize seed. Seed will be initialized later.
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] PM_policy_create: version 5301.
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] PM_policy_add_name_to_group: finished successfully.
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] PM_policy_set_local_names: () names. finished successfully.
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] PM_policy_create: finished successfully.
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] PM_policy_add_name_to_group: finished successfully.
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] PM_policy_set_local_names: (local_sic_name) names. finished successfully.
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] PM_policy_add_name_to_group: finished successfully.
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] PM_policy_set_local_names: (127.0.0.1) names. finished successfully.
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] PM_policy_add_name_to_group: finished successfully.
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] PM_policy_set_local_names: ("CN=Splunk_JJ,O=cma_Perimeter_Access..gk4wqs") names. finished successfully.
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] PM_apply_default_dn: ca_dn = [O=cma_Perimeter_Access..gk4wqs].
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] PM_apply_default_dn: calling PM_policy_DN_conversion ..
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] PM_apply_default_dn: finished successfully.
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] ckpSSLctx_New: prefs = 12
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] CkpRegDir: Environment variable CPDIR is not set.
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] GenerateGlobalEntry: Unable to get registry path
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] ckpSSLctx_New: prefs = 12
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] ckpSSLctx_New: prefs = 32
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] ckpSSLctx_New: prefs = 11
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] ckpSSLctx_New: prefs = 31
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] ckpSSLctx_New: prefs = 12
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] sslcaInitCP_Ex: using asym client without ca cert
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] ckpSSLctx_New: prefs = 12
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] ckpSSLctx_New: prefs = 12
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] sslcaInitCP_Ex: using asym client without ca cert
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] ckpSSLctx_New: prefs = 32
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] ckpSSLctx_New: prefs = 32
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] sslcaInitCP_Ex: using asym client without ca cert
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] ckpSSLctx_New: prefs = 11
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] ckpSSLctx_New: prefs = 11
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] sslcaInitCP_Ex: using asym client without ca cert
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] ckpSSLctx_New: prefs = 31
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] ckpSSLctx_New: prefs = 31
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] opsec_init_sic_id_internal: Added sic id (ctx id = 0)
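As an added example (not part of the original post and not code from the Splunk add-on), a small Python triage helper that parses debug lines of the shape shown above and separates setup complaints (unset CPDIR, PRNG seed failures, missing opsec_* settings) from normal progress messages. The `Entry` layout and the `PROBLEM_MARKERS` list are my own assumptions, drawn only from the messages visible in the posted log.

```python
import re
from collections import Counter, namedtuple

# Line shape produced by lea-loggrabber-debug.sh in the post above:
#   [ <pid> <tid>]@<host>[<day> <mon> <h:m:s>] <function>: <message>
LINE_RE = re.compile(r"^\[\s*(\d+)\s+(\d+)\]@(\S+?)\[([^\]]+)\]\s+(.*)$")
Entry = namedtuple("Entry", "pid tid host stamp message")

# Fragments that mark an environment/setup complaint rather than normal
# progress; each one occurs in the posted log (assumed list, not exhaustive).
PROBLEM_MARKERS = (
    "Could not find info", "is not set", "Unable to get",
    "could not get set out of file", "Failed to write",
    "failed to initialize", "returned -1",
)

def parse_line(line):
    """Return an Entry for a debug line, or None if it has another shape."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    pid, tid, host, stamp, msg = m.groups()
    return Entry(int(pid), int(tid), host, stamp, msg)

def function_of(message):
    """'opsec_init_sic: failed ...' -> 'opsec_init_sic'; '' when no prefix."""
    head, sep, _ = message.partition(":")
    return head.strip() if sep else ""

def is_problem(message):
    return any(marker in message for marker in PROBLEM_MARKERS)

def triage(lines):
    """Parse every recognisable line; return (all, problems, problems per function)."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    problems = [e for e in entries if is_problem(e.message)]
    return entries, problems, Counter(function_of(e.message) for e in problems)

# Sample input: a constructed subset of the lines from the log posted above.
SAMPLE = """\
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] Could not find info for ...opsec_shared_local_path...
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] cpprng_opsec_initialize: dev_urandom_poll returned -1
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] PM_policy_create: finished successfully.
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] CkpRegDir: Environment variable CPDIR is not set.
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr 2:17:49] opsec_init_sic_id_internal: Added sic id (ctx id = 0)
""".splitlines()
```

Running `triage` over the full debug.log gives a per-function count of complaints, which is a quicker way to see whether the environment (CPDIR, the PRNG seed file, the opsec_* settings) or the SIC handshake itself is what support should look at.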
Did you ensure that the CheckPoint policy was pushed all of the way?
Hi, yes, I already did it step by step but still found the error.
I want to show the ./lea-loggrabber-debug.sh debug.log, but to whom do I send it?
Since my support is very, very slow to respond to this problem.
Thank you
Did you go through this checklist step-by-step?
http://docs.splunk.com/Documentation/OPSEC-LEA/latest/Install/Checklist