Splunk Add-on for Check Point LEA OPSEC Linux: Logs are getting indexed, but why am I getting no results from searches?

rafaelqueiroz
Explorer

Hello, I am using the Add-on for Check Point OPSEC LEA Linux, but I'm having problems searching the indexed logs in Splunk. The data is indexed, and the license and indexing report is showing activity, but when searching this data I cannot get results.

I'm seeing the following errors in Splunk:

10-30-2014 14:57:19,532 ERROR -0200 ExecProcessor - message from "/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity SplunkLEA" /bin/sh: /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh: No such file or directory

10-30-2014 14:57:19,532 ERROR -0200 ExecProcessor - message from "/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity SplunkLEA" /bin/sh: /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh: No such file or directory

10-31-2014 09:20:49,216 ERROR -0200 ExecProcessor - message from "/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity SplunkLEA" sh: ![CDATA[1386266990@SplunkLEA: No such file or directory

The variable $SPLUNK_HOME is working properly.

tskinnerivsec
Contributor

If this scripted input isn't working, then the data in question is not in index = checkpoint_lea, so it is not indexed yet. Is the certificate from the Check Point management station in the path ./certs and named SplunkLEA.p12? Can you test network communication on port 18185 between the Splunk server and the management station? You should be able to look on the Check Point management station and verify that you see successful logons from Splunk. You need to verify that you have the correct opsec_entity_sic_name and opsec_sic_name. I remember there being some library dependencies that the script required as well. You can manually run the script from the operating system of the Splunk server to verify that it operates correctly. You should also verify whether the /etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh file exists, because that is what this error is complaining about.

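A small diagnostic script that walks through the checks listed in the answer above: the scripted-input file exists, the certificate referenced by opsec_sslca_file resolves, both SIC names are set, and the LEA port accepts a TCP connection. This is an added example, not part of the add-on or of the thread; it assumes the app path and the SplunkLEA entity name from the thread, and it assumes the opsec_sslca_file value is relative to the add-on's bin/ directory (the thread shows ../certs/SplunkLEA.p12).

```shell
#!/bin/sh
# Added diagnostic for the checks above; not part of the add-on.
# Assumptions: app path and entity name as in the thread, and the
# opsec_sslca_file value is taken to be relative to the app's bin/ directory.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
APP_DIR="$SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22"
ENTITY="${1:-SplunkLEA}"

# conf_value FILE STANZA KEY -> prints the value of "KEY = value" under [STANZA]
conf_value() {
    awk -v stanza="[$2]" -v key="$3" '
        $0 == stanza { in_stanza = 1; next }
        /^\[/        { in_stanza = 0 }
        in_stanza && $1 == key && $2 == "=" { sub(/^[^=]*= */, ""); print; exit }
    ' "$1"
}

# path_status PATH -> "ok" if the path exists, otherwise "MISSING"
path_status() {
    if [ -e "$1" ]; then echo ok; else echo MISSING; fi
}

# port_status HOST PORT -> plain TCP connect test; no OPSEC/SIC handshake
port_status() {
    if command -v nc >/dev/null 2>&1 && nc -z -w 5 "$1" "$2" 2>/dev/null; then
        echo reachable
    else
        echo unreachable
    fi
}

run_checks() {
    conf="$APP_DIR/local/opsec.conf"
    script="$APP_DIR/bin/lea-loggrabber.sh"
    cert=$(conf_value "$conf" "$ENTITY" opsec_sslca_file)
    ip=$(conf_value "$conf" "$ENTITY" lea_server_ip)
    port=$(conf_value "$conf" "$ENTITY" lea_server_auth_port)
    echo "script     $script: $(path_status "$script")"
    if [ -n "$cert" ]; then
        echo "cert       $cert: $(path_status "$APP_DIR/bin/$cert")"
    else
        echo "cert       opsec_sslca_file not set in [$ENTITY]"
    fi
    echo "entity SIC ${ENTITY}: $(conf_value "$conf" "$ENTITY" opsec_entity_sic_name)"
    echo "client SIC ${ENTITY}: $(conf_value "$conf" "$ENTITY" opsec_sic_name)"
    echo "LEA port   $ip:${port:-18185}: $(port_status "$ip" "${port:-18185}")"
}

if [ -d "$APP_DIR" ]; then run_checks; else echo "not found: $APP_DIR" >&2; fi
```

Run it as the same OS user that runs splunkd so that file permissions are tested as the scripted input sees them.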

Chubbybunny
Splunk Employee

Perhaps an issue with the script or conf settings.

Can you post the contents of $SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/local/inputs.conf and $SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/local/opsec.conf?

rafaelqueiroz
Explorer

]# cat $SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/local/inputs.conf
[script:///opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity SplunkLEA]
disabled = 0
interval = 30
passAuth = splunk-system-user
sourcetype = opsec
index = checkpoint_lea

cat /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/local/opsec.conf
[SplunkLEA]
collect_audit = 0
fw_version = 75.4
is_disabled = 0
lea_server_auth_port = 18185
lea_server_auth_type = sslca
lea_server_ip = x.x.x.x
no_resolve = 1
opsec_entity_sic_name = cn=cp_mgmt,o=EGFWD01..zmib56
opsec_sic_name = CN=SplunkLEA,O=EGFWD01..zmib56
opsec_sslca_file = ../certs/SplunkLEA.p12
disabled = 0


Chubbybunny
Splunk Employee

Both appear to be properly configured. Please open a Support case and provide a diag for further analysis.
