Checkpoint OPSEC LEA client script

nickstone
Path Finder

Ok, it's late and it's been a fight up until this point, so please forgive me for missing something basic.

I have been following the instructions to integrate Check Point's OPSEC LEA logs into Splunk via the standard Splunk documentation. When I get to the Configuring LEA Client portion, the following error is generated on this script:

./opsec_pull_cert -h 1.1.1.1 -n SplunkLEA -p lameplaintextpw -o newcert.p12

(obviously not the real IP or password 😛)

-su: ./opsec_pull_cert: No such file or directory

and a similar error when I run through the connection wizard on the GUI:

/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/pull-cert.sh: line 7: ../opsec-tools/opsec_pull_cert: No such file or directory

If I run the same script with sudo, it appears to run without error; however, no cert is generated.

Any insight is much appreciated...


rebecque
New Member

For RedHat the package names would be glibc.i686 and pam.i686


Jason
Motivator

You're probably running Ubuntu/Debian 64-bit. The app requires 32-bit libraries, but the Splunk docs only tell you how to get them on Red Hat based systems. Try these to get the libraries below. Then you have to symlink a crusty old library (which thankfully the TA supplies) into /lib just to get the thing to run!

apt-get install libc6:i386 libpam0g:i386
ln -s /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/libcpc++-libc6.1-2.so.3 /lib/libcpc++-libc6.1-2.so.3

Evidently this has been causing issues for over 12 years, if that makes you feel any better. Thanks for the crap binary, checkpoint. https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
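The "No such file or directory" for a binary that ls plainly shows is the signature of a missing ELF program interpreter: on a 64-bit host without the i386 runtime, the kernel cannot find the 32-bit loader and exec fails with ENOENT, which the shell reports as the binary itself being absent. The following POSIX shell diagnostic is an added example, not part of the TA, Check Point's tools or any post in this thread; it reads the ELF class straight from the file header and checks for the loader at the standard x86 Linux paths, which are assumptions.

```shell
#!/bin/sh
# Added diagnostic for the "No such file or directory" seen above.
# Assumed loader paths are the usual ones on x86 Linux distributions.

# Print the ELF class of a file: 32, 64, or not-elf.
elf_class() {
    # Bytes 0-3 are the magic "\177ELF"; byte 4 (EI_CLASS) is 1=32-bit, 2=64-bit.
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo not-elf; return 0; }
    class=$(od -An -tx1 -j4 -N1 "$1" | tr -d ' \n')
    case "$class" in
        01) echo 32 ;;
        02) echo 64 ;;
        *)  echo not-elf ;;
    esac
}

# Dynamic loader each class needs (assumed x86 Linux paths).
loader_for_class() {
    case "$1" in
        32) echo /lib/ld-linux.so.2 ;;
        64) echo /lib64/ld-linux-x86-64.so.2 ;;
        *)  echo "" ;;
    esac
}

# Report the class of one binary and whether its loader is installed.
# Returns 0 if runnable, 1 if not ELF, 2 if the loader is missing.
diagnose() {
    cls=$(elf_class "$1")
    ldr=$(loader_for_class "$cls")
    if [ -z "$ldr" ]; then
        echo "$1: not an ELF executable"; return 1
    fi
    if [ -e "$ldr" ]; then
        echo "$1: ${cls}-bit, loader $ldr present"; return 0
    fi
    echo "$1: ${cls}-bit, loader $ldr MISSING -> exec fails with 'No such file or directory'"
    [ "$cls" = 32 ] && echo "  fix (Debian/Ubuntu): apt-get install libc6:i386 libpam0g:i386"
    return 2
}

# Constructed sample: a bare 32-bit ELF header (only the first 5 bytes are read).
sample=$(mktemp)
printf '\177ELF\001' > "$sample"
elf_class "$sample"   # prints 32
rm -f "$sample"
```

Run diagnose against the real opsec_pull_cert path to confirm whether the 32-bit loader is what is missing before installing packages.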

ejahnke
Explorer

As of today this answer was still needed, thanks.


araitz
Splunk Employee

Do you have your SPLUNK_ENV set? Have you logged in to Splunk?

$SPLUNK_HOME/bin/splunk login
$SPLUNK_HOME/bin/splunk cmd ./opsec_pull_cert

See the troubleshooting section of the docs as well:

http://docs.splunk.com/Documentation/OPSEC-LEA/latest/Install/Runlea-loggrabbermanually


dariusjs
New Member

Hi Nick,

What you seem to be doing is running the script from the location. Find out where that script is installed and then run it.

A nice thing is that if you install this on CentOS, you get the locate utility, which will find the script for you if your index is up to date. I am also trying to install this today but am having connectivity issues between the Splunk server and my checkpoints for now.

[root@centos-control linux22]# locate opsec_pull_cert
/opt/splunk/etc/apps/lea-loggrabber-splunk/opsec-tools/linux22/opsec_pull_cert
[root@centos-control linux22]# ./opsec_putkey -ssl -port 18184 10.1.1.1
Please enter secret key:
Please enter secret key again:

Failed to initialize authentication with 10.1.1.1

[root@centos-control linux22]#


nickstone
Path Finder

Ok, the 32-bit forwarder has helped and I am now stuck with "Failed to initialize authentication with..."

dariusjs, did you get any further on this?


nickstone
Path Finder

Sorry dariusjs,

I forgot to mention, I am already in the same directory as the script,
i.e.: root@spk01:/opt/splunk/etc/apps/lea-loggrabber-splunk/opsec-tools/linux22#

ls -a:
. .. opsec_pull_cert opsec_putkey
