Ok, it's late and it's been a fight up until this point, so please forgive me for missing something basic.
I have been following the instructions to integrate Check Point's OPSEC LEA logs into Splunk via the standard Splunk documentation. When I get to the Configuring LEA Client portion, the following error is generated on this script:
./opsec_pull_cert -h 1.1.1.1 -n SplunkLEA -p lameplaintextpw -o newcert.p12
(obviously not the real IP or password 😛 )
-su: ./opsec_pull_cert: No such file or directory
and a similar error when I run through the connection wizard on the GUI:
/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/pull-cert.sh: line 7: ../opsec-tools/opsec_pull_cert: No such file or directory
If I run the same script as sudo, it appears to run without error; however, there is no cert generated.
Any insight is much appreciated...
For Red Hat the package names would be glibc.i686 and pam.i686
You're probably running Ubuntu/Debian 64-bit. The app requires 32-bit libraries, but the Splunk docs only tell you how to get them on Red Hat based systems. Try these to get the libraries below. Then you have to symlink a crusty old library (which thankfully the TA supplies) into /lib just to get the thing to run!
apt-get install libc6:i386 libpam0g:i386
ln -s /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/libcpc++-libc6.1-2.so.3 /lib/libcpc++-libc6.1-2.so.3
Evidently this has been causing issues for over 12 years, if that makes you feel any better. Thanks for the crap binary, checkpoint. https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
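An added shell diagnostic (not from the Splunk docs or the TA) for the symptom in this thread: a binary that is clearly there but that the shell reports as "No such file or directory", which is what you get when the 32-bit dynamic loader named in the ELF header is the missing piece. The loader path /lib/ld-linux.so.2 and the package mapping in the comments are assumptions drawn from the packages named above.

```shell
#!/bin/sh
# Added example, not the TA's or Splunk's code. "No such file or directory" on an
# existing ELF binary means the loader it names is absent; on a 64-bit box that
# is the 32-bit loader (assumed to live at /lib/ld-linux.so.2, override via $2).

# elf_class FILE -> prints 32, 64 or none, by reading EI_CLASS (byte 5 of the header)
elf_class() {
    hdr=$(od -An -tx1 -N5 "$1" 2>/dev/null | tr -d ' \n')
    case "$hdr" in
        7f454c4601) echo 32 ;;
        7f454c4602) echo 64 ;;
        *)          echo none ;;
    esac
}

# diagnose FILE [LOADER32] -> prints not-found, not-executable, missing-32bit-loader or ok
diagnose() {
    loader=${2:-/lib/ld-linux.so.2}
    if [ ! -e "$1" ]; then
        echo not-found
    elif [ ! -x "$1" ]; then
        echo not-executable
    elif [ "$(elf_class "$1")" = 32 ] && [ ! -e "$loader" ]; then
        # remedy from the thread: apt-get install libc6:i386 libpam0g:i386 (Debian/Ubuntu)
        # or glibc.i686 pam.i686 (Red Hat), then the libcpc++ symlink into /lib
        echo missing-32bit-loader
    else
        echo ok
    fi
}

# Demo on a constructed file: a fake 32-bit ELF header, never a real binary.
tmp=$(mktemp) && printf '\177ELF\001\001\001' > "$tmp" && chmod +x "$tmp"
diagnose "$tmp" /nonexistent/ld-linux.so.2   # missing-32bit-loader
rm -f "$tmp"
```

Run it as `diagnose /opt/splunk/etc/apps/lea-loggrabber-splunk/opsec-tools/linux22/opsec_pull_cert` on the affected host; "ok" there means the failure lies elsewhere (permissions on the cert output path, for example), not in the 32-bit libraries.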
As of today this answer was still needed, thanks.
Do you have your SPLUNK_ENV set? Have you logged in to Splunk?
$SPLUNK_HOME/bin/splunk login
$SPLUNK_HOME/bin/splunk cmd ./opsec_pull_cert
See the troubleshooting section of the docs as well:
http://docs.splunk.com/Documentation/OPSEC-LEA/latest/Install/Runlea-loggrabbermanually
Hi Nick,
What you seem to be doing is running the script from the location. Find out where that script is installed and then run it.
A nice thing is that if you install this on CentOS you get the locate utility, which will find the script for you if your index is up to date. I am also trying to install this today but am having connectivity issues between the Splunk server and my Check Points for now.
[root@centos-control linux22]# locate opsec_pull_cert
/opt/splunk/etc/apps/lea-loggrabber-splunk/opsec-tools/linux22/opsec_pull_cert
[root@centos-control linux22]# ./opsec_putkey -ssl -port 18184 10.1.1.1
Please enter secret key:
Please enter secret key again:
Failed to initialize authentication with 10.1.1.1
[root@centos-control linux22]#
OK, the 32-bit forwarder has helped and I am now stuck with "Failed to initialize authentication with..."
dariusjs, did you get any further on this?
Sorry dariusjs,
I forgot to mention, I am already in the same directory as the script.
i.e.: root@spk01:/opt/splunk/etc/apps/lea-loggrabber-splunk/opsec-tools/linux22#
ls -a:
. .. opsec_pull_cert opsec_putkey