Solved: Re: OPSEC-lea with Provider-1

afaraino · ‎04-12-2011

Hello everyone, Does someone make the OPSEC-LEA app work with Provider-1? The main difference here is that the logs are sent directly to the CLM, not to the CMA.

Thanks for your help.

Best Regards, Alex

afaraino · ‎04-13-2011

Found the answer myself. I could help so I'm posting it there : Here is how it works :

SIC is established with the CMA
"fw putkey ..." is done on the CLM. Furthermore, I replaced the port 18184 by "fw".

The command became :

opsec_putkey -ssl -port fw <Source IP address of CLM>

Finnally, here is my lea.conf :

opsec_sic_name "CN=SplunkLEA,O=cma-xxxx"
opsec_sslca_file /opt/splunk/etc/apps/lea-loggrabber-splunk/bin/opsec.p12 
lea_server ip <Source IP address of CLM>
lea_server auth_port 18184
lea_server auth_type ssl_opsec
lea_server opsec_entity_sic_name "CN=clm-xxxx"

View solution in original post

afaraino · ‎04-13-2011

Found the answer myself. I could help so I'm posting it there : Here is how it works :

SIC is established with the CMA
"fw putkey ..." is done on the CLM. Furthermore, I replaced the port 18184 by "fw".

The command became :

opsec_putkey -ssl -port fw <Source IP address of CLM>

Finnally, here is my lea.conf :

opsec_sic_name "CN=SplunkLEA,O=cma-xxxx"
opsec_sslca_file /opt/splunk/etc/apps/lea-loggrabber-splunk/bin/opsec.p12 
lea_server ip <Source IP address of CLM>
lea_server auth_port 18184
lea_server auth_type ssl_opsec
lea_server opsec_entity_sic_name "CN=clm-xxxx"

EricPartington · ‎04-22-2013

has anyone been able to get the 2.0 version of SPLUNK OPSEC LEA working with this same Checkpoint architecture ?

araitz · ‎04-09-2013

Note that this applies to versions of the Splunk/OPSEC LEA integration prior to version 2.0.0.

OPSEC-lea with Provider-1

Archived Metrics Now Available for APAC and EMEA realms

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!