
Splunk Add On OPSEC-LEA on RHEL 6.4

Gatorz
Engager

Hi all,

I want to install the Splunk add-on OPSEC-LEA to get data from the CheckPoint.
I'm running on RHEL 6.4, my Splunk version is 6, and CheckPoint 75.4.

I've already got the certificate from the P-1, but it states "never connected".
I did some tcpdump and all my ports are open and listening on 18184, but there is no traffic coming in.
From my box (forwarder) I can telnet to the P-1 port.

What am I missing?


Gatorz
Engager

Checkpoint side is fine.

I got this error:

[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] Could not find info for ...opsec_shared_local_path...
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] Could not find info for ...opsec_sic_policy_file...
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] Could not find info for ...opsec_mt...
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] opsec_init: multithread safety is not initialized
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] cpprng_opsec_initialize: path is not initialized - will initialize
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] cpprng_opsec_initialize: full file name is ops_prng
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] fwprng_opsec_read_seed: could not get set out of file
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] fwprng_opsec_write_seed: could not get set out of file
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] fwrand_write_seed: Failed to write (opsec) seed.
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] opsec_file_set_initialized: could not get set out of file
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] cpprng_opsec_initialize: dev_urandom_poll returned -1
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] opsec_file_is_intialized: could not get set out of file
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] cpprng_opsec_initialize: seed init for opsec failed but file was created
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] opsec_init_sic: failed to initialize seed. Seed will be initialized later.
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] PM_policy_create: version 5301.
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] PM_policy_add_name_to_group: finished successfully.
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] PM_policy_set_local_names: () names. finished successfully.
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] PM_policy_create: finished successfully.
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] PM_policy_add_name_to_group: finished successfully.
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] PM_policy_set_local_names: (local_sic_name) names. finished successfully.
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] PM_policy_add_name_to_group: finished successfully.
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] PM_policy_set_local_names: (127.0.0.1) names. finished successfully.
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] PM_policy_add_name_to_group: finished successfully.
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] PM_policy_set_local_names: ("CN=Splunk_JJ,O=cma_Perimeter_Access..gk4wqs") names. finished successfully.
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] PM_apply_default_dn: ca_dn = [O=cma_Perimeter_Access..gk4wqs].
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] PM_apply_default_dn: calling PM_policy_DN_conversion ..
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] PM_apply_default_dn: finished successfully.
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] ckpSSLctx_New: prefs = 12
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] CkpRegDir: Environment variable CPDIR is not set.
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] GenerateGlobalEntry: Unable to get registry path
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] ckpSSLctx_New: prefs = 12
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] ckpSSLctx_New: prefs = 32
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] ckpSSLctx_New: prefs = 11
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] ckpSSLctx_New: prefs = 31
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] ckpSSLctx_New: prefs = 12
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] sslcaInitCP_Ex: using asym client without ca cert
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] ckpSSLctx_New: prefs = 12
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] ckpSSLctx_New: prefs = 12
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] sslcaInitCP_Ex: using asym client without ca cert
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] ckpSSLctx_New: prefs = 32
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] ckpSSLctx_New: prefs = 32
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] sslcaInitCP_Ex: using asym client without ca cert
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] ckpSSLctx_New: prefs = 11
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] ckpSSLctx_New: prefs = 11
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] sslcaInitCP_Ex: using asym client without ca cert
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] ckpSSLctx_New: prefs = 31
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] ckpSSLctx_New: prefs = 31
[ 9642 4151474992]@dcosplunkpforwarderbsd[23 Apr  2:17:49] opsec_init_sic_id_internal: Added sic id (ctx id = 0)
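The debug output posted above contains a handful of repeatable failure signatures (settings the library says it "Could not find info for", the seed file it "could not get set out of file", and "Environment variable CPDIR is not set" followed by "Unable to get registry path"). The script below is an added example, not part of the thread or of the Splunk add-on: it triages a lea-loggrabber debug log for exactly those signatures so the missing prerequisites can be listed before opening a support case. The sample log it writes is constructed to mirror the posted lines (with a placeholder hostname), and the function names and the log path argument are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): triage an OPSEC LEA debug log for the
# failure signatures seen in the post. Function names are assumed, not the
# add-on's own. Usage: ./lea-triage.sh /path/to/debug.log

# Write a constructed sample log that mirrors the posted lines (hostname is a placeholder).
write_sample_log() {
    cat > "$1" <<'EOF'
[ 9642 4151474992]@host[23 Apr  2:17:49] Could not find info for ...opsec_shared_local_path...
[ 9642 4151474992]@host[23 Apr  2:17:49] Could not find info for ...opsec_sic_policy_file...
[ 9642 4151474992]@host[23 Apr  2:17:49] Could not find info for ...opsec_mt...
[ 9642 4151474992]@host[23 Apr  2:17:49] fwprng_opsec_read_seed: could not get set out of file
[ 9642 4151474992]@host[23 Apr  2:17:49] cpprng_opsec_initialize: dev_urandom_poll returned -1
[ 9642 4151474992]@host[23 Apr  2:17:49] CkpRegDir: Environment variable CPDIR is not set.
[ 9642 4151474992]@host[23 Apr  2:17:49] GenerateGlobalEntry: Unable to get registry path
[ 9642 4151474992]@host[23 Apr  2:17:49] opsec_init_sic_id_internal: Added sic id (ctx id = 0)
EOF
}

# Scan a debug log; print one finding per signature and return 1 if any was found.
check_lea_log() {
    log="$1"
    status=0

    if grep -q 'Could not find info for' "$log"; then
        # Pull the setting names out of the "...name..." markers, de-duplicated.
        names=$(grep -o '\.\.\.[a-z_]*\.\.\.' "$log" | tr -d . | sort -u | tr '\n' ' ')
        echo "opsec settings the library could not resolve: $names"
        status=1
    fi

    if grep -q 'could not get set out of file' "$log"; then
        echo "PRNG seed file could not be read or written (check the add-on working directory and its permissions)"
        status=1
    fi

    if grep -q 'Environment variable CPDIR is not set' "$log"; then
        echo "CPDIR is not set, so the library reports it cannot resolve its registry path"
        status=1
    fi

    return $status
}

# Run against a real log when a path is given on the command line.
if [ -n "${1:-}" ]; then
    check_lea_log "$1"
fi
```

A clean log produces no output and exit status 0, so the script can be wrapped in a cron or pre-flight check; each reported line names a distinct prerequisite rather than echoing the raw log back.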

w531t4
Path Finder

Did you ensure that the Checkpoint policy was pushed all of the way?


Gatorz
Engager

Hi. Yes, I already did it step by step, but still found the error.

I want to show the ./lea-loggrabber-debug.sh debug.log, but to whom do I send it?

My support is very, very slow to respond to this problem.

Thank you.


araitz
Splunk Employee

Did you go through this checklist step-by-step?

http://docs.splunk.com/Documentation/OPSEC-LEA/latest/Install/Checklist
