Hello, I am using the Add-on for Check Point OPSEC LEA for Linux, but I'm having problems searching the indexed logs in Splunk. The data is indexed, and the license and indexing report show activity, but when I search this data I cannot get results.
I'm seeing the following errors in Splunk:
10-30-2014 14:57:19.532 -0200 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity SplunkLEA" /bin/sh: /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh: No such file or directory
10-30-2014 14:57:19.532 -0200 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity SplunkLEA" /bin/sh: /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh: No such file or directory
10-31-2014 09:20:49.216 -0200 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity SplunkLEA" sh: 1386266990@SplunkLEA: No such file or directory
The variable $SPLUNK_HOME is set correctly.
If this scripted input isn't working, then the data in question is not in index=checkpoint_lea, so it is not indexed yet. Is the certificate from the Check Point management station in the path ./certs and named SplunkLEA.p12? Can you test network communication on port 18185 between the Splunk server and the management station? You should be able to look on the Check Point management station and verify that you see successful logons from Splunk. You need to verify that you have the correct opsec_entity_sic_name and opsec_sic_name. I remember there being some library dependencies that the script required as well. You can manually run the script from the operating system of the Splunk server to verify that it operates correctly. You should also verify whether the /etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh file exists, because that is what this error is complaining about.
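The local checks in the answer above (script present and executable, certificate where opsec_sslca_file points, unresolved shared libraries, TCP reachability of the LEA port), collected into one pre-flight script. This is an added example, not code from the thread or from the Splunk add-on. It assumes the default app path under /opt/splunk, reads lea_server_ip, lea_server_auth_port and opsec_sslca_file from the entity stanza of local/opsec.conf, and resolves the relative opsec_sslca_file path against the app's bin/ directory on the assumption that the scripted input runs from there. The function names are the example's own. The SIC-name check and the logon check on the management station cannot be scripted from the Splunk host and are still done by hand.

```shell
#!/bin/sh
# lea_preflight.sh: added example, not part of the Splunk_TA_opseclea_linux22 add-on.
# Usage: sh lea_preflight.sh run   (APP and ENTITY can be overridden in the environment)
APP="${APP:-/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22}"
ENTITY="${ENTITY:-SplunkLEA}"

# conf_get FILE STANZA KEY: print the value of "KEY = value" inside [STANZA].
conf_get() {
    awk -v s="[$2]" -v k="$3" '
        $0 == s { in_s = 1; next }
        /^\[/   { in_s = 0 }
        in_s && $1 == k && $2 == "=" { print $3; exit }
    ' "$1"
}

# 1. The file ExecProcessor is complaining about must exist and be executable.
check_script() {
    s="$1/bin/lea-loggrabber.sh"
    [ -f "$s" ] || { echo "MISSING script: $s"; return 1; }
    [ -x "$s" ] || { echo "NOT EXECUTABLE: $s (chmod +x it)"; return 1; }
    echo "ok: $s"
}

# 2. opsec_sslca_file is relative (../certs/<entity>.p12); assumed relative to bin/,
#    so the certificate must be at <app>/certs/<entity>.p12.
check_cert() {
    rel=$(conf_get "$1/local/opsec.conf" "$2" opsec_sslca_file)
    [ -n "$rel" ] || { echo "no opsec_sslca_file in [$2]"; return 1; }
    c="$1/bin/$rel"
    [ -s "$c" ] || { echo "MISSING or empty cert: $c"; return 1; }
    echo "ok: cert $c"
}

# 3. Library dependencies: any binary in bin/ with a "not found" line from ldd.
check_libs() {
    rc=0
    for f in "$1"/bin/*; do
        [ -f "$f" ] || continue
        if ldd "$f" 2>/dev/null | grep -q 'not found'; then
            echo "MISSING shared libraries for $f:"
            ldd "$f" 2>/dev/null | grep 'not found'
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "ok: no unresolved shared libraries in $1/bin"
    return "$rc"
}

# 4. TCP reachability of the LEA auth port (18185 by default); needs netcat.
check_port() {
    command -v nc >/dev/null 2>&1 || { echo "nc not installed; skipping port test"; return 2; }
    if nc -z -w 5 "$1" "$2"; then
        echo "ok: $1:$2 reachable"
    else
        echo "CANNOT reach $1:$2 (firewall or OPSEC rule on the management station?)"
        return 1
    fi
}

main() {
    rc=0
    check_script "$APP" || rc=1
    check_cert "$APP" "$ENTITY" || rc=1
    check_libs "$APP" || rc=1
    ip=$(conf_get "$APP/local/opsec.conf" "$ENTITY" lea_server_ip)
    port=$(conf_get "$APP/local/opsec.conf" "$ENTITY" lea_server_auth_port)
    if [ -n "$ip" ]; then
        check_port "$ip" "${port:-18185}" || rc=1
    else
        echo "no lea_server_ip in [$ENTITY]"; rc=1
    fi
    return "$rc"
}

if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as the user Splunk runs as (the passAuth user is not the OS user), since a certificate readable by root but not by the splunk user fails the same way. A non-zero exit points at the check that failed; if everything passes and the input still produces nothing, the remaining suspects are the SIC names and the OPSEC application definition on the management station.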
Perhaps an issue with the script or conf settings. Can you post the contents of $SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/local/inputs.conf and $SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/local/opsec.conf?
# cat $SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/local/inputs.conf
[script:///opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity SplunkLEA]
disabled = 0
interval = 30
passAuth = splunk-system-user
sourcetype = opsec
index = checkpoint_lea
# cat /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/local/opsec.conf
[SplunkLEA]
collect_audit = 0
fw_version = 75.4
is_disabled = 0
lea_server_auth_port = 18185
lea_server_auth_type = sslca
lea_server_ip = x.x.x.x
no_resolve = 1
opsec_entity_sic_name = cn=cp_mgmt,o=EGFWD01..zmib56
opsec_sic_name = CN=SplunkLEA,O=EGFWD01..zmib56
opsec_sslca_file = ../certs/SplunkLEA.p12
disabled = 0
Both appear to be properly configured. Please open a Support case and provide a diag for further analysis.