Solved: Splunk Add-on for Check Point OPSEC LEA Linux: Why...

rodrigorsilva · ‎03-05-2015

Hello everyone,

I'm trying to set up a manage CheckPoint OPSEC performed using the procedure as the documentation:

This time to run tests with the add-on:

/opt/splunk/bin/splunk cmd /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber-debug.sh

I get the following message:

DEBUG: OPSEC_SESSION_END_HANDLER called
ERROR: SIC ERROR 119 - SIC Error for lea: Client could not choose an authentication method for service lea

Would anyone have a clue what I might be missing?

Thanks to all

Rodrigo Ribeiro

Chubbybunny · ‎03-05-2015

can you post your opsec_entity_sic_name and opsec_sic_name details in opsec.conf?
SIC 119 is generally caused by misconfigured settings in this file.

Chubbybunny · ‎03-05-2015

can you post your opsec_entity_sic_name and opsec_sic_name details in opsec.conf?
SIC 119 is generally caused by misconfigured settings in this file.

rodrigorsilva · ‎03-05-2015

It worked, the file you indicated has a parameter:

opsec_sslca_file = ../certs/SplunkLEA.p12

When I ran the push the files were stored in:

/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/opsec-tools

Basically moved the files to the location pointed to:

[root@LABO2 opsec-tools]# pwd
/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/opsec-tools
[root@LABO2 opsec-tools]# cp *.p12 ../certs/

In a way your tip led me to the exact point, thank you.

Rodrigo Ribeiro

Splunk Add-on for Check Point OPSEC LEA Linux: Why am I getting error "Client could not choose an authentication method for service lea"?