All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

OPSEC lea_loggrabber connects but returns nothing?

gowen
Path Finder
‎07-18-2011 02:37 PM

We have two Splunk servers and two Check Point R71 management servers. One of the management servers is the standby management, but both act as log servers, as validated using 'tracker'.

Our first Splunk box grabs logs from the primary CPM, no problems.

I'm trying to configure the other Splunk box to grab logs from the secondary CPM. fwopsec.conf is configured appropriately, the opsec key is pulled down to the Splunk box, and lea_loggrabber is able to connect to the CPM without errors. However, it just doesn't get any logs. After opsec_mainloop gets called, there never is any callback to LeaRecordHandler, it just exits. LeaEndHandler things that it's at line 0 in the log (as per lea_get_record_pos) and writes that out to lea_log_rec_num.cache.

Has anyone experienced this sort of issue where lea_loggrabber connects properly, but thinks the log is empty even through other methods of looking tell us there is something in it?

Tags (2)
Reply

Chubbybunny
Splunk Employee
Splunk Employee
‎08-04-2011 11:03 PM

I recently came across a similar problem today only to find out my firewall ACL was rejecting access to port 18184 to the Checkpoint manager from the splunk forwarder. As a quick test, try using netcat to ensure the checkpoint auth_port is indeed accessible from the splunk server.
'nc -z IP 18184'
It took me a while to figure it out since the lea_loggrabber binary very much appeared to connect and wrote the cache file. I would expect it to error if communication was offline.

Reply

Chubbybunny
Splunk Employee
Splunk Employee
‎11-07-2011 06:24 PM

in addition, include OPSEC debugging on the lea client:

OPSEC_DEBUG_LEVEL=3; export OPSEC_DEBUG_LEVEL

./lea_loggrabber --lea-config-file ./lea.conf

0 Karma
Reply

Chubbybunny
Splunk Employee
Splunk Employee
‎11-04-2011 02:36 PM

Can you post a capture of the network traffic using (tcpdump -s0 -xX port 18184) and include a copy of your lea.conf ??

0 Karma
Reply

gowen
Path Finder
‎10-25-2011 08:28 AM

Thanks, but in our case that's not the problem. tcpdump on the splunk host clearly shows the TCP connection, including 3-way handshake and 20 or so packets of psh - ack back and forth before a proper close. Also, the firewall logs mark the connection as allowed.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...