All Apps and Add-ons

OPSEC lea_loggrabber connects but returns nothing?

gowen
Path Finder

We have two Splunk servers and two Check Point R71 management servers. One of the management servers is the standby management, but both act as log servers, as validated using 'tracker'.

Our first Splunk box grabs logs from the primary CPM, no problems.

I'm trying to configure the other Splunk box to grab logs from the secondary CPM. fwopsec.conf is configured appropriately, the opsec key is pulled down to the Splunk box, and lea_loggrabber is able to connect to the CPM without errors. However, it just doesn't get any logs. After opsec_mainloop gets called, there never is any callback to LeaRecordHandler, it just exits. LeaEndHandler things that it's at line 0 in the log (as per lea_get_record_pos) and writes that out to lea_log_rec_num.cache.

Has anyone experienced this sort of issue where lea_loggrabber connects properly, but thinks the log is empty even through other methods of looking tell us there is something in it?

Tags (2)

Chubbybunny
Splunk Employee
Splunk Employee

I recently came across a similar problem today only to find out my firewall ACL was rejecting access to port 18184 to the Checkpoint manager from the splunk forwarder. As a quick test, try using netcat to ensure the checkpoint auth_port is indeed accessible from the splunk server.
'nc -z IP 18184'
It took me a while to figure it out since the lea_loggrabber binary very much appeared to connect and wrote the cache file. I would expect it to error if communication was offline.

Chubbybunny
Splunk Employee
Splunk Employee

in addition, include OPSEC debugging on the lea client:

OPSEC_DEBUG_LEVEL=3; export OPSEC_DEBUG_LEVEL

./lea_loggrabber --lea-config-file ./lea.conf

0 Karma

Chubbybunny
Splunk Employee
Splunk Employee

Can you post a capture of the network traffic using (tcpdump -s0 -xX port 18184) and include a copy of your lea.conf ??

0 Karma

gowen
Path Finder

Thanks, but in our case that's not the problem. tcpdump on the splunk host clearly shows the TCP connection, including 3-way handshake and 20 or so packets of psh - ack back and forth before a proper close. Also, the firewall logs mark the connection as allowed.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...