I have a problem, and I hope that you can help me, please:
I'm installing the Splunk Add-on for Check Point OPSEC LEA, and I can't set up lea_loggrabber:
I'm using CentOS 7.1, and I have only one machine with Splunk.
I have attached the output file in this message.
I'll be very grateful for any help.
Regards
./lea-loggrabber-debug.sh
Using Splunk instance: /opt/splunk, app name Splunk_TA_opseclea_linux22
Splunk username: admin
Password:
DEBUG: LOGGRABBER configuration file is: /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/fw1-loggrabber.conf
DEBUG: function logging_init_env
DEBUG: function open_screen
DEBUG: Open connection to screen.
DEBUG: Logfilename : fw.log
DEBUG: Record Separator : |
DEBUG: Resolve Addresses: No
DEBUG: Show Filenames : No
DEBUG: FW1-2000 : No
DEBUG: Online-Mode : No
DEBUG: Audit-Log : No
DEBUG: Show Fieldnames : Yes
DEBUG: function get_fw1_logfiles
splunk internal call command: $SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/
splunk output: QUERYING: 'https://127.0.0.1:8089/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/'
HTTP Status: 200.
Content:
<?xml version="1.0" encoding="UTF-8"?>
<!--This is to override browser formatting; see server.conf[httpServer] to disable.-->
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title></title>
<id>https://127.0.0.1:8089/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf</id>
<updated>2015-08-14T13:31:37-03:00</updated>
<generator build="271043" version="6.2.4"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/_new" rel="create"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>CheckPoint_Internet</title>
<id>https://127.0.0.1:8089/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/CheckPoint_Internet</id>
<updated>2015-08-14T13:31:37-03:00</updated>
<link href="/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/CheckPoint_Internet" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/CheckPoint_Internet" rel="list"/>
<link href="/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/CheckPoint_Internet" rel="edit"/>
<link href="/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/CheckPoint_Internet" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">Splunk_TA_opseclea_linux22</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">admin</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="eai:appName">Splunk_TA_opseclea_linux22</s:key>
<s:key name="eai:userName">nobody</s:key>
<s:key name="fw_version">77</s:key>
<s:key name="is_disabled">0</s:key>
<s:key name="lea_server_auth_port">18184</s:key>
<s:key name="lea_server_auth_type">sslca</s:key>
<s:key name="lea_server_ip">10.1.4.41</s:key>
<s:key name="mode">fw</s:key>
<s:key name="no_resolve">1</s:key>
<s:key name="online_mode">1</s:key>
<s:key name="opsec_entity_sic_name">CN=SensorSplunk,0=mngt-blackhole..rq9q26</s:key>
<s:key name="opsec_sic_name">cn=cp_mgmt,o=mngt-blackhole..rq9q26</s:key>
<s:key name="opsec_sslca_file">../certs/newFile.p12</s:key>
</s:dict>
</content>
</entry>
</feed>
mode: fw
addFilter: product=VPN-1 & FireWall-1
DEBUG: function string_duplicate
-v opsec_sic_name cn=cp_mgmt,o=mngt-xxx26-v opsec_sslca_file ../certs/newFile.p12 -v lea_server ip 10.1.4.41 -v lea_server auth_port 18184 -v lea_server auth_type sslca -v lea_server opsec_entity_sic_name CN=SensorSplunk,0=mngt-xxx26
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] Env Configuration:
(
:type (opsec_info)
:lea_server (
:opsec_entity_sic_name ("CN=SensorSplunk,0=mngt-blackhole..rq9q26")
:auth_type (sslca)
:auth_port (18184)
:ip (10.1.4.41)
)
:opsec_sslca_file ("../certs/newFile.p12")
:opsec_sic_name ("cn=cp_mgmt,o=mngt-blackhole..rq9q26")
)
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] Could not find info for ...opsec_shared_local_path...
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] Could not find info for ...opsec_sic_policy_file...
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] Could not find info for ...opsec_mt...
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_init: multithread safety is not initialized
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] cpprng_opsec_initialize: path is not initialized - will initialize
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] cpprng_opsec_initialize: full file name is ops_prng
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] cpprng_opsec_initialize: dev_urandom_poll returned 0
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_file_is_intialized: seed is initialized
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] cpprng_opsec_initialize: seed init for opsec succeeded
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_policy_create: version 5301.
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_policy_add_name_to_group: finished successfully.
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_policy_set_local_names: () names. finished successfully.
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_policy_create: finished successfully.
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_policy_add_name_to_group: finished successfully.
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_policy_set_local_names: (local_sic_name) names. finished successfully.
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_policy_add_name_to_group: finished successfully.
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_policy_set_local_names: (127.0.0.1) names. finished successfully.
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_policy_add_name_to_group: finished successfully.
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_policy_set_local_names: ("cn=cp_mgmt,o=mngt-blackhole..rq9q26") names. finished successfully.
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_apply_default_dn: ca_dn = [O=mngt-blackhole..rq9q26].
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_apply_default_dn: calling PM_policy_DN_conversion ..
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_apply_default_dn: finished successfully.
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] sslcaInitCP_Ex: failed to create keyholder
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_init_sslca: no key holder - symmetric SSLCA not started
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] sslcaInitCP_Ex: using asym client without ca cert
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] ckpSSLctx_New: prefs = 12
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] CkpRegDir: Environment variable CPDIR is not set.
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] GenerateGlobalEntry: Unable to get registry path
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] sslcaInitCP_Ex: using asym client without ca cert
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] ckpSSLctx_New: prefs = 32
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] sslcaInitCP_Ex: using asym client without ca cert
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] ckpSSLctx_New: prefs = 11
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] sslcaInitCP_Ex: using asym client without ca cert
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] ckpSSLctx_New: prefs = 31
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_init_sic_id_internal: Added sic id (ctx id = 0)
DEBUG: OPSEC LEA conf file is lea.conf
DEBUG: Authentication mode has been used.
DEBUG: Server-IP : 10.1.4.41
DEBUG: Server-Port : 18184
DEBUG: Authentication type: sslca
DEBUG: OPSEC sic certificate file name : ../certs/newFile.p12
DEBUG: Server DN (sic name) : CN=SensorSplunk,0=mngt-blackhole..rq9q26
DEBUG: OPSEC LEA client DN (sic name) : cn=cp_mgmt,o=mngt-blackhole..rq9q26
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_init_entity_sic: called for the client side
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] Configuring entity lea_server
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] Could not find info for ...conn_buf_size...
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] Could not find info for ...no_nagle...
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] Could not find info for ...port...
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_entity_add_sic_rule: adding rules: apply_to: ME, peer: CN=SensorSplunk,0=mngt-blackhole..rq9q26, d_ip: NULL, dport 18184, svc: lea, method: sslca
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_entity_add_sic_rule: adding INBOUND rule
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_entity_add_sic_rule: adding OUTBOUND rule
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] fwDN_add_CN: new dn is illegal
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_get_comm: creating comm for ent=8cf3e68 peer=8ceae48 passive=0 key=2 info=0
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] c=0x8cf3e68 s=0x8ceae48 comm_type=4
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] Could not find info for ...opsec_client...
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_get_comm: Creating session hash (size=256)
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_get_comm: ADDING comm=0x8cf6968 to ent=0x8cf3e68 with key=2
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_env_get_context_id_by_peer_sic_name: illegal DN of sic name: CN=SensorSplunk,0=mngt-blackhole..rq9q26
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] OPSEC_SET_ERRNO: err = 4 Argument is NULL or lacks some data (pre = 0)
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_sic_connect: failed to get context id for connection
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_get_comm: error in opsec_sic_connect
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] destroying comm 0x8cf6968
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] Destroying comm 0x8cf6968 with 0 active sessions
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] pulling dgtype=ffffffff len=-1 to list=0x8cf6984
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] REMOVING comm=0x8cf6968 from ent=0x8cf3e68 with key=2
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] Unable to make session
ERROR: failed to create session (Argument is NULL or lacks some data)
DEBUG: function cleanup_fw1_environment
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] Destroying entity 1 with 0 active comms
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_destroy_entity_sic: deleting sic rules for entity 0x8cf3e68
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] Destroying entity 2 with 0 active comms
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_destroy_entity_sic: deleting sic rules for entity 0x8ceae48
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] IpcUnMapFile: unmapping file (handle=0x8cea748)
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] IpcUnMapFile: unmapping file (handle=0x8cea7f8)
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] IpcUnMapFile: unmapping file (handle=0x8cea8a8)
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] IpcUnMapFile: unmapping file (handle=0x8cea948)
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] IpcUnMapFile: unmapping file (handle=0x8cea9c8)
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_policy_destroy: finished successfully.
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_destroy_sic_id_internal: Destroyed sic id (ctx id=0)
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_env_destroy_sic_id_hash: Destroyed sic id hash
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] fwd_env_destroy: env 0x8ccdfa0 (alloced = 1)
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] T_env_destroy: env 0x8ccdfa0
[ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] do_fwd_env_destroy: really destroy 0x8ccdfa0
DEBUG: function exit_loggrabber
DEBUG: function free_lfield_arrays
DEBUG: function free_afield_arrays
DEBUG: function free_lfield_arrays
DEBUG: function free_afield_arrays
Just guessing, but did you install the 32-bit libraries mentioned here? http://docs.splunk.com/Documentation/OPSEC-LEA/3.1.0/Install/Systemrequirements
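The debug output in the question logs `fwDN_add_CN: new dn is illegal` and `illegal DN of sic name` just before the session fails. As an added example (not part of the original thread, and not Splunk or Check Point code), the following Python script pulls the SIC names out of such output and checks each attribute type against the RFC 4514 grammar. Whether the OPSEC library's own DN parser applies the same rule is an assumption.

```python
import re

# Lines copied from the debug output in the question (timestamps trimmed).
SAMPLE_LOG = """\
:opsec_entity_sic_name ("CN=SensorSplunk,0=mngt-blackhole..rq9q26")
:opsec_sic_name ("cn=cp_mgmt,o=mngt-blackhole..rq9q26")
fwDN_add_CN: new dn is illegal
opsec_env_get_context_id_by_peer_sic_name: illegal DN of sic name: CN=SensorSplunk,0=mngt-blackhole..rq9q26
ERROR: failed to create session (Argument is NULL or lacks some data)
"""

# RFC 4514 attribute type: a descriptor (letter first) or a dotted numeric OID.
# Assumption: the OPSEC library may apply a different rule.
ATTR_TYPE = re.compile(r"[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+")
# Settings in the "Env Configuration" dump that carry a DN.
DN_SETTING = re.compile(r':(opsec_entity_sic_name|opsec_sic_name) \("([^"]*)"\)')
# Message the OPSEC library prints when it rejects a DN.
DN_REJECTED = re.compile(r"illegal DN of sic name: (\S+)")


def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]


def check_dn(dn):
    """Return a list of problems found in the DN's components."""
    problems = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        attr = attr.strip()
        if not sep:
            problems.append(f"{rdn!r}: missing '='")
        elif not ATTR_TYPE.fullmatch(attr):
            # A lone digit is neither a descriptor nor a dotted OID.
            hint = " (digit zero, letter O intended?)" if attr == "0" else ""
            problems.append(f"{rdn!r}: invalid attribute type {attr!r}{hint}")
        elif not value:
            problems.append(f"{rdn!r}: empty value")
    return problems


def triage(log_text):
    """Map each configured SIC name to its problems and list rejected DNs."""
    settings = {name: check_dn(dn) for name, dn in DN_SETTING.findall(log_text)}
    rejected = sorted(set(DN_REJECTED.findall(log_text)))
    return {"settings": settings, "rejected_by_library": rejected}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for name, problems in report["settings"].items():
        print(name, "->", problems or "ok")
    print("rejected by library:", report["rejected_by_library"])
```

On the lines from the question, `opsec_entity_sic_name` is flagged because its second attribute type is the digit `0`, while `opsec_sic_name` uses the letter `o` and passes.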