
Splunk Add-on for Check Point OPSEC LEA: Why am I unable to set up lea_loggrabber?

rubeniturrieta

I have a problem, and I hope that you can help me, please:

I'm installing the Splunk Add-on for Check Point OPSEC LEA, and I can't set up lea_loggrabber:

I'm using CentOS 7.1, and I have only one machine with Splunk.

I have attached the output file in this message.

I'll be very grateful for any help.

Regards

    ./lea-loggrabber-debug.sh
    Using Splunk instance: /opt/splunk, app name Splunk_TA_opseclea_linux22
    Splunk username: admin
    Password: 
    DEBUG: LOGGRABBER configuration file is: /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/fw1-loggrabber.conf
    DEBUG: function logging_init_env
    DEBUG: function open_screen
    DEBUG: Open connection to screen.
    DEBUG: Logfilename      : fw.log
    DEBUG: Record Separator : |
    DEBUG: Resolve Addresses: No
    DEBUG: Show Filenames   : No
    DEBUG: FW1-2000         : No
    DEBUG: Online-Mode      : No
    DEBUG: Audit-Log        : No
    DEBUG: Show Fieldnames  : Yes
    DEBUG: function get_fw1_logfiles
    splunk internal call command: $SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/
    splunk output: QUERYING: 'https://127.0.0.1:8089/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/'
    HTTP Status: 200.
    Content:
    <?xml version="1.0" encoding="UTF-8"?>
    <!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->
    <?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
    <feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
      <title></title>
      <id>https://127.0.0.1:8089/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf</id>
      <updated>2015-08-14T13:31:37-03:00</updated>
      <generator build="271043" version="6.2.4"/>
      <author>
        <name>Splunk</name>
      </author>
      <link href="/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/_new" rel="create"/>
      <opensearch:totalResults>1</opensearch:totalResults>
      <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
      <opensearch:startIndex>0</opensearch:startIndex>
      <s:messages/>
      <entry>
        <title>CheckPoint_Internet</title>
        <id>https://127.0.0.1:8089/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/CheckPoint_Internet</id>
        <updated>2015-08-14T13:31:37-03:00</updated>
        <link href="/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/CheckPoint_Internet" rel="alternate"/>
        <author>
          <name>admin</name>
        </author>
        <link href="/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/CheckPoint_Internet" rel="list"/>
        <link href="/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/CheckPoint_Internet" rel="edit"/>
        <link href="/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/CheckPoint_Internet" rel="remove"/>
        <content type="text/xml">
          <s:dict>
            <s:key name="disabled">0</s:key>
            <s:key name="eai:acl">
              <s:dict>
                <s:key name="app">Splunk_TA_opseclea_linux22</s:key>
                <s:key name="can_change_perms">1</s:key>
                <s:key name="can_list">1</s:key>
                <s:key name="can_share_app">1</s:key>
                <s:key name="can_share_global">1</s:key>
                <s:key name="can_share_user">1</s:key>
                <s:key name="can_write">1</s:key>
                <s:key name="modifiable">1</s:key>
                <s:key name="owner">admin</s:key>
                <s:key name="perms">
                  <s:dict>
                    <s:key name="read">
                      <s:list>
                        <s:item>admin</s:item>
                      </s:list>
                    </s:key>
                    <s:key name="write">
                      <s:list>
                        <s:item>admin</s:item>
                      </s:list>
                    </s:key>
                  </s:dict>
                </s:key>
                <s:key name="removable">1</s:key>
                <s:key name="sharing">app</s:key>
              </s:dict>
            </s:key>
            <s:key name="eai:appName">Splunk_TA_opseclea_linux22</s:key>
            <s:key name="eai:userName">nobody</s:key>
            <s:key name="fw_version">77</s:key>
            <s:key name="is_disabled">0</s:key>
            <s:key name="lea_server_auth_port">18184</s:key>
            <s:key name="lea_server_auth_type">sslca</s:key>
            <s:key name="lea_server_ip">10.1.4.41</s:key>
            <s:key name="mode">fw</s:key>
            <s:key name="no_resolve">1</s:key>
            <s:key name="online_mode">1</s:key>
            <s:key name="opsec_entity_sic_name">CN=SensorSplunk,0=mngt-blackhole..rq9q26</s:key>
            <s:key name="opsec_sic_name">cn=cp_mgmt,o=mngt-blackhole..rq9q26</s:key>
            <s:key name="opsec_sslca_file">../certs/newFile.p12</s:key>
          </s:dict>
        </content>
      </entry>
    </feed>


    mode: fw
    addFilter: product=VPN-1 & FireWall-1
    DEBUG: function string_duplicate
    -v opsec_sic_name cn=cp_mgmt,o=mngt-xxx26-v opsec_sslca_file ../certs/newFile.p12 -v lea_server ip 10.1.4.41 -v lea_server auth_port 18184 -v lea_server auth_type sslca -v lea_server opsec_entity_sic_name CN=SensorSplunk,0=mngt-xxx26
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] Env Configuration:
    (
        :type (opsec_info)
        :lea_server (
            :opsec_entity_sic_name ("CN=SensorSplunk,0=mngt-blackhole..rq9q26")
            :auth_type (sslca)
            :auth_port (18184)
            :ip (10.1.4.41)
        )
        :opsec_sslca_file ("../certs/newFile.p12")
        :opsec_sic_name ("cn=cp_mgmt,o=mngt-blackhole..rq9q26")
    )

    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] Could not find info for ...opsec_shared_local_path...
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] Could not find info for ...opsec_sic_policy_file...
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] Could not find info for ...opsec_mt...
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_init: multithread safety is not initialized
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] cpprng_opsec_initialize: path is not initialized - will initialize
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] cpprng_opsec_initialize: full file name is ops_prng
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] cpprng_opsec_initialize: dev_urandom_poll returned 0
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_file_is_intialized: seed is initialized
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] cpprng_opsec_initialize: seed init for opsec succeeded
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_policy_create: version 5301.
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_policy_add_name_to_group: finished successfully.
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_policy_set_local_names: () names. finished successfully.
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_policy_create: finished successfully.
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_policy_add_name_to_group: finished successfully.
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_policy_set_local_names: (local_sic_name) names. finished successfully.
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_policy_add_name_to_group: finished successfully.
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_policy_set_local_names: (127.0.0.1) names. finished successfully.
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_policy_add_name_to_group: finished successfully.
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_policy_set_local_names: ("cn=cp_mgmt,o=mngt-blackhole..rq9q26") names. finished successfully.
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_apply_default_dn: ca_dn = [O=mngt-blackhole..rq9q26].
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_apply_default_dn: calling PM_policy_DN_conversion ..
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_apply_default_dn: finished successfully.
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] sslcaInitCP_Ex: failed to create keyholder
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_init_sslca: no key holder - symmetric SSLCA not started
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] sslcaInitCP_Ex: using asym client without ca cert
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] ckpSSLctx_New: prefs = 12
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] CkpRegDir: Environment variable CPDIR is not set.
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] GenerateGlobalEntry: Unable to get registry path
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] sslcaInitCP_Ex: using asym client without ca cert
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] ckpSSLctx_New: prefs = 32
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] sslcaInitCP_Ex: using asym client without ca cert
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] ckpSSLctx_New: prefs = 11
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] sslcaInitCP_Ex: using asym client without ca cert
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] ckpSSLctx_New: prefs = 31
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_init_sic_id_internal: Added sic id (ctx id = 0)
    DEBUG: OPSEC LEA conf file is lea.conf
    DEBUG: Authentication mode has been used.
    DEBUG: Server-IP     : 10.1.4.41
    DEBUG: Server-Port     : 18184
    DEBUG: Authentication type: sslca
    DEBUG: OPSEC sic certificate file name : ../certs/newFile.p12
    DEBUG: Server DN (sic name) : CN=SensorSplunk,0=mngt-blackhole..rq9q26
    DEBUG: OPSEC LEA client DN (sic name) : cn=cp_mgmt,o=mngt-blackhole..rq9q26
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_init_entity_sic: called for the client side
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] Configuring entity lea_server
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] Could not find info for ...conn_buf_size...
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] Could not find info for ...no_nagle...
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] Could not find info for ...port...
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_entity_add_sic_rule: adding rules: apply_to: ME, peer: CN=SensorSplunk,0=mngt-blackhole..rq9q26, d_ip: NULL, dport 18184, svc: lea, method: sslca
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_entity_add_sic_rule: adding INBOUND rule
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_entity_add_sic_rule: adding OUTBOUND rule
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] fwDN_add_CN: new dn is illegal
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_get_comm: creating comm for ent=8cf3e68  peer=8ceae48 passive=0 key=2 info=0
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] c=0x8cf3e68 s=0x8ceae48 comm_type=4

    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] Could not find info for ...opsec_client...
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_get_comm: Creating session hash (size=256)
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_get_comm: ADDING comm=0x8cf6968 to ent=0x8cf3e68 with key=2
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_env_get_context_id_by_peer_sic_name: illegal DN of sic name: CN=SensorSplunk,0=mngt-blackhole..rq9q26
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] OPSEC_SET_ERRNO: err =  4  Argument is NULL or lacks some data (pre =  0)
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_sic_connect: failed to get context id for connection
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_get_comm: error in opsec_sic_connect
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] destroying comm 0x8cf6968
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] Destroying comm 0x8cf6968 with 0 active sessions
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] pulling dgtype=ffffffff len=-1 to list=0x8cf6984
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] REMOVING comm=0x8cf6968 from ent=0x8cf3e68 with key=2
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] Unable to make session
    ERROR: failed to create session (Argument is NULL or lacks some data)
    DEBUG: function cleanup_fw1_environment
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] Destroying entity 1 with 0 active comms
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_destroy_entity_sic: deleting sic rules for entity 0x8cf3e68
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] Destroying entity 2 with 0 active comms
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_destroy_entity_sic: deleting sic rules for entity 0x8ceae48
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] IpcUnMapFile: unmapping file (handle=0x8cea748)
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] IpcUnMapFile: unmapping file (handle=0x8cea7f8)
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] IpcUnMapFile: unmapping file (handle=0x8cea8a8)
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] IpcUnMapFile: unmapping file (handle=0x8cea948)
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] IpcUnMapFile: unmapping file (handle=0x8cea9c8)
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_policy_destroy: finished successfully.
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_destroy_sic_id_internal: Destroyed sic id (ctx id=0)
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_env_destroy_sic_id_hash: Destroyed sic id hash
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] fwd_env_destroy: env 0x8ccdfa0 (alloced = 1)
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] T_env_destroy: env 0x8ccdfa0 
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] do_fwd_env_destroy:  really destroy 0x8ccdfa0
    DEBUG: function exit_loggrabber
    DEBUG: function free_lfield_arrays
    DEBUG: function free_afield_arrays
    DEBUG: function free_lfield_arrays
    DEBUG: function free_afield_arrays

jcoates_splunk
Splunk Employee

Just guessing, but did you install the 32-bit libraries mentioned here? http://docs.splunk.com/Documentation/OPSEC-LEA/3.1.0/Install/Systemrequirements
