Splunk Add-on for Check Point OPSEC LEA: LEA Loggrabber works in debug, but why does nothing show up in Splunk?

jimbul
Explorer

Hi,

I'm running Centos 6.7 with the latest Splunk 6.2 and version 3.1 of the OPSEC LEA Loggrabber against an R77.30 Checkpoint management box in the same LAN segment.

It set up absolutely fine, trust is established. All great.

So, I'm banging my head against the wall here. If I run [root@eulonlog01 bin]# ./lea-loggrabber.sh -debug, I get logs returned from Check Point, easy. It connects straight away and puts them up on the screen in the terminal, so the grabber is authenticating and retrieving logs fine.

However, ordinarily NOTHING shows up in Splunk. Nothing. If I manually run lea-loggrabber.sh, the session hangs till I ctrl-c it.

There is nothing in splunkd.log or web_service.log.

What am I doing wrong? Any guidance or questions appreciated.

Thanks all,

Jim

1 Solution

jimbul
Explorer

Also, there was no definition for passAuth for this script in inputs.conf in /opt/splunk/etc/system/local/inputs.conf, so I added the stanza below:

 [script:$SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity SplunkLEA]
 passAuth = admin

After this change was made the logs started to flow in. Presume something was missing in terms of permissions when the loggrabber was installed, or it's a problem with the package, unless no one else has seen this?

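The fix above works because passAuth tells splunkd to generate a session key for the named user and write it to the script's stdin when it launches the input; without it, nothing is ever written and a bare "read auth_key" in the script blocks forever (and, run by hand from a terminal, it waits for you to type). The following is an added example, not the add-on's own lea-loggrabber.sh and not code from this thread: it reads the key without blocking indefinitely and checks an inputs.conf stanza for passAuth. The sample inputs.conf, the token value and the function names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not part of the Splunk TA or lea-loggrabber.sh.
# With "passAuth = <user>" in the [script:...] stanza, splunkd writes that
# user's session key as one line on the script's stdin. Without it, a bare
# "read auth_key" never returns.

# Read the session key from stdin without blocking indefinitely.
# Prints the key on stdout; returns 1 if stdin is an interactive terminal
# (script run by hand) or no key arrives within $1 seconds (no passAuth).
read_splunk_token() {
    local timeout_secs="${1:-5}" auth_key=""
    if [ -t 0 ]; then
        echo "stdin is a terminal: no passAuth key will be piped in" >&2
        return 1
    fi
    # read -t fails on timeout and on EOF (e.g. </dev/null) alike.
    if ! IFS= read -r -t "$timeout_secs" auth_key || [ -z "$auth_key" ]; then
        echo "no session key on stdin after ${timeout_secs}s; is passAuth set for this stanza?" >&2
        return 1
    fi
    printf '%s\n' "$auth_key"
}

# Report (exit status) whether the [script:...] stanza whose name contains
# $2 in inputs.conf $1 sets passAuth. Hypothetical helper for this example.
stanza_has_passauth() {
    local conf="$1" needle="$2"
    awk -v needle="$needle" '
        /^\[/ { in_stanza = (index($0, needle) > 0) }
        in_stanza && /^[[:space:]]*passAuth[[:space:]]*=/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$conf"
}

# Constructed sample inputs.conf (not from a real system): one stanza that
# passes a session key, one that does not.
SAMPLE_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[script:$SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity SplunkLEA]
passAuth = admin
interval = 60

[script:$SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/bin/migrate.py]
disabled = 0
EOF

if stanza_has_passauth "$SAMPLE_CONF" "lea-loggrabber.sh"; then
    echo "lea-loggrabber.sh stanza passes a session key"
fi
if ! stanza_has_passauth "$SAMPLE_CONF" "migrate.py"; then
    echo "migrate.py stanza has no passAuth; a bare 'read auth_key' there would hang"
fi

# Simulate splunkd piping a key in (constructed value), then the no-key case.
printf 'Splunk constructed-session-key\n' | read_splunk_token 2
read_splunk_token 1 </dev/null || echo "no key on stdin, as expected when passAuth is missing"
```

passAuth names the Splunk user whose session key the script receives, so the script can call the REST API with that user's rights; a dedicated low-privilege user is the safer choice than admin for an input that only needs to read its own configuration.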



jimbul
Explorer

A little more information:

If I debug lea-loggrabber.sh, it sticks on "+read auth_key" and doesn't go past it. Any ideas?

Jim


alacercogitatus
SplunkTrust

Is the input enabled? Can you see the script running in "ps -ef"?


jimbul
Explorer

Thanks much for your reply.

I see "splunk 61889 52865 0 22:39 pts/0 00:00:00 grep --color=auto lea-loggrabber" when I grep ps -ef,

but I do not see the script running.

When you say "is the input enabled", I'm not sure what you mean. I've installed the LEA-Loggrabber app in Splunk and configured it. I've looked in inputs in the web interface and I see that this script

/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/migrate.py

is enabled.

Additionally, to further investigate the lea-loggrabber.sh script given the auth_key failure, I commented out the lines:

read auth_key
SPLUNK_TOK=$auth_key
export SPLUNK_TOK

At which point the script runs and data is collected and output to screen. If these lines are left uncommented and I run bash -x lea-loggrabber.sh, it sticks at

+read auth_key

So I looked and checked that this was OK and found $HOME is writable and there is a .splunk directory created, and in it there is what looks like an authorisation key.

Any guidance appreciated!
