Splunk Add-on for Check Point OPSEC LEA: How to resolve error "Invalid key in stanza [schq] in Splunk_TA_checkpoint-opseclea/local/opseclea_connection.conf"?

zeebo101
Explorer

Hello,

Setup:
Centos7(64) with pam.i686 and gclibd.i686 - Splunk 6.5.2 - Checkpoint_splunk_TA 4.1.0(build 1) - iptables permitted 18184 18210
Checkpoint R77.30 on Gaia Single management (smartcentre) server that is the one and only log host. Not running provider-1.

Problem:
I have managed to install the Splunk Add-on for Check Point OPSEC LEA and configure the connection. I have followed the document carefully and I have successfully pulled the certificate from Check Point (as described in the notes for this add-on), and established SIC. I have created the connection, but never receive any logs, and when I run splunk btool check, I get this error:

[root@localhost bin]# ./splunk btool check
Invalid key in stanza [schq] in /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_connection.conf, line 9: management_server_ip  (value:  10.10.10.38)

The conf file is:

[schq]
cert_name = schq_2654242918.p12
fw_version = R77
lea_app_name = SplunkLEA
lea_server_auth_port = 18184
lea_server_auth_type = sslca
lea_server_ip = 10.10.10.38
lea_server_type = primary
management_server_ip = 10.10.10.38
opsec_entity_sic_name = CN=cp_mgmt,O=schq.domain.com.fjj4jw
opsec_sic_name = CN=SplunkLEA,O=schq.domain.com.fjj4jw
disabled = 0

I have ip tables open for 18210 18184 and can see the fw-ica-pull when the certificate is successfully retrieved and SIC is working fine.

I have a single management server which is also the only log server, so the log server and management server IP are the same.

I have read all of the answers I could find and all of the troubleshooting in: http://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Setup2 but I'm stuck.

I would be very happy for any help you can offer.

Thanks

0 Karma
1 Solution

zeebo101
Explorer

Clean install of Centos7 still had this error. I did some googling and saw that Splunk had pretty much re-used the open-source version of this app (log grabber etc.), but the Splunk-built GUI adds the management_ip line in the opseclea-conf file... Removing this line and changing the LEA port to a different one on the server and the firewall seemed to resolve it.

0 Karma
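
Added example (not part of the original thread, and not Splunk's or the add-on's code): a sketch of the workaround in the post above, which parses the btool check message quoted in the question and comments out the flagged key only on the line and in the stanza btool reported. The function names and the [lab] stanza in the sample are constructed for illustration.

```python
import re

# Shape of the "Invalid key" message that `splunk btool check` printed in the question.
BTOOL_RE = re.compile(
    r"Invalid key in stanza \[(?P<stanza>[^\]]+)\] in (?P<path>\S+), "
    r"line (?P<line>\d+): (?P<key>\S+)\s+\(value:\s*(?P<value>.*?)\)\s*$"
)

def parse_btool(output):
    """Return one dict (stanza, path, line, key, value) per invalid-key message."""
    return [m.groupdict() for m in map(BTOOL_RE.search, output.splitlines()) if m]

def comment_out_key(conf_text, finding):
    """Comment out the flagged key on the exact line btool reported, inside the reported stanza."""
    lines = conf_text.splitlines()
    idx = int(finding["line"]) - 1
    key_re = re.compile(rf"\s*{re.escape(finding['key'])}\s*=")
    if idx >= len(lines) or not key_re.match(lines[idx]):
        raise ValueError("reported line does not hold the key: not the file btool checked")
    headers = [l.strip() for l in lines[:idx] if l.strip().startswith("[")]
    if not headers or headers[-1] != f"[{finding['stanza']}]":
        raise ValueError("flagged line is not inside the reported stanza")
    lines[idx] = "# disabled, rejected by btool check: " + lines[idx].strip()
    return "\n".join(lines) + "\n"

# Message and [schq] stanza copied from the question; [lab] is constructed for the demo.
SAMPLE_BTOOL = (
    "Invalid key in stanza [schq] in /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea"
    "/local/opseclea_connection.conf, line 9: management_server_ip  (value:  10.10.10.38)"
)
SAMPLE_CONF = """[schq]
cert_name = schq_2654242918.p12
fw_version = R77
lea_app_name = SplunkLEA
lea_server_auth_port = 18184
lea_server_auth_type = sslca
lea_server_ip = 10.10.10.38
lea_server_type = primary
management_server_ip = 10.10.10.38
opsec_entity_sic_name = CN=cp_mgmt,O=schq.domain.com.fjj4jw
opsec_sic_name = CN=SplunkLEA,O=schq.domain.com.fjj4jw
disabled = 0

[lab]
management_server_ip = 192.0.2.10
"""

if __name__ == "__main__":
    print(comment_out_key(SAMPLE_CONF, parse_btool(SAMPLE_BTOOL)[0]))
```

Write the returned text over a backed-up copy of the conf file and re-run ./splunk btool check. The post also changed the LEA port, which this example does not cover.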

zeebo101
Explorer

Ok, so Splunk support won't help as our contract expired (I emailed the account manager but he doesn't reply), so I'm on my own. I will wipe my machine and do a complete reinstall of CentOS, Splunk and the CP add-on... however I have tried this already so not too hopeful. I might try an older version of the add-on as I can see other people have this working.

Could I just ask, does anyone have this working with R77.30 and single smartcentre? I have a feeling that most use provider-1.

0 Karma

georgen_splunk
Splunk Employee

You may want to check for errors in the connection log written to: $SPLUNK_HOME/var/log/splunk/splunk_ta_checkpoint-opseclea_modinput.log

Alternatively, you can run the lea_loggrabber client in debug mode to view the debug details in stdout, using your schq stanza as a reference:

/opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/../bin/lea_loggrabber --data non_audit --debug_level 3 --appname Splunk_TA_checkpoint-opseclea --lea_server_ip 10.10.10.38 --lea_server_auth_port 18184 --lea_server_auth_type sslca --opsec_sslca_file /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/schq_2654242918.p12 --opsec_sic_name CN=SplunkLEA,O=schq.domain.com.fjj4jw --opsec_entity_sic_name CN=cp_mgmt,O=schq.domain.com.fjj4jw --last_record_location 0:0 --no_online --resolve
0 Karma

georgen_splunk
Splunk Employee

I have also filed a bug for the invalid management_server_ip in bug ID ADDON-14094 (TA version 4.1.0). Please contact support for more info.

0 Karma

zeebo101
Explorer

Hi, Georgen,

I will check those logs as you said and put the findings in this post. How can I get more info from support? Who / how should I contact them?

Thanks

0 Karma

georgen_splunk
Splunk Employee

Cool!! Just place ATTN: George in the subject line of your support request. Our teams will route the case over to me.

0 Karma

zeebo101
Explorer

Ok, so from the logs I can see that it seems to complain about the CPDIR not being set, and access to the registry. The CPDIR variable is set, however. Could this be an access issue? Like the splunk_TA needs to run as expert or something?

I'm limited with the characters I can paste here so I will try to send it via support... however some parts I think might be useful:

log_level=2 file:lea_loggrabber.cpp func_name:main_worker code_line_no:1220 :Didn't find file, start read normal file: filename=fw.log, fileid=1        
log_level=3 file:lea_loggrabber.cpp func_name:read_fw1_logfile code_line_no:1406 :Start reading fw.log 1        
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: -v      
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: opsec_sic_name      
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: CN=SplunkLEA,O=schq.domain.com.fjj4jw       
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: -v      
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: opsec_sslca_file        
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/schq_2654242918.p12        
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: -v      
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: lea_server      
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: ip      
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: 10.10.10.38     
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: -v      
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: lea_server      
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: auth_port       
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: 18184       
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: -v      
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: lea_server      
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: auth_type       
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: sslca       
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: -v      
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: lea_server      
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: opsec_entity_sic_name       
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: CN=cp_mgmt,O=schq.domain.com.fjj4jw     
[ 16075 4151331648]@localhost.localdomain[14 Mar  9:24:32] Env Configuration:       
(       
    :type (opsec_info)  
    :lea_server (   
        :opsec_entity_sic_name ("CN=cp_mgmt,O=schq.domain.com.fjj4jw")
        :auth_type (sslca)
        :auth_port (18184)
        :ip (10.10.10.38)
    )   
    :opsec_sslca_file ("/opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/schq_2654242918.p12")  
    :opsec_sic_name ("CN=SplunkLEA,O=schq.domain.com.fjj4jw")   
)       

[ 16075 4151331648]@localhost.localdomain[14 Mar  9:24:32] Could not find info for ...opsec_shared_local_path...        
[ 16075 4151331648]@localhost.localdomain[14 Mar  9:24:32] Could not find info for ...opsec_sic_policy_file...      
[ 16075 4151331648]@localhost.localdomain[14 Mar  9:24:32] Could not find info for ...opsec_mt...       
[ 16075 4151331648]@localhost.localdomain[14 Mar  9:24:32] opsec_init: multithread safety is not initialized        
[ 16075 4151331648]@localhost.localdomain[14 Mar  9:25:32] cpprng_opsec_initialize: dev_urandom_poll returned 0     
[ 16075 4151331648]@localhost.localdomain[14 Mar  9:25:32] opsec_file_is_intialized: seed is initialized        
[ 16075 4151331648]@localhost.localdomain[14 Mar  9:25:32] cpprng_opsec_initialize: seed init for opsec succeeded       
[ 16075 4151331648]@localhost.localdomain[14 Mar  9:25:32] PM_policy_create: version 5301.      
[ 16075 4151331648]@localhost.localdomain[14 Mar  9:25:32] PM_policy_add_name_to_group: finished successfully.      
[ 16075 4151331648]@localhost.localdomain[14 Mar  9:25:32] PM_policy_set_local_names: () names. finished successfully.      
[ 16075 4151331648]@localhost.localdomain[14 Mar  9:25:32] PM_policy_create: finished successfully.     
[ 16075 4151331648]@localhost.localdomain[14 Mar  9:25:32] PM_policy_add_name_to_group: finished successfully.      
[ 16075 4151331648]@localhost.localdomain[14 Mar  9:25:32] PM_policy_set_local_names: (local_sic_name) names. finished successfully.        
[ 16075 4151331648]@localhost.localdomain[14 Mar  9:25:32] PM_policy_add_name_to_group: finished successfully.      
[ 16075 4151331648]@localhost.localdomain[14 Mar  9:25:32] PM_policy_set_local_names: (127.0.0.1) names. finished successfully.     
[ 16075 4151331648]@localhost.localdomain[14 Mar  9:25:32] PM_policy_add_name_to_group: finished successfully.      
[ 16075 4151331648]@localhost.localdomain[14 Mar  9:25:32] PM_policy_set_local_names: ("CN=SplunkLEA,O=schq.domain.com.fjj4jw") names. finished successfully.       
[ 16075 4151331648]@localhost.localdomain[14 Mar  9:25:32] PM_apply_default_dn: ca_dn = [O=schq.domain.com.fjj4jw].     
[ 16075 4151331648]@localhost.localdomain[14 Mar  9:25:32] PM_apply_default_dn: calling PM_policy_DN_conversion ..      
[ 16075 4151331648]@localhost.localdomain[14 Mar  9:25:32] PM_apply_default_dn: finished successfully.      
[ 16075 4151331648]@localhost.localdomain[14 Mar  9:25:32] fwPubKeyfromPKCS8: decoding RSA key      
[ 16075 4151331648]@localhost.localdomain[14 Mar  9:25:32] ckpSSLctx_New: prefs = 12        
[ 16075 4151331648]@localhost.localdomain[14 Mar  9:25:32] CkpRegDir: Environment variable CPDIR is not set.        
[ 16075 4151331648]@localhost.localdomain[14 Mar  9:25:32] GenerateGlobalEntry: Unable to get registry path     
[ 16075 4151331648]@localhost.localdomain[14 Mar  9:25:32] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.        
[ 16075 4151331648]@localhost.localdomain[14 Mar  9:25:32] ckpSSLctx_New: prefs = 12        
[ 16075 4151331648]@localhost.localdomain[14 Mar  9:25:32] CkpRegDir: Environment variable CPDIR is not set.        
[ 16075 4151331648]@localhost.localdomain[14 Mar  9:25:32] GenerateGlobalEntry: Unable to get registry path     
[ 16075 4151331648]@localhost.localdomain[14 Mar  9:25:32] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.        
[ 16075 4151331648]@localhost.localdomain[14 Mar  9:25:32] opsec_init_sslca: calling sic_set_auth_handler_save_opaque, server_opaque - defs = 0xf6e074c8, client_opaque - defs = 0xf6e074c8     
[ 16075 4151331648]@localhost.localdomain[14 Mar  9:25:32] ckpSSLctx_New: prefs = 32        
0 Karma