I've configured the app with the proper values including the management server IP address but when starting Splunk, the conf file check shows the management server IP is, for some reason, invalid.
Invalid key in stanza [CHECKPOINT_MGR] in /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_connection.conf, line 9: management_server_ip (value: 192.168.0.10).
Below is the config file we are using.
[root@splunk local]# more opseclea_connection.conf
[CHECKPOINT_MGR]
cert_name = CHECKPOINT_MGR_4189510259.p12
fw_version = R77
lea_app_name = SplunkLEA
lea_server_auth_port = 18184
lea_server_auth_type = sslca
lea_server_ip = 192.168.0.10
lea_server_type = primary
management_server_ip = 192.168.0.10
opsec_entity_sic_name = CN=cp_mgmt,O=CHECKPOINT_MGR.wrbdb6
opsec_sic_name = CN=SplunkLEA,O=CHECKPOINT_MGR.wrbdb6
It is telling you that line #9 ( management_server_ip = 192.168.0.10
) is malformed. Usually this means that you have spelled the key wrong (case matters) or that the line is garbage/unnecessary/deprecated. That is not listed in the docs so REMOVE IT:
https://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Configureinputs
I'm getting the same error, though everything seems to work as expected. The GUI actually populates the config file with the management_server_ip value that Splunk doesn't like.
It is telling you that line #9 ( management_server_ip = 192.168.0.10
) is malformed. Usually this means that you have spelled the key wrong (case matters) or that the line is garbage/unnecessary/deprecated. That is not listed in the docs so REMOVE IT:
https://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Configureinputs
So it looks like the error was related to it not existing however the app itself requires that value when you configure the connection using the GUI. Might need an update to not require it/remove it?
I have NEVER done either of these things that you are doing:
1: put anything on the same line as the stanza header (i.e. the first line should be [CHECKPOINT_MGR]
and the second line should be cert_name = CHECKPOINT_MGR_4189510259.p12
).
2: Split my KVP across lines (e.g the last 2 lines should actually be 1 line that reads opsec_sic_name =
).
CN=SplunkLEA,O=CHECKPOINT_MGR.wrbdb6
Apologies for the formatting issues. I've fixed the lines to read how they are in the actual file.