
OPSEC LEA lea-loggrabber is giving a Segmentation Error

rbell54
Engager

I'm running RHEL 7.2, Splunk 6.6.1 and OPSEC LEA 4.2.0 and configured the OPSEC LEA app. I pulled the cert, but when I search for data it's not showing anything. So I troubleshot it by running lea-loggrabber, and it's crashing. Is the add-on available to run on RHEL 7.2? Why is it failing? I put the app in debug mode, ran lea-loggrabber, and here's the output:

[ 27363 4151757632]server[3 Aug 14:15:04] Env Configuration:
(
        :type (opsec_info)
        :lea_server (
                :opsec_entity_sic_name ()
                :auth_type (sslca)
                :auth_port (18184)
                :ip ()
        )
        :opsec_sslca_file ()
        :opsec_sic_name ()
)

[ 27363 4151757632]server[3 Aug 14:15:04] Could not find info for ...opsec_shared_local_path...
[ 27363 4151757632]server[3 Aug 14:15:04] Could not find info for ...opsec_sic_policy_file...
[ 27363 4151757632]server[3 Aug 14:15:04] Could not find info for ...opsec_mt...
[ 27363 4151757632]server[3 Aug 14:15:04] opsec_init: multithread safety is not initialized
[ 27363 4151757632]server[3 Aug 14:15:04] cpprng_opsec_initialize: path is not initialized - will initialize
[ 27363 4151757632]server[3 Aug 14:15:04] cpprng_opsec_initialize: full file name is ops_prng
[ 27363 4151757632]server[3 Aug 14:15:04] cpprng_opsec_initialize: dev_urandom_poll returned 0
[ 27363 4151757632]server[3 Aug 14:15:04] opsec_file_is_intialized: seed is initialized
[ 27363 4151757632]server[3 Aug 14:15:04] cpprng_opsec_initialize: seed init for opsec succeeded
[ 27363 4151757632]server[3 Aug 14:15:04] opsec_init_sic_id_internal: own sic name not defined.
[ 27363 4151757632]server[3 Aug 14:15:04] PM_policy_create: version 5301.
[ 27363 4151757632]server[3 Aug 14:15:04] PM_policy_add_name_to_group: finished successfully.
[ 27363 4151757632]server[3 Aug 14:15:04] PM_policy_set_local_names: () names. finished successfully.
[ 27363 4151757632]server[3 Aug 14:15:04] PM_policy_create: finished successfully.
[ 27363 4151757632]server[3 Aug 14:15:04] PM_policy_add_name_to_group: finished successfully.
[ 27363 4151757632]server[3 Aug 14:15:04] PM_policy_set_local_names: (local_sic_name) names. finished successfully.
[ 27363 4151757632]server[3 Aug 14:15:04] PM_policy_add_name_to_group: finished successfully.
[ 27363 4151757632]server[3 Aug 14:15:04] PM_policy_set_local_names: (127.0.0.1) names. finished successfully.

Segmentation fault (core dumped)

Any Idea what's going on?

mlogendra_splun
Splunk Employee

When the Check Point add-on is trying to connect to the Check Point server, it will try to resolve itself. When it is unable to do so, it will exit with a "segmentation fault" message.

Add a host entry with the hostname of Splunk server and its IP in /etc/hosts and the segmentation fault should go away.

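A pre-flight check for the self-resolution failure this answer describes, added here as example code rather than anything shipped with the add-on. It assumes the /etc/hosts file format and that the name the add-on resolves is the output of hostname; the Splunk server IP in the hint is a placeholder.

```shell
#!/bin/sh
# Added example: confirm the host running lea-loggrabber can resolve its own
# name from a hosts file before launching the add-on, since the add-on
# segfaults when self-resolution fails.

# hosts_has_name FILE NAME -> 0 if NAME appears as a hostname or alias on a
# non-comment line of FILE (/etc/hosts format), else 1. Case-insensitive.
hosts_has_name() {
    file="$1"; name="$2"
    # Drop comments, then look at every field after the address column.
    sed 's/#.*//' "$file" | awk -v want="$name" '
        NF >= 2 { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(want)) found = 1 }
        END { exit found ? 0 : 1 }'
}

# suggested_hosts_line NAME IP -> the line to append to /etc/hosts
suggested_hosts_line() {
    printf '%s\t%s\n' "$2" "$1"
}

# check_self_resolution [FILE] [NAME] -> 0 if NAME (default: hostname) is
# present in FILE (default: /etc/hosts); otherwise print a hint and return 1.
check_self_resolution() {
    file="${1:-/etc/hosts}"
    name="${2:-$(hostname)}"
    if hosts_has_name "$file" "$name"; then
        echo "OK: $name is present in $file"
        return 0
    fi
    echo "MISSING: $name is not in $file; lea-loggrabber may segfault." >&2
    # <splunk-server-ip> is a placeholder for the Splunk server's address.
    echo "Add a line such as: $(suggested_hosts_line "$name" "<splunk-server-ip>")" >&2
    return 1
}
```

Run check_self_resolution with no arguments on the Splunk host; a non-zero exit means the hosts entry the answer recommends is missing.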

aalanisr26
Path Finder

I'm experiencing the exact same behavior, did you find a solution to this?


rbell54
Engager

No. I worked with support and we eventually downgraded the OPSEC LEA and now it's working. I did not revisit it, but I would eventually like to move to the newer version.

aalanisr26
Path Finder

Did you downgrade to version 3.x, or are you still using version 4.x?

Part of the functionality we want was enabled after 4.0, but if they told you to go back to 3.x, it is not an option for us.
