
Splunk Check Point LEA OPSEC error : Fatal error: glibc detected an invalid stdio handle

arrowecssupport
Communicator
    ./pull-cert.sh: line 7:  4740 Aborted                 (core dumped) $cmd
    root@LabSplunk:/opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin# ./pull-cert.sh 192.168.0.1 SplunkLEA passwd labfirewall.p12

    Fatal error: glibc detected an invalid stdio handle
    ./pull-cert.sh: line 7:  4771 Aborted                 (core dumped) $cmd
0 Karma
1 Solution


junedec21
New Member

Any resolution steps ?

0 Karma

jfeitosa_real
Path Finder

In my case, I left OPSEC LEA and used the Checkpoint Log Exporter to send via syslog. It is also very complete, like OPSEC.

Thank you.

James \m/

0 Karma

jfeitosa_real
Path Finder

I have the same problem. I downloaded the SDK at http://supportcontent.checkpoint.com/file_download?id=50832 and replaced the $SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/bin/opsec-tools binaries.
Still the error 'REST ERROR [400]: Bad Request - Failed to fetch the certificate from server' appears.

Any idea how to solve it?

Thank You in Advance

James \m/

0 Karma

nedokpayi
Splunk Employee

Did you chmod +x the new opsec_pull_cert ?

0 Karma

mreynov_splunk
Splunk Employee

This is a known issue in the addon which stems from Checkpoint OPSEC SDK only working with 32-bit OS flavors: http://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Releasenotes

OPSEC SDK is no longer maintained and Checkpoint recommends Log Exporter instead (which is based on syslog integration and thus avoids OPSEC all together): https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

selim
Path Finder

I had the exact same issue and it turns out that OPSEC side started to use sha256 and updated its SDK. I downloaded http://supportcontent.checkpoint.com/file_download?id=50832 and replaced $SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/bin/opsec-tools binaries with these new ones. That seems to do the trick.

dgrotenb
Explorer

This method worked and allows patching to the latest glibc.
I recommend the solution provided by selim.

0 Karma

mlogendra_splun
Splunk Employee

This worked for me. Thank you

0 Karma

selim
Path Finder

Quick update: with this approach I was able to bypass opsec_pull_cert issue; however, we failed to collect any logs and received following errors:

ERROR: Session end reason: SIC ERROR 147 - SIC Error for lea: Authentication error

This may be an issue with either entity_sic_name and/or password. Password worked before and we double checked it. We also checked with checkpoint admins and tried pretty much all possible combinations for various opsec_entity_sic_name entries within the opseclea_connection.conf file. So far no luck 😞

0 Karma

dgrotenb
Explorer

Downgrading glibc to 2.17-196 worked.
There appears to be an issue with the Checkpoint App and glibc version 2.17-222.

yum downgrade glibc glibc-common

kalaiarasu
Explorer

Hi dgrotenb, what is the command to downgrade in Centos 7, i'm getting this:

yum downgrade glibc glibc-common
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.mirror.myduniahost.com
* extras: centos.mirror.myduniahost.com
* updates: centos.mirror.myduniahost.com
Nothing to do

dgrotenb
Explorer

Did you run "yum clean all"?

Also, you may need to have had a previous version installed for this to work. Worst case, you can manually download the 2.17-196 versions and use rpm -ivh --force on those rpms to force-install them. Not recommended, but an option if nothing else works.

0 Karma
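The thread above points at three separate preconditions for opsec_pull_cert to run: the binary must be executable (nedokpayi's chmod +x), it is a 32-bit build that needs the i686 glibc (mreynov_splunk's note), and glibc 2.17-222 is reported to abort it while 2.17-196 works (dgrotenb). The pre-flight script below is an added example, not code from the Splunk add-on or from Check Point, that checks those three points before pull-cert.sh is run. It assumes the binary path used in the thread plus the file name opsec_pull_cert, that rpm is the package tool (CentOS/RHEL 7 as in the posts), and it treats only 2.17-222 as known-bad because that is the only release the thread reports; any other release is a hypothetical and is not flagged.

```shell
#!/bin/sh
# Added example (not the add-on's own code): pre-flight checks for the
# 32-bit opsec_pull_cert binary shipped under opsec-tools.
# Assumed path (from the thread, file name is an assumption):
#   $SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/bin/opsec-tools/opsec_pull_cert

# Return 0 if FILE is an ELF object whose EI_CLASS byte is 1 (32-bit).
elf_is_32bit() {
    file=$1
    [ -f "$file" ] || return 1
    # First four bytes must be the ELF magic 7f 45 4c 46.
    magic=$(od -An -tx1 -N4 "$file" | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || return 1
    # Byte 5 (offset 4) is EI_CLASS: 1 = ELFCLASS32, 2 = ELFCLASS64.
    class=$(od -An -tu1 -j4 -N1 "$file" | tr -d ' \n')
    [ "$class" = "1" ]
}

# Return 0 if a glibc version-release string (e.g. "2.17-222.el7") is one the
# thread reports as aborting opsec_pull_cert. Only 2.17-222 is reported bad;
# 2.17-196 is reported working, so nothing else is flagged here.
glibc_release_known_bad() {
    case "$1" in
        2.17-222*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the installed glibc.i686 version-release via rpm, or fail if rpm is
# not available (assumes an RPM-based host as in the thread).
installed_glibc_i686_release() {
    command -v rpm >/dev/null 2>&1 || return 1
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' glibc.i686 2>/dev/null | head -n1
}

# Run all checks against BIN; return 0 only if none failed.
preflight() {
    bin=$1
    rc=0
    if ! [ -x "$bin" ]; then
        echo "FAIL: $bin is not executable (run: chmod +x $bin)"
        rc=1
    fi
    if ! elf_is_32bit "$bin"; then
        echo "FAIL: $bin is not a 32-bit ELF binary; the OPSEC SDK tools are 32-bit only"
        rc=1
    fi
    rel=$(installed_glibc_i686_release) || echo "WARN: could not query glibc.i686 with rpm"
    if [ -n "$rel" ] && glibc_release_known_bad "$rel"; then
        echo "FAIL: glibc.i686 $rel is reported to abort opsec_pull_cert;"
        echo "      downgrade (yum downgrade glibc glibc-common) or install the updated opsec-tools"
        rc=1
    fi
    return $rc
}

# Stand-alone usage: preflight "${SPLUNK_HOME:-/opt/splunk}/etc/apps/Splunk_TA_checkpoint-opseclea/bin/opsec-tools/opsec_pull_cert"
```

Run it as root on the Splunk forwarder before pull-cert.sh; a FAIL on the ELF check usually means a wrong or corrupted download was dropped into opsec-tools, while a FAIL on the glibc check points at the downgrade or binary update discussed above.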

dgrotenb
Explorer

Seeing this error too.

0 Karma

arrowecssupport
Communicator

Any idea why i'm getting this error?

0 Karma

socespap
Explorer

Hi,

I have the same problem, I have splunk version 7.1.3 and Add-On 4.3.1 and the problem persists. Any idea how to circumvent this issue?

via CLI the error is
[root@splunk bin]# ./pull-cert.sh --help
Fatal error: glibc detected an invalid stdio handle
./pull-cert.sh: line 7: 15906 Aborted $cmd
[root@splunk bin]#

Also verified that pam and glibc are on the latest versions:
[root@splunk ~]# yum install glibc.i686
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.mirror.ptisp.pt
* extras: centos.mirror.ptisp.pt
* updates: centos.mirror.ptisp.pt
Package glibc-2.17-222.el7.i686 already installed and latest version
Nothing to do
[root@splunk ~]# yum install pam.i686
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.mirror.ptisp.pt
* extras: centos.mirror.ptisp.pt
* updates: centos.mirror.ptisp.pt
Package pam-1.1.8-22.el7.i686 already installed and latest version
Nothing to do
[root@splunk ~]#

0 Karma

dgrotenb
Explorer

I am seeing this issue too.

0 Karma