- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Splunk Check Point LEA OPSEC error : Fatal error: ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
./pull-cert.sh: line 7: 4740 Aborted (core dumped) $cmd
root@LabSplunk:/opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin# ./pull-cert.sh 192.168.0.1 SplunkLEA passwd labfirewall.p12
Fatal error: glibc detected an invalid stdio handle
./pull-cert.sh: line 7: 4771 Aborted (core dumped)
$cmd
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had the exact same issue and it turns out that OPSEC side started to use sha256 and updated its SDK. I downloaded http://supportcontent.checkpoint.com/file_download?id=50832 and replaced $SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/bin/opsec-tools binaries with these new ones. That seems to do the trick.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Any resolution steps ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In my case, I left OPSEC LEA and used the Checkpoint Log Exporter to send via syslog. It comes very complete also in OPSEC.
Thank you.
James \m/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the same problem, I downloaded the SDK at http://supportcontent.checkpoint.com/file_download?id=50832 and replaced the $ SPLUNK_HOME / etc / apps / Splunk_TA_checkpoint-opseclea / bin / opsec-tools binaries.
Still the error 'REST ERROR [400]: Bad Request - Failed to fetch the certificate from server' appears.
Any idea how to solve it?
Thank You in Advance
James \m/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you chmod +x the new opsec_pull_cert ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is a known issue in the addon which stems from Checkpoint OPSEC SDK only working with 32-bit OS flavors: http://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Releasenotes
OPSEC SDK is no longer maintained and Checkpoint recommends Log Exporter instead (which is based on syslog integration and thus avoids OPSEC all together): https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had the exact same issue and it turns out that OPSEC side started to use sha256 and updated its SDK. I downloaded http://supportcontent.checkpoint.com/file_download?id=50832 and replaced $SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/bin/opsec-tools binaries with these new ones. That seems to do the trick.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This method worked and allows patching to the latest glibc.
I recommend the solution provided by selim.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This worked for me. Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Quick update: with this approach I was able to bypass opsec_pull_cert issue; however, we failed to collect any logs and received following errors:
ERROR: Session end reason: SIC ERROR 147 - SIC Error for lea: Authentication error
This may be an issue with either entity_sic_name and/or password. Password worked before and we double checked it. We also checked with checkpoint admins and tried pretty much all possible combinations for various opsec_entity_sic_name entries within the opseclea_connection.conf file. So far no luck 😞
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Downgrading glibc to 2.17-196 worked.
There appears to be an issue with the Checkpoint App and glibc version 2.17-222.
yum downgrade glibc glibc-common
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi dgrotenb, what is the command to downgrade in Centos 7, i'm getting this:
yum downgrade glibc glibc-common
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.mirror.myduniahost.com
* extras: centos.mirror.myduniahost.com
* updates: centos.mirror.myduniahost.com
Nothing to do
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
did you run "yum clean all"
Also you may have needed to have a previous version installed for this to work. Worse case you can manually download the 2.17-196 versions use rpm -ivh --force on those rpms to force install them. Not recommended, but an option if nothing else works.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Seeing this error too.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Any idea why i'm getting this error?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have the same problem, I have splunk version 7.1.3 and Add-On 4.3.1 and the problem persists. Any idea how to circumvent this issue?
via CLI the error is
[root@splunk bin]# ./pull-cert.sh --help
Fatal error: glibc detected an invalid stdio handle
./pull-cert.sh: line 7: 15906 Aborted $cmd
[root@splunk bin]#
Also verified that pam and glibc are running on the last versions
[root@splunk ~]# yum install glibc.i686
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.mirror.ptisp.pt
* extras: centos.mirror.ptisp.pt
* updates: centos.mirror.ptisp.pt
Package glibc-2.17-222.el7.i686 already installed and latest version
Nothing to do
[root@splunk ~]# yum install pam.i686
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.mirror.ptisp.pt
* extras: centos.mirror.ptisp.pt
* updates: centos.mirror.ptisp.pt
Package pam-1.1.8-22.el7.i686 already installed and latest version
Nothing to do
[root@splunk ~]#
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am seeing this issue too.
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
