Hello everyone,
I am using the Splunk add-on for Check Point OPSEC LEA on a Linux HF to collect the Check Point firewall logs. I have established the connection and configured the inputs (firewall events and firewall audit logs). I faced no internal errors or issues while establishing the connection and configuring the inputs, yet I am not receiving any logs.
I checked splunk_ta_checkpoint-opseclea_modinput.log and splunk_ta_checkpoint-opseclea_ucc_lib.log for any errors. There is also network connectivity between the firewall device and my HF.
If anyone has faced such an issue, kindly help me if I am missing something.
Thank you!
Is this a standalone or distributed Check Point environment? (e.g., is there a dedicated management server, or do the management server and the firewall exist on the same server/appliance?)
Do you have an explicit firewall rule to allow the Splunk forwarder to communicate with your management server on the FW1_lea service? If you were able to pull the certificate successfully, that would confirm that FW1_ica_pull is allowed at least. If you make any modifications to these rules, you'll need to either install the database to the management server, install policy to the firewall, or both (depending on the communication path and type of Check Point environment).
I am able to pull the certificate successfully. The management server IP and the log server IP are different. Also, I have an explicit firewall rule to allow the Splunk forwarder to communicate with the management server on the FW1_lea service.
Hi, I am getting the below error now.
2019-02-07 06:56:53,772 +0000 log_level=INFO, pid=8708, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8736 156715136]@xxxxxxxx[7 Feb 7:56:53] rand_add_seedfile: Failed to create mutex.: Permission denied
2019-02-07 06:56:53,785 +0000 log_level=INFO, pid=8708, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8739 161634432]@xxxxxxxx[7 Feb 7:56:53] rand_add_external_source: Failed to create mutex.: Permission denied
2019-02-07 06:56:53,785 +0000 log_level=INFO, pid=8708, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8739 161634432]@xxxxxxxx[7 Feb 7:56:53] rand_add_seedfile: Failed to create mutex.: Permission denied
2019-02-07 06:56:55,569 +0000 log_level=INFO, pid=8708, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8736 156715136]@xxxxxxxx[7 Feb 7:56:55] file_open_and_init: failed to create file: Permission denied
2019-02-07 06:56:55,583 +0000 log_level=INFO, pid=8708, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8739 161634432]@xxxxxxxx[7 Feb 7:56:55] file_open_and_init: failed to create file: Permission denied
2019-02-07 06:57:46,616 +0000 log_level=INFO, pid=8822, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8849 143599744]@xxxxxxxx[7 Feb 7:57:46] file_open_and_init: failed to create file: Permission denied
2019-02-07 06:57:46,618 +0000 log_level=INFO, pid=8822, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8853 140867712]@xxxxxxxx[7 Feb 7:57:46] file_open_and_init: failed to create file: Permission denied
2019-02-07 06:57:47,952 +0000 log_level=INFO, pid=8822, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8849 143599744]@xxxxxxxx[7 Feb 7:57:47] rand_add_external_source: Failed to create mutex.: Permission denied
2019-02-07 06:57:47,952 +0000 log_level=INFO, pid=8822, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8849 143599744]@xxxxxxxx[7 Feb 7:57:47] rand_add_seedfile: Failed to create mutex.: Permission denied
2019-02-07 06:57:47,972 +0000 log_level=INFO, pid=8822, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8853 140867712]@xxxxxxxx[7 Feb 7:57:47] rand_add_external_source: Failed to create mutex.: Permission denied
2019-02-07 06:57:47,973 +0000 log_level=INFO, pid=8822, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8853 140867712]@xxxxxxxx[7 Feb 7:57:47] rand_add_seedfile: Failed to create mutex.: Permission denied
2019-02-07 06:57:49,890 +0000 log_level=INFO, pid=8822, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8853 140867712]@xxxxxxxx[7 Feb 7:57:49] file_open_and_init: failed to create file: Permission denied
2019-02-07 06:57:49,971 +0000 log_level=INFO, pid=8822, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8849 143599744]@xxxxxxxx[7 Feb 7:57:49] file_open_and_init: failed to create file: Permission denied
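The lines above are logged at log_level=INFO even though the OPSEC library is reporting failures, so filtering the modinput log on ERROR would miss them. The following added example (not part of the original thread or the add-on) parses lines in that exact format and counts the "Permission denied" failures per input and per OPSEC library call; the sample lines are constructed to match the shape shown above.

```python
import re
from collections import Counter

# Constructed sample lines in the same layout as splunk_ta_checkpoint-opseclea_modinput.log above
SAMPLE_LOG = """\
2019-02-07 06:56:53,772 +0000 log_level=INFO, pid=8708, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8736 156715136]@xxxxxxxx[7 Feb 7:56:53] rand_add_seedfile: Failed to create mutex.: Permission denied
2019-02-07 06:56:53,785 +0000 log_level=INFO, pid=8708, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8739 161634432]@xxxxxxxx[7 Feb 7:56:53] rand_add_external_source: Failed to create mutex.: Permission denied
2019-02-07 06:56:55,569 +0000 log_level=INFO, pid=8708, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8736 156715136]@xxxxxxxx[7 Feb 7:56:55] file_open_and_init: failed to create file: Permission denied
2019-02-07 06:57:00,000 +0000 log_level=INFO, pid=8708, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=80 | [input_name="fw events" connection="fw_mgmt" data="fw"] connected to log server
"""

# Header written by the add-on, followed by whatever the OPSEC library printed
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \+0000 log_level=(?P<level>\w+), pid=(?P<pid>\d+), tid=(?P<tid>[\w-]+), '
    r'file=(?P<file>\S+), func_name=(?P<func>\w+), code_line_no=(?P<line>\d+) \| '
    r'\[input_name="(?P<input>[^"]*)" connection="(?P<conn>[^"]*)" data="(?P<data>[^"]*)"\]'
    r'(?P<msg>.*)$'
)
# Inside the library message: "[7 Feb 7:56:53] <lea_function>: <detail>"
LEA_RE = re.compile(r'\] (?P<lea_func>\w+): (?P<detail>.+)$')


def parse_line(line):
    """Split one modinput log line into add-on header fields plus the OPSEC call and its detail."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    lea = LEA_RE.search(rec["msg"])
    rec["lea_func"] = lea.group("lea_func") if lea else None
    rec["detail"] = lea.group("detail") if lea else rec["msg"].strip()
    return rec


def permission_denied_summary(text):
    """Count 'Permission denied' failures per (input_name, OPSEC library function).

    Matches on the message text rather than log_level, because the add-on logs
    the library's failures at INFO.
    """
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["detail"].endswith("Permission denied"):
            counts[(rec["input"], rec["lea_func"])] += 1
    return counts


if __name__ == "__main__":
    for (input_name, lea_func), n in sorted(permission_denied_summary(SAMPLE_LOG).items()):
        print(f'{input_name:16} {lea_func:26} permission denied x{n}')
```

A non-empty summary for an input tells you which library call (mutex creation or file creation) the add-on's user is being refused, which narrows the permission check to the filesystem paths that call touches.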
Looks like the 'user' running the process does not have the required permissions/privileges. Could you check that? Also, will this help? - https://www.giac.org/paper/gsna/154/auditing-check-point-secureplat-formng-apaplication-inteligence-...
Hi @lakshman239,
I checked all the permissions of the user running the process. Also, the same user with the same privileges is running Check Point in another environment, and I am not facing any issue there. Can you be more specific about which process that could be that needs any special permission?