Why is the Splunk Add-on for Check Point OPSEC LEA not collecting any firewall logs?

MousumiChowdhur
Contributor

Hello everyone,

I am using the Splunk Add-on for Check Point OPSEC LEA on a Linux HF to collect the Check Point firewall logs. I have established the connection and configured the inputs (firewall events and firewall audit logs). I faced no internal errors or issues while establishing the connection and configuring the inputs, but I am still not receiving any logs.
I checked splunk_ta_checkpoint-opseclea_modinput.log and splunk_ta_checkpoint-opseclea_ucc_lib.log for any errors. There is also network connectivity between the firewall device and my HF.

If anyone has faced such an issue, kindly help me figure out whether I am missing something.

Thank you!

0 Karma

tkopchak
Path Finder

Is this a standalone or distributed Check Point environment? (e.g., is there a dedicated management server, or do the management server and the firewall exist on the same server/appliance?)

Do you have an explicit firewall rule to allow the Splunk forwarder to communicate with your management server on the FW1_lea service? If you were able to pull the certificate successfully, that would confirm that FW1_ica_pull is allowed at least. If you make any modifications to these rules, you'll need to either install the database to the management server, install policy to the firewall, or both (depending on the communication path and type of Check Point environment).

0 Karma
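A quick way to verify the two paths described in the answer above, as an added example that is not from the thread or the add-on: the port numbers are the standard Check Point definitions of the FW1_ica_pull (TCP 18210) and FW1_lea (TCP 18184) services; the host arguments are placeholders. Because a management server and a separate log server can be involved, the script checks FW1_lea against every host listed after the management server as well. An open port only shows that the rule and routing permit the TCP connection; an OPSEC session refused at the SIC layer is invisible here and still has to be read from the add-on's own logs.

```bash
#!/bin/bash
# Added example, not part of the thread or the add-on. Checks TCP reachability of
# the Check Point OPSEC services the add-on needs, run from the heavy forwarder.
# Requires bash (uses /dev/tcp) and coreutils `timeout`.

# Standard ports behind the Check Point service objects named in the thread.
opsec_port() {
    case "$1" in
        FW1_ica_pull) echo 18210 ;;   # certificate pull, used once during setup
        FW1_lea)      echo 18184 ;;   # LEA log export, used for every collection run
        *) echo "unknown service: $1" >&2; return 1 ;;
    esac
}

# tcp_check HOST PORT [TIMEOUT]: return 0 if a TCP handshake completes, 1 otherwise.
tcp_check() {
    local host=$1 port=$2 t=${3:-5}
    timeout "$t" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>/dev/null
}

# report HOST SERVICE: print one result line and return the check's status.
report() {
    local host=$1 svc=$2 port
    port=$(opsec_port "$svc") || return 1
    if tcp_check "$host" "$port"; then
        printf 'OK    %s:%s (%s)\n' "$host" "$port" "$svc"
    else
        printf 'FAIL  %s:%s (%s)\n' "$host" "$port" "$svc"
        return 1
    fi
}

# check_hosts MGMT [LOGSERVER...]: the certificate pull is only needed against
# the management server; LEA must reach every host logs are read from.
check_hosts() {
    local mgmt=$1 h rc=0
    shift
    report "$mgmt" FW1_ica_pull || rc=1
    for h in "$mgmt" "$@"; do
        report "$h" FW1_lea || rc=1
    done
    return $rc
}

# Usage: ./opsec_ports.sh <mgmt-server> [<log-server> ...]   (placeholder hosts)
if [ $# -ge 1 ]; then
    check_hosts "$@"
fi
```

If FW1_ica_pull succeeds but FW1_lea fails against the log server, the rule is most likely scoped to the management server only; after changing it, the policy or database install step from the answer above still applies.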

MousumiChowdhur
Contributor

I am able to pull the certificate successfully. The management server IP and the log server IP are different. Also, I have an explicit firewall rule to allow the Splunk forwarder to communicate with the management server on the FW1_lea service.

0 Karma

MousumiChowdhur
Contributor

Hi, I am getting the errors below now.

2019-02-07 06:56:53,772 +0000 log_level=INFO, pid=8708, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8736 156715136]@xxxxxxxx[7 Feb  7:56:53] rand_add_seedfile: Failed to create mutex.: Permission denied
2019-02-07 06:56:53,785 +0000 log_level=INFO, pid=8708, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8739 161634432]@xxxxxxxx[7 Feb  7:56:53] rand_add_external_source: Failed to create mutex.: Permission denied
2019-02-07 06:56:53,785 +0000 log_level=INFO, pid=8708, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8739 161634432]@xxxxxxxx[7 Feb  7:56:53] rand_add_seedfile: Failed to create mutex.: Permission denied
2019-02-07 06:56:55,569 +0000 log_level=INFO, pid=8708, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8736 156715136]@xxxxxxxx[7 Feb  7:56:55] file_open_and_init: failed to create file: Permission denied
2019-02-07 06:56:55,583 +0000 log_level=INFO, pid=8708, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8739 161634432]@xxxxxxxx[7 Feb  7:56:55] file_open_and_init: failed to create file: Permission denied
2019-02-07 06:57:46,616 +0000 log_level=INFO, pid=8822, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8849 143599744]@xxxxxxxx[7 Feb  7:57:46] file_open_and_init: failed to create file: Permission denied
2019-02-07 06:57:46,618 +0000 log_level=INFO, pid=8822, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8853 140867712]@xxxxxxxx[7 Feb  7:57:46] file_open_and_init: failed to create file: Permission denied
2019-02-07 06:57:47,952 +0000 log_level=INFO, pid=8822, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8849 143599744]@xxxxxxxx[7 Feb  7:57:47] rand_add_external_source: Failed to create mutex.: Permission denied
2019-02-07 06:57:47,952 +0000 log_level=INFO, pid=8822, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8849 143599744]@xxxxxxxx[7 Feb  7:57:47] rand_add_seedfile: Failed to create mutex.: Permission denied
2019-02-07 06:57:47,972 +0000 log_level=INFO, pid=8822, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8853 140867712]@xxxxxxxx[7 Feb  7:57:47] rand_add_external_source: Failed to create mutex.: Permission denied
2019-02-07 06:57:47,973 +0000 log_level=INFO, pid=8822, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8853 140867712]@xxxxxxxx[7 Feb  7:57:47] rand_add_seedfile: Failed to create mutex.: Permission denied
2019-02-07 06:57:49,890 +0000 log_level=INFO, pid=8822, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8853 140867712]@xxxxxxxx[7 Feb  7:57:49] file_open_and_init: failed to create file: Permission denied
2019-02-07 06:57:49,971 +0000 log_level=INFO, pid=8822, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8849 143599744]@xxxxxxxx[7 Feb  7:57:49] file_open_and_init: failed to create file: Permission denied
0 Karma

lakshman239
SplunkTrust

It looks like the 'user' running the process does not have the required permissions/privileges. Could you check that? Also, will this help? - https://www.giac.org/paper/gsna/154/auditing-check-point-secureplat-formng-apaplication-inteligence-...

0 Karma
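To make the suggestion above concrete, here is an added example (not from the thread or the add-on) in two parts. The first reduces the modinput log to a per-input count of which OPSEC SDK call is being denied, run here over a few lines constructed in the format of the output posted above. The second tests, as whatever account runs it, whether the directories the add-on is assumed to write into exist and are writable. The function names in the log (rand_add_seedfile, file_open_and_init) indicate the SDK is trying to create files on disk, so the check must be run as the splunkd account rather than as root: root can write anywhere and reports no problem. The app directory name, the log path and SPLUNK_HOME default are assumptions; adjust them to the installation.

```bash
#!/bin/bash
# Added example, not part of the thread or the add-on. Summarises the
# "Permission denied" lines from the add-on's modinput log and checks write
# access to the directories the add-on is assumed to use.

# summarize_perm_errors LOGFILE
# Prints "COUNT<TAB>INPUT_NAME<TAB>FAILING_FUNCTION", one line per pair, sorted.
summarize_perm_errors() {
    awk '/Permission denied/ {
        name = "?"
        if (match($0, /input_name="[^"]*"/))
            name = substr($0, RSTART + 12, RLENGTH - 13)   # strip input_name=" and "
        n = split($0, seg, "] ")          # the message follows the last "...] "
        split(seg[n], f, ": ")            # and starts with the SDK function name
        count[name "\t" f[1]]++
    }
    END { for (k in count) print count[k] "\t" k }' "$1" | sort
}

# sample_log: writes constructed lines (not real data) in the format seen in the
# thread to a temp file and prints its path.
sample_log() {
    local f
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
2019-02-07 06:56:53,772 +0000 log_level=INFO, pid=8708, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8736 156715136]@hf01[7 Feb  7:56:53] rand_add_seedfile: Failed to create mutex.: Permission denied
2019-02-07 06:56:53,785 +0000 log_level=INFO, pid=8708, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8739 161634432]@hf01[7 Feb  7:56:53] rand_add_external_source: Failed to create mutex.: Permission denied
2019-02-07 06:56:55,569 +0000 log_level=INFO, pid=8708, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8736 156715136]@hf01[7 Feb  7:56:55] file_open_and_init: failed to create file: Permission denied
2019-02-07 06:57:47,952 +0000 log_level=INFO, pid=8822, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8849 143599744]@hf01[7 Feb  7:57:47] rand_add_seedfile: Failed to create mutex.: Permission denied
2019-02-07 06:57:48,000 +0000 log_level=INFO, pid=8822, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"] collection started
EOF
    echo "$f"
}

# splunkd_user: the account splunkd runs as (Linux procps `ps`).
splunkd_user() {
    ps -o user= -C splunkd 2>/dev/null | head -n 1
}

# check_paths PATH...: report each path as OK, NOT-WRITABLE or MISSING for the
# account running this script; returns 1 if any path is not usable.
check_paths() {
    local p rc=0
    for p in "$@"; do
        if   [ ! -e "$p" ]; then printf 'MISSING       %s\n' "$p"; rc=1
        elif [ ! -w "$p" ]; then printf 'NOT-WRITABLE  %s\n' "$p"; rc=1
        else                     printf 'OK            %s\n' "$p"
        fi
    done
    return $rc
}

# Assumed locations (not confirmed by the thread): the add-on's app directory,
# its local/ subdirectory, and the Splunk log directory holding the modinput log.
SPLUNK_HOME=${SPLUNK_HOME:-/opt/splunk}
TA_DIR="$SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea"
MODINPUT_LOG="$SPLUNK_HOME/var/log/splunk/splunk_ta_checkpoint-opseclea_modinput.log"

case "${1:-}" in
    summary) summarize_perm_errors "${2:-$MODINPUT_LOG}" ;;
    check)   # run as the splunkd account: sudo -u "$(splunkd_user)" bash "$0" check
             check_paths "$TA_DIR" "$TA_DIR/local" "$SPLUNK_HOME/var/log/splunk" ;;
    demo)    summarize_perm_errors "$(sample_log)" ;;
esac
```

On the constructed sample, `demo` prints three lines: one file_open_and_init and two rand_add_seedfile denials for the "fw events" input, and one rand_add_external_source denial for "opsec_firewall". A NOT-WRITABLE result from `check` run as the splunkd account, with the same paths reported OK when run as root, is the pattern that matches the log above: the add-on was most likely installed or last modified as a different user.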

MousumiChowdhur
Contributor

Hi @lakshman239,

I checked all the permissions of the user running the process. Also, the same user with the same privileges is running Check Point in another environment, and I am not facing any issue there. Can you be more specific about which process that could be that needs special permissions?

0 Karma