Hi, I have just installed the "new" Splunk App for Check Point OPSEC LEA, but I am running into some errors ... or at least what I think is an error.
2-11-2013 15:02:12.598 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" Could not look up HOME variable. Auth tokens cannot be cached.
02-11-2013 15:02:12.998 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" Could not look up HOME variable. Auth tokens cannot be cached.
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" splunkd request failed, 404:
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" $SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/splunk_opseclea/opsec/log_status/1@Checkpoint_management_Server
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" QUERYING: 'https://127.0.0.1:8089/servicesNS/nobody/splunk_opseclea/opsec/log_status/1@Checkpoint_management_Se...'
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" FAILED: 'HTTP/1.1 404 Not Found'
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" Content:
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" <?xml version="1.0" encoding="UTF-8"?>
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server"
2-11-2013 15:12:46.121 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" Could not look up HOME variable. Auth tokens cannot be cached.
Can anyone point me in the right direction? 🙂
The cause of this problem probably differs from user to user.
I had the same issue, and the cause was a bad configuration on my Check Point server (configured opsec_ssl instead of the sslca connection type).
To troubleshoot:
1) View $SPLUNK_HOME/etc/apps/splunk_opseclea/local/opesec-entity-health.conf. If the is_connected value is 0, then something is wrong with your connection to the Check Point. You can try to telnet to port 18184 on your Check Point management server.
2) Try to run lea-loggrabber manually. The documentation is not explicit about this, but I found a way:
2.1) Make sure the $SPLUNK_HOME env variable is set correctly
2.2) Run $SPLUNK_HOME/bin/splunk login
2.3) Copy (to your clipboard) the key (letters and digits only) which is generated in the $HOME/.splunk/ directory
2.4) Type "yes [paste the key] | $SPLUNK_HOME/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh"
3) You can also browse the app's runtime variables using the REST API:
https://serverip:8089/servicesNS/nobody/splunk_opseclea/opsec/log_status
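The procedure in this answer, written out as a shell script. This is an added example, not code from the Splunk app or from the poster: it reads is_connected from the health file, probes tcp/18184, runs lea-loggrabber with the session key read from the token file that `splunk login` writes (rather than pasted on the command line, where it would end up in shell history and in `ps` output), and queries the log_status endpoint from step 3 with that key. Two things are assumptions about the install rather than facts from the page: that the health file is INI-style with one [stanza] per OPSEC entity, and that the token file is named authToken_<host>_<port> and holds a <sessionkey> element (a bare-key file is handled as a fallback). The sample health and token files are constructed here so the parsing parts run offline.

```shell
#!/bin/sh
# Added example, not code from the Splunk app or the original post. Walks the
# three checks from the answer above. ASSUMPTIONS (not stated on the page):
#   - the health conf is INI-style, one [stanza] per OPSEC entity, holding is_connected
#   - `splunk login` writes $HOME/.splunk/authToken_<host>_<port> containing a
#     <sessionkey>...</sessionkey> element (a bare-key file is handled as a fallback)

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"          # step 2.1 of the answer
ENTITY="${ENTITY:-Checkpoint_management_Server}"   # entity name seen in the question's log
HEALTH_CONF="$SPLUNK_HOME/etc/apps/splunk_opseclea/local/opesec-entity-health.conf"

# Step 1: is_connected for one entity; prints "missing" if the stanza or key is absent.
health_is_connected() {   # $1 = conf file, $2 = entity (stanza) name
    awk -v want="[$2]" '
        { sub(/[ \t\r]*$/, "") }                      # tolerate CRLF / trailing blanks
        /^\[/ { in_stanza = ($0 == want); next }
        in_stanza && /^[ \t]*is_connected[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); print; found = 1; exit
        }
        END { if (!found) print "missing" }' "$1"
}

# Step 1 (network): can this host reach the LEA port at all? Prints
# open/closed/unknown. Not called at top level because it needs the network.
lea_port_reachable() {    # $1 = management server, $2 = port (default 18184)
    if command -v nc >/dev/null 2>&1; then
        if nc -z -w 3 "$1" "${2:-18184}" >/dev/null 2>&1; then echo open; else echo closed; fi
    else
        echo unknown
    fi
}

# Steps 2.3/2.4: take the session key from the token file instead of pasting it
# on the command line, where it would land in shell history and `ps` output.
extract_session_key() {   # $1 = token file written by `splunk login`
    key=$(sed -n 's/.*<sessionkey>\([^<]*\)<\/sessionkey>.*/\1/p' "$1")
    [ -n "$key" ] || key=$(tr -d ' \t\r\n' < "$1")   # fallback: file is the bare key
    printf '%s\n' "$key"
}

run_loggrabber_manually() {   # $1 = token file
    key=$(extract_session_key "$1")
    [ -n "$key" ] || { echo "empty token; run $SPLUNK_HOME/bin/splunk login first" >&2; return 1; }
    yes "$key" | "$SPLUNK_HOME/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh" --configentity "$ENTITY"
}

# Step 3: the REST endpoint from the answer, authenticated with the same key so
# you get the entity status rather than the 404 in the question. -k only because
# splunkd ships a self-signed cert; trust your own CA instead in production.
query_log_status() {   # $1 = token file, $2 = splunkd host:port (default 127.0.0.1:8089)
    key=$(extract_session_key "$1")
    curl -sk -H "Authorization: Splunk $key" \
        "https://${2:-127.0.0.1:8089}/servicesNS/nobody/splunk_opseclea/opsec/log_status?output_mode=json"
}

# Turn the is_connected value into the next action from the answer.
diagnose() {   # $1 = conf file, $2 = entity
    case "$(health_is_connected "$1" "$2")" in
        1)       echo "connected: $2 is pulling logs" ;;
        0)       echo "not connected: check the OPSEC object on the Check Point side (sslca, not opsec_ssl) and that tcp/18184 is reachable" ;;
        missing) echo "no health record for $2: the input has not run; try lea-loggrabber manually" ;;
    esac
}

# ---- constructed sample data so the offline parts can be exercised ----
SAMPLE_DIR=$(mktemp -d)
SAMPLE_HEALTH="$SAMPLE_DIR/opesec-entity-health.conf"
SAMPLE_TOKEN="$SAMPLE_DIR/authToken_localhost_8089"
cat > "$SAMPLE_HEALTH" <<'EOF'
[Checkpoint_management_Server]
is_connected = 0
[Other_Entity]
is_connected = 1
EOF
printf '<auth><username>admin</username><sessionkey>ExampleKey0123abcXYZ</sessionkey></auth>\n' > "$SAMPLE_TOKEN"

diagnose "$SAMPLE_HEALTH" Checkpoint_management_Server
diagnose "$SAMPLE_HEALTH" Other_Entity
extract_session_key "$SAMPLE_TOKEN"
# On a real host: diagnose "$HEALTH_CONF" "$ENTITY"; lea_port_reachable <mgmt-host>;
# run_loggrabber_manually "$HOME/.splunk/authToken_<host>_8089"
```

Two caveats when running this for real. The first error in the question is the script failing to find $HOME, which is exactly where this token cache lives, so run it from a shell that has both HOME and SPLUNK_HOME set. And the root cause this answer found (opsec_ssl instead of sslca) is on the Check Point side; is_connected = 0 and a closed or open port only tell you which side to look at, they cannot show the connection type itself.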