
Splunk App for Check Point OPSEC LEA - Could not look up HOME variable. Auth tokens cannot be cached

lmyrefelt
Builder

Hi, I have just installed the "new" Splunk App for Check Point OPSEC LEA but I am running into some errors ... or at least what I think is an error.

2-11-2013 15:02:12.598 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" Could not look up HOME variable. Auth tokens cannot be cached.
02-11-2013 15:02:12.998 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" Could not look up HOME variable. Auth tokens cannot be cached.
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" splunkd request failed, 404:
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" $SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/splunk_opseclea/opsec/log_status/1@Checkpoint_management_Server
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" QUERYING: 'https://127.0.0.1:8089/servicesNS/nobody/splunk_opseclea/opsec/log_status/1@Checkpoint_management_Se...'
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" FAILED: 'HTTP/1.1 404 Not Found'
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" Content:
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" <?xml version="1.0" encoding="UTF-8"?>
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server"
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server"
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" In handler 'log_status': Could not find object id=1@Checkpoint_management_Server
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server"

02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server"

2-11-2013 15:12:46.121 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" Could not look up HOME variable. Auth tokens cannot be cached.

Anyone who can point me in the right direction? 🙂


yoho
Contributor

The cause of this problem is probably different from user to user.
I had the same issue and the cause was a bad configuration on my Check Point server (configured opsec_ssl instead of sslca connection type).

To troubleshoot:
1) View $SPLUNK_HOME/etc/apps/splunk_opseclea/local/opesec-entity-health.conf. If the is_connected value is 0, then something is wrong with your connection to the Check Point. You can try to telnet to port 18184 on your Check Point management server.
2) Try to run lea-loggrabber manually. The documentation is not explicit about this but I found a way:
2.1) Make sure the $SPLUNK_HOME env variable is set correctly
2.2) Run $SPLUNK_HOME/bin/splunk login
2.3) Copy (to your clipboard) the key (only letters & digits) which is generated in the $HOME/.splunk/ directory
2.4) Type "yes [paste the key] | $SPLUNK_HOME/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh"
3) You can also browse the app runtime variables using the REST API:
https://serverip:8089/servicesNS/nobody/splunk_opseclea/opsec/log_status
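As an added example (not code from the app or from the answer above), a small POSIX shell helper that scripts steps 1 and 3 of the answer: it reports is_connected per entity from the health conf, probes TCP/18184 on the management server instead of an interactive telnet, and pulls the log_status endpoint with a session key. It assumes the health conf (path as given in the answer) uses Splunk's [stanza] / key = value layout with one stanza per entity, that the caller passes in the session key obtained from "splunk login", and that curl and nc are installed.

```shell
#!/bin/sh
# Added diagnostic helper, not part of the Splunk app or the answer above.
# Assumes: SPLUNK_HOME is set; the health conf (path as given in the answer)
# uses Splunk's [stanza] / key = value layout with one stanza per entity;
# the session key is passed in by the caller; curl and nc are installed.
HEALTH_CONF="${SPLUNK_HOME:-/opt/splunk}/etc/apps/splunk_opseclea/local/opesec-entity-health.conf"

# Step 1: print "<entity> <is_connected>" for every stanza in the health conf.
# A stanza without the key reports "unknown" so a silent gap is visible.
health_status() {
    awk '
        /^\[/ { if (name != "") print name, val
                name = substr($0, 2, length($0) - 2); val = "unknown"; next }
        /^[ \t]*is_connected[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); val = $0 }
        END { if (name != "") print name, val }
    ' "${1:-$HEALTH_CONF}"
}

# Step 1 (cont.): non-interactive stand-in for "telnet <mgmt-server> 18184".
# Returns 0 when the LEA port accepts a TCP connection, 1 otherwise.
lea_port_open() {
    nc -z -w 3 "$1" "${2:-18184}" >/dev/null 2>&1
}

# Step 3: fetch the app's log_status endpoint. The key is the session key
# from "splunk login" (stored under $HOME/.splunk); Splunk's REST API takes
# it in an "Authorization: Splunk <key>" header. -k: splunkd's default
# certificate is self-signed.
log_status() {
    host="${1:-127.0.0.1}"; key="$2"
    curl -sk -H "Authorization: Splunk $key" \
        "https://$host:8089/servicesNS/nobody/splunk_opseclea/opsec/log_status"
}

# Usage (nothing runs when the file is only sourced for its functions):
#   . ./opsec_diag.sh
#   health_status                       # per-entity is_connected from the conf
#   lea_port_open mgmt.example.invalid && echo "LEA port reachable"
#   log_status 127.0.0.1 "$SESSION_KEY"
```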

