
Configure the Splunk Add-on for Check Point OPSEC LEA

lnhquang1993
New Member

Hi everyone,
I need to configure the Splunk Add-on for Check Point OPSEC LEA but I have faced some problems. I can't add a new connection.

192.168.20.1 is IP of Checkpoint FW
192.168.20.30 is IP of Splunk

I have pulled the certificate successfully from Check Point but I can't select it under SIC Certificate. I can't use the Reuse Existing SIC Certificate option.

And in Check Point SmartConsole, I can't see where to check the SIC status.

Please help,
Quang

0 Karma

Enedis
New Member

Hi,

The OPSEC App Name cannot contain special characters.
Try: splunklea.

Alex

0 Karma

ektasiwani
Communicator

Hi,

I was facing the same issue. I solved this by giving proper permissions to the "$SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/" folder. Make sure your application folder has the proper permissions and that it contains the "$SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/local/" folder.

0 Karma

evinasco
Communicator

What kind of permissions does it need? 777? In Linux.

0 Karma

ektasiwani
Communicator

Yes. You need to give 777 permission.

If giving the permission does not solve your issue, please follow the steps mentioned in the link below.

https://answers.splunk.com/answers/614787/splunk-check-point-lea-opsec-error-fatal-error-gli.html

0 Karma

evinasco
Communicator

Hi, thanks, but now I have the next issue, hehe... when I create an input:

ERROR: Session end reason: SIC ERROR 119 - SIC Error for lea: Client could not choose an authentication method for service lea

Do you know what is going on?

0 Karma

ektasiwani
Communicator

Hi,

This issue is because the OPSEC side started to use SHA-256 and updated its SDK.
Download the file from http://supportcontent.checkpoint.com/file_download?id=50832 and replace the $SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/bin/opsec-tools binaries with these new ones.

This solution is mentioned in the link which I shared in my comment:
https://answers.splunk.com/answers/614787/splunk-check-point-lea-opsec-error-fatal-error-gli.html

Check out the link below from Check Point:
https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eve...

0 Karma

lmaclean
Path Finder

Hi,

Looking at the doco, the Mgt Server IP isn't that of the Splunk server but of the Check Point Mgt Server, if it is a standalone environment (#6.2 on the doco page).

I would suggest confirming all of the steps in the doco setup, then if it still isn't working, provide here:

  1. Which step you believe it failed upon
  2. The stderr lines within splunkd.log referenced in the error message
  3. Check the ../certs/ folder within the app, and the permissions of the folder/files
  4. Output from web_service.log, referenced in the troubleshooting section of the linked doco page

0 Karma
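An added check, written for this thread rather than taken from it or from the Splunk add-on, that scripts the points ektasiwani and lmaclean raise above: the add-on directory and its local/ folder exist and are writable by the account running the check (run it as the user that runs splunkd), the pulled certificate is present in the certs folder with a .p12 name, and the OPSEC application name has no special characters. The directory layout, the .p12 naming convention and the letters-and-digits rule for the app name are assumptions.

```shell
#!/bin/sh
# Added troubleshooting check for the OPSEC LEA add-on; not part of the thread or
# of the add-on itself. Paths and naming rules below are assumptions.

# Warn if the OPSEC application name contains anything but letters and digits.
# Returns 0 when the name is plain, 1 otherwise.
check_opsec_app_name() {
    case "$1" in
        *[!A-Za-z0-9]*) echo "app name '$1' contains special characters; try e.g. splunklea"; return 1 ;;
        "")             echo "app name is empty"; return 1 ;;
        *)              return 0 ;;
    esac
}

# Check the add-on layout. $1 = add-on directory, $2 = certs directory,
# $3 = certificate file name given to pull-cert.sh. Returns 0 only if all checks pass.
check_opseclea_app() {
    app="$1"; certs="$2"; cert="$3"; rc=0
    if [ ! -d "$app" ]; then echo "missing add-on dir: $app"; return 1; fi
    if [ ! -w "$app" ]; then echo "$app is not writable by $(id -un)"; rc=1; fi
    if [ ! -d "$app/local" ]; then echo "missing $app/local (inputs are saved there)"; rc=1
    elif [ ! -w "$app/local" ]; then echo "$app/local is not writable by $(id -un)"; rc=1; fi
    if [ ! -f "$certs/$cert" ]; then echo "certificate $cert not found in $certs"; rc=1; fi
    case "$cert" in
        *.p12) ;;
        *) echo "'$cert' does not end in .p12: check for a letter l typed instead of the digit 1"; rc=1 ;;
    esac
    return "$rc"
}

# Stand-alone demo on a constructed directory tree (not a real Splunk install).
demo_dir=$(mktemp -d)
demo_app="$demo_dir/Splunk_TA_checkpoint-opseclea"
mkdir -p "$demo_app/local" "$demo_app/certs"
: > "$demo_app/certs/splunk.p12"
check_opsec_app_name "splunk-lea" || true                       # flags the hyphen
check_opseclea_app "$demo_app" "$demo_app/certs" "splunk.pl2" || true   # flags the l/1 typo
check_opseclea_app "$demo_app" "$demo_app/certs" "splunk.p12" && echo "layout OK"
rm -rf "$demo_dir"
```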

lnhquang1993
New Member

Hi lmaclean,
Thanks for your help. And yes, I recognize my fault. It is a standalone environment, so both the Log Server IP and the Mgt Server IP are the same, 192.168.20.1, right? But I still get an error:
External handler failed with code '1' and output: 'REST ERROR[400]: Bad Request - The referred entity does not exist in the Certificate Authority. Make sure you have provided the right application name and one-time password'. See splunkd.log for stderr output.

I'm pretty sure that I have typed the right application name and one-time password.
Here is the application that I created on CP:
name = splunk-lea OTP = 123
and I use it to pull the cert from CP to Splunk:
./pull-cert.sh 192.168.20.1 splunk-lea 123 splunk.pl2
and the output shows that the certificate was successfully written to ../certs/splunk.pl2.

So the application name and OTP can't be wrong, right?

0 Karma

kalaiarasu
Explorer

Hi,

Have you resolved the issue? Currently I'm facing the same issue.

0 Karma

lmaclean
Path Finder

Might be worth looking at the opseclea_connection.conf file in the ../local/ folder and seeing if the settings match what you have configured in Check Point.

Also remember they are case sensitive; the password cannot contain certain special characters; reapply the password in Check Point after each failed attempt, in case it blocks it out after the first failed try; and that all the other settings in the file match your environment as well.

https://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Configureinputs

Edit: Oh, and at the end of the cert script it is a number one (1), right, not an l (L), that you are running?

0 Karma