Hello everyone:
I installed the Splunk Add-on for Check Point OPSEC LEA (https://splunkbase.splunk.com/app/3197/)
I followed all the installation steps, but it gives me the following connection error:
2016-12-20 15:03:18,130 +0000 log_level=ERROR, pid=23280, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="CheckPoint" connection="CheckPoint_mgmt" data="fw"]log_level=0 file:lea_loggrabber.cpp func_name:check_session_end_reason code_line_no:2159 :Session end reason: SIC ERROR 119 - SIC Error for lea: Client could not choose an authentication method for service lea
My opseclea_inputs.conf is
[CheckPoint]
connection = CheckPoint_mgmt
data = fw
host = xxx.xxx.xxx.xxx
index = checkpoint_test
interval = 30
mode = offline
noresolve = 1
disabled = 1
And the opseclea_connection.conf is
[CheckPoint_mgmt]
cert_name = CheckPoint_mgmt_20361674.p12
fw_version = R77
lea_app_name = SplunkLEA
lea_object_name =
lea_server_auth_port = 18184
lea_server_auth_type = sslca
lea_server_ip = xxx.xxx.xxx.xxx
lea_server_type = primary
management_server_ip = xxx.xxx.xxx.xxx
opsec_entity_sic_name = CN=cp_mgmt,O=fwmgmt..nnc98w
opsec_sic_name = CN=SplunkLEA,O=fwmgmt..nnc98w
disabled = 0
Where's the problem??
Regards
The config looks right, so this is probably an issue with the OPSEC app configuration.
Check for some ideas here http://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Troubleshoot (specifically the checkpoint URL: http://dl3.checkpoint.com/paid/20/How-To-Troubleshoot-SIC-related-Issues.pdf?HashKey=1463490738_979d...)
Mreynov, thanks for your answer
We saw this in the firewall configuration:
[Expert@fwmgmt:0]# cat /var/opt/CPsuite-R77/fw1/conf/fwopsec.conf | grep lea_server
lea_server auth_port 18184
lea_server auth_type ssl_opsec
Is it possible to configure this authentication type in the connection?
Or do we need to change this in the CheckPoint configuration?
Regards
Horacio
This is definitely on the Check Point side, but I am not sure if this is a general setting or specific to the OPSEC app/object.
Hi mreynov!
When I change the parameter:
lea_server_auth_type = ssl_opsec (in opseclea_connection.conf)
Now it gives me this error message:
SIC ERROR 302 - SIC Error for ssl_opsec: peer name wasn't found in authentication files
Regards
Horacio
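
The thread turns on two files disagreeing about the LEA authentication settings: `opseclea_connection.conf` on the Splunk side and the `lea_server` lines of `fwopsec.conf` on the management server. The following is an added example, not code from the posters or from the add-on, that compares the two; the sample inputs are constructed from the values quoted above, and the function names and the handling of `#` comments in `fwopsec.conf` are assumptions.

```python
import configparser
import re

# Constructed samples, reduced to the settings quoted in this thread.
CONNECTION_CONF = """\
[CheckPoint_mgmt]
lea_server_auth_port = 18184
lea_server_auth_type = sslca
"""

FWOPSEC_CONF = """\
# constructed sample; '#' comment handling is an assumption
lea_server auth_port 18184
lea_server auth_type ssl_opsec
"""

def parse_fwopsec(text, service="lea_server"):
    """Return {key: value} for '<service> <key> <value>' lines of fwopsec.conf."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(rf"{re.escape(service)}\s+(\S+)\s+(\S+)$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def compare(connection_text, fwopsec_text):
    """Return (stanza, setting, add_on_value, fwopsec_value) for each disagreement.

    A value of None means the setting is absent from that file.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(connection_text)
    server = parse_fwopsec(fwopsec_text)
    mismatches = []
    for stanza in parser.sections():
        for key in ("auth_port", "auth_type"):
            ours = parser.get(stanza, f"lea_server_{key}", fallback=None)
            theirs = server.get(key)
            if ours != theirs:
                mismatches.append((stanza, key, ours, theirs))
    return mismatches

if __name__ == "__main__":
    for stanza, key, ours, theirs in compare(CONNECTION_CONF, FWOPSEC_CONF):
        print(f"[{stanza}] {key}: add-on has {ours!r}, fwopsec.conf has {theirs!r}")
```

Matching values only rules out this one disagreement: as the last post shows, once the auth type was set to `ssl_opsec` the session ended with SIC ERROR 302 instead.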