Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Check Point opsec lea upgrade v3.1 to v4.1

sassens1
Path Finder
‎10-18-2016 01:08 AM

Hello,

I'm actually using the TA version 3.1 with one CMA. The TA is installed on a forwarder node.
I'd like to upgrade to version4.1 but it is stated in the installation doc:
"You cannot upgrade from a previous version of the add-on. You must remove the previous version of the add-on before installing the new version."
So per my understanding I cannot upgrade without stopping indexing logs during the process, correct?
Perhaps I can install the new version on another forwarder, establish the SIC with the CMA and failover to this new node?

Tags (2)
Reply

mreynov_splunk
Splunk Employee
Splunk Employee
‎10-21-2016 10:58 AM

Here is the migration guide from 3.1 to 4 for reference:

http://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Releasehistory#Migration_guide

Ensure appropriate starttime is set for a smoother transition!

Reply

hunters_splunk
Splunk Employee
Splunk Employee
‎10-18-2016 01:52 AM

Hi sassens1,

Yes, you are basically right. OPSEC LEA Add-on 4.x is installed in a different folder (Splunk_TA_checkpoint-opseclea) than version 3.x, so installing 4.x is tantamount to installing a new add-on. Also, the internal data processing logic has changed in 4.X.
So, you need to either uninstall or disable the older version of OPSEC LEA Add-on and install the new 4.X version. If you keep the older version running, there will be duplicate input data.

Hope it helps. Thanks!
Hunter

Reply

sassens1
Path Finder
‎10-18-2016 03:07 AM

Hi,

thanks for your answer. So if I have both version running at the same time I'll have duplicate log indexing. OK so perhaps that's a better solution than just disabling/uninstalling v3 and enabling v4. It will last only the time to switch from v3 to v4 a couple of minutes I suppose.
I'd like to ensure a smooth migration without loosing logs.
What do you think?

0 Karma
Reply

mreynov_splunk
Splunk Employee
Splunk Employee
‎10-21-2016 10:57 AM

Here is the migration guide from 3.1 to 4 for reference:

http://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Releasehistory#Migration_guide

Ensure appropriate starttime is set for a smoother transition!

0 Karma
Reply
Get Updates on the Splunk Community!

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!

The Splunk Community Dashboard Challenge is still happening, and it's not too late to enter for the week of ...