Solved: LEA Loggrabber CDATA ExecProcessor error

krugger · ‎05-02-2013

Hi,

I have the lea-loggrabber.sh script correctly pulling data via OPSEC from multiple firewalls. However my logs are being flooded with error messages like below:

05-02-2013 16:00:38.477 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity Firewall03" sh: ![CDATA[1366363524@Firewall03: No such file or directory

How can I correct this?

krugger · ‎08-29-2013

This issue keeps spamming my splunkd.log. Had to start discarding stderr by changing the inputs.conf to:

[script:///opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.my --configentity Firewall03 2>/dev/null]
disabled = 0
interval = 600
passAuth = admin
sourcetype = opsec
index = checkpoint

View solution in original post

krugger · ‎08-29-2013

This issue keeps spamming my splunkd.log. Had to start discarding stderr by changing the inputs.conf to:

[script:///opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.my --configentity Firewall03 2>/dev/null]
disabled = 0
interval = 600
passAuth = admin
sourcetype = opsec
index = checkpoint

krugger · ‎05-30-2013

This happens because of the shell thinks the ![CDATA is a command to be executed. It can be replicated with:

sh /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.my --configentity Firewall01 > banana

I had to comment out the part that reads the token:

read auth_key
SPLUNK_TOK=$auth_key
export SPLUNK_TOK

wmccracken · ‎05-28-2013

I too am getting these errors. Any idea on how to fix this?

LEA Loggrabber CDATA ExecProcessor error

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases