Hi splunkers,
I have a problem getting logs from a SmartEvent server.
The infrastructure I am trying to connect to is:
FW1 and FW2 send logs to SmartEvent directly. They are managed with a SmartConsole. SmartEvent and SmartConsole are different servers. This infrastructure is single domain.
When I connect directly to the SmartConsole, everything is OK, I get the console logs.
When connecting to the SmartEvent, no connection!
This is the config file (splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_connection.conf) of the LEA connector:
[Connector_SSL_SmartEvent]
cert_name = Connector_SSL_SmartEvent_1874929942.p12
fw_version = R80
lea_app_name = Splunk_LEA2
lea_object_name = SmartEvent
lea_server_auth_port = 18184
lea_server_auth_type = sslca
lea_server_ip = 192.168.130.6
lea_server_type = dedicated
management_server_ip = 192.168.130.4
opsec_entity_sic_name = CN=SmartEvent,O=SmartConsole.jmsp.prod.sq5ad5
opsec_sic_name = CN=Splunk_LEA2,O=SmartConsole.jmsp.prod.sq5ad5
When I try to connect to the SmartEvent, I get the following opsec logs (index=_internal source=ta_checkpoint-opseclea):
2019-07-25 08:55:15,080 +0000 log_level=INFO, pid=25947, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="VPN-SSL_SmartEvent" connection="Connector_SSL_SmartEvent" data="non_audit"][ 173840512][25 Jul 10:55:15] get_pkxld_path: cpshared_filename failed
2019-07-25 08:55:13,821 +0000 log_level=INFO, pid=25947, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="VPN-SSL_SmartEvent" connection="Connector_SSL_SmartEvent" data="non_audit"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2553 :INFO: Successfully create session
2019-07-25 08:55:13,821 +0000 log_level=INFO, pid=25947, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="VPN-SSL_SmartEvent" connection="Connector_SSL_SmartEvent" data="non_audit"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2535 :INFO: Successfully initialize client/server-pair
2019-07-25 08:55:13,820 +0000 log_level=INFO, pid=25947, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="VPN-SSL_SmartEvent" connection="Connector_SSL_SmartEvent" data="non_audit"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2506 :INFO: Successfully create opsec environment
2019-07-25 08:55:13,808 +0000 log_level=INFO, pid=25947, tid=Thread-5, file=ta_opseclea_data_collector.py, func_name=start_lea_loggrabber, code_line_no=337 | [input_name="VPN-SSL_SmartEvent" connection="Connector_SSL_SmartEvent" data="non_audit"] Starting /data/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/../bin/lea_loggrabber --data non_audit --debug_level 2 --appname Splunk_TA_checkpoint-opseclea --lea_server_ip 10.251.130.6 --lea_server_auth_port 18184 --lea_server_auth_type sslca --opsec_sslca_file /data/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/Connector_SSL_SmartEvent_1874929942.p12 --opsec_sic_name CN=Splunk_LEA2,O=SmartConsole.jmsp.prod.sq5ad5 --opsec_entity_sic_name CN=SmartEvent,O=SmartConsole.jmsp.prod.sq5ad5 --online --no_resolve
Has somebody successfully got logs from SmartEvent?
Thanks a lot.
Olivier.
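As an added troubleshooting helper (not from the original post or from the Splunk TA), the script below cross-checks an opseclea_connection.conf stanza against the lea_loggrabber command line that ta_opseclea_data_collector.py writes to _internal, and lists any step that logged "failed". The conf stanza and log lines are constructed to mirror the post (other log fields trimmed), and the binary path /opt/splunk/bin is an assumption.

```python
import re
import shlex
from configparser import ConfigParser

# Constructed sample modelled on the post's opseclea_connection.conf stanza.
CONF_TEXT = """
[Connector_SSL_SmartEvent]
lea_server_ip = 192.168.130.6
opsec_sic_name = CN=Splunk_LEA2,O=SmartConsole.jmsp.prod.sq5ad5
opsec_entity_sic_name = CN=SmartEvent,O=SmartConsole.jmsp.prod.sq5ad5
"""
LOG_LINES = [  # constructed _internal lines in the post's shape (other fields trimmed)
    'log_level=INFO, func_name=start_lea_loggrabber | [connection="Connector_SSL_SmartEvent"] '
    'Starting /opt/splunk/bin/lea_loggrabber --lea_server_ip 10.251.130.6 '
    '--opsec_sic_name CN=Splunk_LEA2,O=SmartConsole.jmsp.prod.sq5ad5 '
    '--opsec_entity_sic_name CN=SmartEvent,O=SmartConsole.jmsp.prod.sq5ad5 --online',
    'log_level=INFO, func_name=get_logs | [connection="Connector_SSL_SmartEvent"] '
    'get_pkxld_path: cpshared_filename failed',
]
FLAG_MAP = {  # conf key -> lea_loggrabber flag that should carry the same value
    "lea_server_ip": "--lea_server_ip",
    "opsec_sic_name": "--opsec_sic_name",
    "opsec_entity_sic_name": "--opsec_entity_sic_name",
}

def parse_grabber_args(line):
    """Return {flag: value} from a 'Starting .../lea_loggrabber ...' line, else {}."""
    m = re.search(r"Starting (\S*lea_loggrabber\b.*)$", line)
    argv = shlex.split(m.group(1))[1:] if m else []      # [1:] drops the binary path
    args, i = {}, 0
    while i < len(argv):
        has_value = i + 1 < len(argv) and not argv[i + 1].startswith("--")
        args[argv[i]] = argv[i + 1] if has_value else True  # --online is a bare switch
        i += 2 if has_value else 1
    return args

def check_connection(conf_text, stanza, log_lines):
    """Return (mismatches, failures) for one [stanza] of opseclea_connection.conf."""
    cp = ConfigParser()
    cp.read_string(conf_text)
    conf, mismatches, failures = cp[stanza], [], []
    for line in (ln for ln in log_lines if f'connection="{stanza}"' in ln):
        msg = line.split("]", 1)[-1].strip()             # text after the [...] tag
        if "failed" in msg.lower():
            failures.append(msg)
        args = parse_grabber_args(line)
        for key, flag in FLAG_MAP.items():
            if args and conf.get(key) != args.get(flag):
                mismatches.append((key, conf.get(key), args.get(flag)))
    return mismatches, failures
```

Run it against your own local/opseclea_connection.conf and the _internal lines for the connection in question; a mismatch between the stanza and the logged command line, or a "failed" step before the first log file is fetched, narrows down where to look.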