topic Re: How to install the Splunk Add-on for Checkpoint OPSEC LEA in a search head clustering environment? in All Apps and Add-ons

How to install the Splunk Add-on for Checkpoint OPSEC LEA in a search head clustering environment?

horsefez — Wed, 20 Jul 2016 09:07:32 GMT

Hi fellow splunkers,

I have a question on the installation process of the Splunk Add-on for Checkpoint OPSEC LEA.
I have read the following document:
http://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Install

The following section concerns me:

Distributed deployment feature  Supported
Search Head Clusters               No
Indexer Clusters                   Yes
Deployment Server                 No

Should this tell me installation over a deployer for the search head cluster is not possible?
If yes, should I then manually install this app on every search head in the cluster?

Best regards,
pyro_wood

Re: How to install the Splunk Add-on for Checkpoint OPSEC LEA in a search head clustering environment?

javiergn — Wed, 20 Jul 2016 09:14:35 GMT

I ended up installing the OPSEC add-on in a Heavy Forwarder running one of the supported Linux flavours.
If I were you I would either try that or use a Standalone Search Head.

Re: How to install the Splunk Add-on for Checkpoint OPSEC LEA in a search head clustering environment?

horsefez — Wed, 20 Jul 2016 10:16:06 GMT

Thanks for your quick reply javiergn,
so you never installed this Add-on on a Search-Head?

What is the value I would get installing it on the SH?

Re: How to install the Splunk Add-on for Checkpoint OPSEC LEA in a search head clustering environment?

javiergn — Wed, 20 Jul 2016 10:34:09 GMT

You can install it on a Search Head, provided is not part of a cluster.
But I always try to isolate collection layer to Forwarders only (Heavy or Universal) whereas Search Heads are just for searching purposes.

If the OPSEC app causes any impact on your search head or you need to restart it for whatever reason, you are bringing your search head down. Whereas if you have it on a HF, it's just the HF what is impacted.

Re: How to install the Splunk Add-on for Checkpoint OPSEC LEA in a search head clustering environment?

horsefez — Wed, 20 Jul 2016 10:56:02 GMT

Well... your approach on this actually makes a lot of sense. I will try to set it up on a HF.

Thank you!

Re: How to install the Splunk Add-on for Checkpoint OPSEC LEA in a search head clustering environment?

hassanali — Tue, 29 Sep 2020 11:59:04 GMT

Hi javiergn, I am also trying to install the latest version of OPSEC on a HF but I am not seeing any events being forwarded to the Indexer.
I am assuming you had to add an outputs.conf (standard configuration, forward events to a port and on the indexer listen in on the port).
1) Are there any other changes you had to make to the ?
opseclea_connection.conf
opseclea_inputs.conf
2) Did you make any changes on the indexer? (i am assuming you have the app installed on the indexer)

Thanks !

Re: How to install the Splunk Add-on for Checkpoint OPSEC LEA in a search head clustering environment?

javiergn — Tue, 06 Dec 2016 09:13:35 GMT

1)
Did you configure the OPSEC LEA object in your CheckPoint manager?
You then need to establish a session with a one-time password between your manager and your HF.

It's all here: http://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Setup

2)
No I did not make any changes on the indexer as the parsing provided by the app was good enough.

If you can't see any logs flowing take a look at the troubleshooting section first: http://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Troubleshoot

If that doesn't help, raise a new question with the specific details of your problem as you will get a much wider audience that way. Please keep in mind this post was referred to version 3 and not 4 of the OPSEC LEA app.

Thanks,
J