topic Re: OPSEC-lea with Provider-1 in Getting Data In

OPSEC-lea with Provider-1

afaraino — Tue, 12 Apr 2011 23:59:12 GMT

Hello everyone, Does someone make the OPSEC-LEA app work with Provider-1? The main difference here is that the logs are sent directly to the CLM, not to the CMA.

Thanks for your help.

Best Regards, Alex

Re: OPSEC-lea with Provider-1

afaraino — Wed, 13 Apr 2011 22:15:24 GMT

Found the answer myself. I could help so I'm posting it there : Here is how it works :

SIC is established with the CMA
"fw putkey ..." is done on the CLM. Furthermore, I replaced the port 18184 by "fw".

The command became :

opsec_putkey -ssl -port fw <Source IP address of CLM>

Finnally, here is my lea.conf :

opsec_sic_name "CN=SplunkLEA,O=cma-xxxx"
opsec_sslca_file /opt/splunk/etc/apps/lea-loggrabber-splunk/bin/opsec.p12 
lea_server ip <Source IP address of CLM>
lea_server auth_port 18184
lea_server auth_type ssl_opsec
lea_server opsec_entity_sic_name "CN=clm-xxxx"

Re: OPSEC-lea with Provider-1

araitz — Tue, 09 Apr 2013 23:26:37 GMT

Note that this applies to versions of the Splunk/OPSEC LEA integration prior to version 2.0.0.

Re: OPSEC-lea with Provider-1

EricPartington — Mon, 22 Apr 2013 19:57:08 GMT

has anyone been able to get the 2.0 version of SPLUNK OPSEC LEA working with this same Checkpoint architecture ?