topic Re: OPSEC LEA Linux App - does not connect in Getting Data In

OPSEC LEA Linux App - does not connect

coonsmatthew — Tue, 02 Jul 2013 14:18:20 GMT

I am using Splunk 5.03 installed on Ubuntu. I installed the OPSEC LEA App for Checkpoint log analysis. I was able to establish a connection with our Checkpoint firewall, but now the connection is showing "Never Connected" under the "last connection" field.

I used nc to verify that port 18184 is accessible from my workstation, and was able to initiate a 3 way handshake with the checkpoint server.

I am using wireshark to analyse traffic going to port 18184 and I don't see that the Splunk App is even trying to connect to the checkpoint server.

I tried restarting the splunk server, but I still don't see any connection to the checkpoint server.

What am I missing?

Thanks.

Re: OPSEC LEA Linux App - does not connect

coonsmatthew — Mon, 28 Sep 2020 14:13:44 GMT

Also, I was able to pull up the splunkd.log file and it shows this error many times over.

07-02-2013 07:46:14.868 -0700 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity CC" ERROR: failed to create session (Argument is NULL or lacks some data)

Re: OPSEC LEA Linux App - does not connect

coonsmatthew — Mon, 28 Sep 2020 14:13:50 GMT

I'm actually getting SEQ/ACK packets between the checkpoint application and the Splunk server now. I'm not getting the "failed to create session error any more, now I'm getting this error in the splunkd.log file

07-02-2013 09:00:12.632 -0700 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity Owens_cc" WARNING: Illegal entry in configuration file: SHOW_FIELDNAMES="yes"

Re: OPSEC LEA Linux App - does not connect

Chubbybunny — Tue, 02 Jul 2013 16:09:13 GMT

bug ID and workaround posted by Chubbybunny

http://splunk-base.splunk.com/answers/89683/warning-illegal-entry-in-configuration-file-show_fieldnamesyes-when-using-202-of-check-point-ospec-lea-application

Re: OPSEC LEA Linux App - does not connect

coonsmatthew — Mon, 28 Sep 2020 14:13:55 GMT

Even though I am seeing packets being sent to checkpoint from Splunk and vice versa, the app is still showing "never connected." There does not seem to be any data being indexed as well...if I "follow TCP Stream" in wireshark, I get this output: Y......EY.......local_sic_name.....local_sic_name.....local_sic_name.........cp_local.

Re: OPSEC LEA Linux App - does not connect

Chubbybunny — Tue, 02 Jul 2013 16:28:05 GMT

would it all be possible to run the APP in debug mode?

http://splunk-base.splunk.com/answers/89743/what-is-the-easiest-way-to-debug-the-check-point-opsec-lea-app

Re: OPSEC LEA Linux App - does not connect

coonsmatthew — Tue, 02 Jul 2013 16:43:41 GMT

I ran in debug mode, I keep on getting these errors:

Re: OPSEC LEA Linux App - does not connect

coonsmatthew — Mon, 28 Sep 2020 14:13:58 GMT

[ 5835 3075970752]@ubuntu[2 Jul 9:30:39] opsec_auth_client_connected: connect failed (119)
[ 5835 3075970752]@ubuntu[2 Jul 9:30:39] opsec_auth_client_connected: SIC Error for lea: Client could not choose an authentication method for service lea
[ 5835 3075970752]@ubuntu[2 Jul 9:30:39] opsec_auth_client_connected:conn=(nil) opaque=0x87fe120 err=0 comm=0x87eb440
[ 5835 3075970752]@ubuntu[2 Jul 9:30:39] comm failed to connect 0x87eb440
[ 5835 3075970752]@ubuntu[2 Jul 9:30:39] OPSEC_SET_ERRNO: err = 8 Comm is not connected/Unable to connect (pre = 0)

Re: OPSEC LEA Linux App - does not connect

Chubbybunny — Tue, 02 Jul 2013 16:59:39 GMT

'err=8' seems to indicate a problem communicating with the LEA Server for some reason per:

https://forums.checkpoint.com/forums/thread.jspa?threadID=13321

use NETCAT to test the lea server on ports 18184/tcp | pullcert 18210/tcp for an open connection
if any, restart the mgmt server???

Re: OPSEC LEA Linux App - does not connect

coonsmatthew — Tue, 02 Jul 2013 17:24:52 GMT

Yep, I bet we need to restart the checkpoint server...it's gonna be a while before that happens though. I will check back here if that does not fix the issue.