topic Re: Checkpoint OPSEC LEA client script in Getting Data In

Checkpoint OPSEC LEA client script

nickstone — Mon, 28 Sep 2020 13:41:11 GMT

Ok, its late and its been a fight up until this point so please forgive me for missing something basic.

I have been following the instructions to integration Check Points OPSEC LEA logs into Splunk via the standard Splunk documentation. When I get to the Configuring LEA Client portion, the following error is generated on this script:

./opsec_pull_cert -h 1.1.1.1 -n SplunkLEA -p lameplaintextpw -o newcert.p12

``(obviously not the real IP or password 😛 )

-su: ./opsec_pull_cert: No such file or directory

and a similar error when I run through the connection wizard on the GUI:

/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/pull-cert.sh: line 7: ../opsec-tools/opsec_pull_cert: No such file or directory

if I run the same script as sudo, it appears to run without error, however there is no cert generated.

any insight is much appreciated...

Re: Checkpoint OPSEC LEA client script

dariusjs — Mon, 28 Sep 2020 13:41:13 GMT

Hi Nick,

What you seem to be doing is running the script from the location. Find out where that script is installed and then run it.

A nice thing if you install this on centos you get the locate utility which will find the script for you if your index is up today. I am also trying to install this today but am having connectivity issues between the splunk server and my checkpoints for now.

[root@centos-control linux22]# locate opsec_pull_cert
/opt/splunk/etc/apps/lea-loggrabber-splunk/opsec-tools/linux22/opsec_pull_cert
[root@centos-control linux22]# ./opsec_putkey -ssl -port 18184 10.1.1.1
Please enter secret key:
Please enter secret key again:

Failed to initialize authentication with 10.1.1.1

[root@centos-control linux22]#

Re: Checkpoint OPSEC LEA client script

nickstone — Mon, 28 Sep 2020 13:41:16 GMT

Sorry dariusjs,

I forgot to mention, I am already in the same directory as the script.
ie: root@spk01:/opt/splunk/etc/apps/lea-loggrabber-splunk/opsec-tools/linux22#

ls -a:
. .. opsec_pull_cert opsec_putkey

Re: Checkpoint OPSEC LEA client script

nickstone — Sat, 06 Apr 2013 23:58:53 GMT

ok 32-bit forwarder has helped and I am now stuck with Failed to initialize authentication with...

dariusjs, did you get any futher on this?

Re: Checkpoint OPSEC LEA client script

araitz — Tue, 09 Apr 2013 17:59:29 GMT

Do you have your SPLUNK_ENV set? Have you logged in to Splunk?

 $SPLUNK_HOME/bin/splunk login
 $SPLUNK_HOME/bin/splunk cmd ./opsec_pull_cert

See the troubleshooting section of the docs as well:

http://docs.splunk.com/Documentation/OPSEC-LEA/latest/Install/Runlea-loggrabbermanually

Re: Checkpoint OPSEC LEA client script

Jason — Tue, 22 Oct 2013 16:37:55 GMT

You're probably running Ubuntu/Debian 64-bit. The app requires 32-bit libraries, but the Splunk docs only tell you how to get them on Red Hat based systems. Try these to get the libraries below. Then you have to symlink a crusty old library (which thankfully the TA supplies) into /lib just to get the thing to run!

apt-get install libc6:i386 libpam0g:i386
ln -s /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/libcpc++-libc6.1-2.so.3 /lib/libcpc++-libc6.1-2.so.3

Evidently this has been causing issues for over 12 years, if that makes you feel any better. Thanks for the crap binary, checkpoint. https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk3960

Re: Checkpoint OPSEC LEA client script

rebecque — Fri, 15 Nov 2013 12:51:07 GMT

For RedHat the package names would be glibc.i686 and pam.i686

Re: Checkpoint OPSEC LEA client script

ejahnke — Tue, 20 Feb 2018 10:23:26 GMT

As of today this answer was still needed, thanks.