topic Re: SIC Certificate issue in Getting Data In

SIC Certificate issue

Shark2112 — Tue, 29 Sep 2020 11:55:24 GMT

Hey guys.

After i made new connection and pull new certificate from check point, it's not in list of existing certificates, but file at /etc/apps/Splunk_TA_checkpoint-opseclea/certs/ was added.

Any ideas?

Re: SIC Certificate issue

horsefez — Thu, 24 Nov 2016 14:52:25 GMT

Hi Shark2112,

this is correct.
The cert does not get filed in /opt/splunk/etc/auth/.

You have to reference this certificate file in your opseclea_connection.conf:

    [Checkpoint_OPSECLEA]
    cert_name = Checkpoint_OPSECLEA_12389352.p12
    ...

Regards,
pyro_wood

Re: SIC Certificate issue

Shark2112 — Tue, 29 Sep 2020 11:55:33 GMT

Yes, i have "cert_name = BronkaCP_2937532815.p12" in opseclea_connection.conf, but input dont work and index is empty.

Re: SIC Certificate issue

horsefez — Thu, 24 Nov 2016 15:25:45 GMT

Would you mind posting your configuration files?
Luckily I did configure this OPSEC config two weeks ago, I had problems too.

Re: SIC Certificate issue

Shark2112 — Tue, 29 Sep 2020 11:52:29 GMT

opseclea_connection.conf
[BronkaCP]
cert_name = BronkaCP_2937532815.p12
fw_version = R77
lea_app_name = OPSEC_LEA
lea_server_auth_port = 18184
lea_server_auth_type = sslca
lea_server_ip = 10.161.14.2
lea_server_type = primary
management_server_ip = 10.161.14.2
opsec_entity_sic_name = CN=cp_mgmt,O=GW1.mydomain.ru.r9xrhm
opsec_sic_name = CN=OPSEC_LEA,O=GW1.mydomain.ru.r9xrhm
disabled = 0

opseclea_inputs.conf
[inpcp]
connection = BronkaCP
data = non_audit
index = cp
interval = 30
mode = offline
noresolve = 0
starttime =
disabled = 0
host =

Re: SIC Certificate issue

horsefez — Thu, 24 Nov 2016 15:34:05 GMT

Mine look like this:

[0] $ cat opseclea_connection.conf
[Checkpoint_OPSECLEA]
cert_name = Checkpoint_OPSECLEA_126464732.p12
fw_version = R77
lea_app_name = SplunkLEA
lea_server_auth_port = 18184
lea_server_auth_type = sslca
lea_server_ip = <firewall-ip>
lea_server_type = primary
opsec_entity_sic_name = CN=cp_mgmt,O=<somehostanddomain>.xokrso
opsec_sic_name = CN=SplunkLEA,O=<somehostanddomain>.xokrso


[0] $ cat opseclea_inputs.conf
[checkpoint_audit]
connection = Checkpoint_OPSECLEA
data = audit
index = checkpoint_firewall
interval = 60
mode = online
noresolve = 0


[0] $ cat opseclea_settings.conf
[logging]
level = INFO
disabled = 0

Re: SIC Certificate issue

Shark2112 — Thu, 24 Nov 2016 15:38:16 GMT

seems the same, did you use opsec_putkey? i'm yes but it's doesn't help

Re: SIC Certificate issue

horsefez — Thu, 24 Nov 2016 15:38:26 GMT

Difference is the:
"mode = online"

Lets do more troubleshooting.... maybe show me something from splunkd.log.
Are there any ERRORS/WARNINGS?

Re: SIC Certificate issue

Shark2112 — Tue, 29 Sep 2020 11:52:35 GMT

11-24-2016 17:20:45.794 +0300 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Thu Nov 24 14:35:10 2016). Context: FileClassifier /opt/splunk/var/log/splunk/splunk_ta_checkpoint-opseclea_modinput.log.1
11-24-2016 16:25:00.180 +0300 INFO SpecFiles - Found external scheme definition for stanza "checkpoint_opseclea://" with 1 parameters: description
11-24-2016 16:25:00.283 +0300 INFO ModularInputs - Introspection setup completed for scheme "checkpoint_opseclea".
11-24-2016 16:25:00.836 +0300 INFO SpecFiles - Found external scheme definition for stanza "checkpoint_opseclea://" with 1 parameters: description
11-24-2016 16:25:00.928 +0300 INFO ModularInputs - No stanzas found for scheme "checkpoint_opseclea" in inputs.conf at script (re)start.
11-24-2016 16:25:00.928 +0300 INFO ExecProcessor - New scheduled exec process: python /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/checkpoint_opseclea.py
11-24-2016 16:25:01.273 +0300 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/opt/splunk/var/log/splunk/splunk_ta_checkpoint-opseclea_util.log'.
11-24-2016 18:05:27.591 +0300 INFO ModularInputs - No stanzas found for scheme "checkpoint_opseclea" in inputs.conf at script (re)start.
11-24-2016 18:05:27.592 +0300 INFO ExecProcessor - New scheduled exec process: python /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/checkpoint_opseclea.py
11-24-2016 18:05:29.905 +0300 INFO SpecFiles - Found external scheme definition for stanza "checkpoint_opseclea://" with 1 parameters: description

Re: SIC Certificate issue

horsefez — Tue, 29 Sep 2020 11:52:48 GMT

Hi,

4-2016 17:20:45.794 +0300 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Thu Nov 24 14:35:10 2016). Context: FileClassifier /opt/splunk/var/log/splunk/splunk_ta_checkpoint-opseclea_modinput.log.1

This DateParserVerbose is something I experienced as an identificator for not seeing any data getting indexed from a log source. (but not from checkpoint)

Do you have any configuration in /opt/splunk/etc/system/local/ ?

JUST ASKING:
your opseclea_inputs.conf and the two other files are stored in /opt/splunk/etc/apps/Splunk_TA.../local/ right?

Re: SIC Certificate issue

Shark2112 — Tue, 29 Sep 2020 11:55:58 GMT

Hi!

your opseclea_inputs.conf and the two other files are stored in /opt/splunk/etc/apps/Splunk_TA.../local/ right?
right

i find new errors at logs:
2016-11-25 10:10:57,435 +0000 log_level=ERROR, pid=27069, tid=Thread-115, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="cp" connection="BroCP2" data="fw"]log_level=0 file:lea_loggrabber.cpp func_name:check_session_end_reason code_line_no:2159 :Session end reason: SIC ERROR 302 - SIC Error for ssl_opsec: peer name wasn't found in authentication files

2016-11-25 10:10:57,434 +0000 log_level=INFO, pid=27069, tid=Thread-115, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="cp" connection="BroCP2" data="fw"][ 32278 4152089408]@srv-splunk.msccbronka.ru[25 Nov 13:10:57] Error opening file ./sslauthkeys.C:: No such file or directory

what is that? and do i need use /opsec_putkey -ssl -port 18184 ???

Re: SIC Certificate issue

horsefez — Fri, 25 Nov 2016 15:59:54 GMT

This really gets strange and odd.

I can tell you about my experience with the OPSEC_LEA app:
As I was implementing it via CLI first, it somehow didn't work. Then I backuped all the configuration I had so far and deleted it from the system. I then used the web frontend to configure the connection and everything was working fine after that.
Me and my colleague never found any real difference between the configuration we did before via CLI and the config that got generated via web.

I'm not a fan of configuring inputs via web, but somehow it only worked after doing it that way.

If you are going to try it out, you should not forget to set a new one-time-password on your checkpoint firewall.

Re: SIC Certificate issue

Shark2112 — Tue, 29 Sep 2020 11:56:33 GMT

Hi,

we note one thing: in manual for Chek Point $FWDIR/conf/fwopsec.conf
lea_server auth_port 18184
lea_server auth_type ssl_opsec

but Splunk after taking certificate in conf file auth type setting sslca.

Can you show your Check Point config?

Re: SIC Certificate issue

Shark2112 — Tue, 29 Sep 2020 11:56:17 GMT

ok, now we can make it work, just set "lea_server auth_type sslopsec" in $FWDIR/conf/fwopsec.conf

can you answer please, do you use opsec_putkey?

Re: SIC Certificate issue

horsefez — Tue, 29 Nov 2016 16:03:44 GMT

Hi Shark,

sadly I can't show you our Checkpoint-Config. I don't have access to it.
Are you any further into solving this?

Re: SIC Certificate issue

horsefez — Tue, 29 Nov 2016 16:18:57 GMT

Hi Shark,

sadly I can't show our Checkpoint Configuration, I don't have any access to it.
Are you any further on resolving this issue?