Hi fellow splunkers,
I have a question on the installation process of the Splunk Add-on for Checkpoint OPSEC LEA.
I have read the following document:
http://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Install
The following section concerns me:
Distributed deployment feature    Supported
Search Head Clusters              No
Indexer Clusters                  Yes
Deployment Server                 No
Should this tell me that installation via the deployer for the search head cluster is not possible?
If yes, should I then manually install this app on every search head in the cluster?
Best regards,
pyro_wood

I ended up installing the OPSEC add-on in a Heavy Forwarder running one of the supported Linux flavours.
If I were you I would either try that or use a Standalone Search Head.
Hi javiergn, I am also trying to install the latest version of OPSEC on an HF, but I am not seeing any events being forwarded to the Indexer.
I am assuming you had to add an outputs.conf (standard configuration, forward events to a port and on the indexer listen in on the port).
1) Are there any other changes you had to make to the following?
opseclea_connection.conf
opseclea_inputs.conf
2) Did you make any changes on the indexer? (I am assuming you have the app installed on the indexer.)
Thanks !
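The outputs.conf / inputs.conf pair that the question above assumes ("forward events to a port and on the indexer listen in on the port"), written out as an added example. This is constructed here and is not the add-on's own configuration or anything posted in this thread; the group name, host name, port and certificate paths are placeholders. Indexer acknowledgement and TLS with certificate verification are included because firewall logs travelling from a forwarder to an indexer should not be lost on a dropped connection or readable in transit; the add-on's own opseclea_*.conf files are unrelated to this generic forwarding path.

```ini
# --- On the Heavy Forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Constructed example: group name, host, port and cert paths are placeholders.
[tcpout]
defaultGroup = cp_indexers

[tcpout:cp_indexers]
server = indexer01.example.local:9997
# Indexer acknowledgement: the HF keeps events queued until the indexer
# confirms it has written them, so a dropped connection does not lose data.
useACK = true
# Encrypt the forwarder-to-indexer link and verify the indexer's certificate.
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca.pem
clientCert = $SPLUNK_HOME/etc/auth/mycerts/forwarder.pem
sslVerifyServerCert = true

# --- On the Indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Listen for TLS-wrapped forwarder traffic on the same port as above.
[splunktcp-ssl:9997]
disabled = false

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer.pem
# Only accept forwarders that present a certificate issued by our CA.
requireClientCert = true
```

After restarting both instances, `splunk list forward-server` on the HF shows whether the indexer is an active or a configured-but-inactive destination, and `splunk btool outputs list tcpout --debug` shows which file each effective setting comes from, which is the quickest way to spot a stray outputs.conf overriding the one above. The CA used to validate client certificates on the indexer side is configured in server.conf under [sslConfig].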

1) Did you configure the OPSEC LEA object in your CheckPoint manager?
You then need to establish a session with a one-time password between your manager and your HF.
It's all here: http://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Setup
2) No, I did not make any changes on the indexer, as the parsing provided by the app was good enough.
If you can't see any logs flowing, take a look at the troubleshooting section first: http://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Troubleshoot
If that doesn't help, raise a new question with the specific details of your problem, as you will get a much wider audience that way. Please keep in mind this post referred to version 3 and not 4 of the OPSEC LEA app.
Thanks,
J
Thanks for your quick reply javiergn,
So you never installed this Add-on on a Search Head?
What is the value I would get installing it on the SH?

You can install it on a Search Head, provided it is not part of a cluster.
But I always try to isolate the collection layer to Forwarders only (Heavy or Universal), whereas Search Heads are just for searching purposes.
If the OPSEC app causes any impact on your search head, or you need to restart it for whatever reason, you are bringing your search head down. Whereas if you have it on an HF, it's just the HF that is impacted.
Well... your approach on this actually makes a lot of sense. I will try to set it up on a HF.
Thank you!
