
OPSEC LEA - connection to Smart Event : cpshared_filename failed

o_calmels
Communicator

Hi splunkers,

I have a problem getting logs from a Smart Event server.

The infrastructure I am trying to connect to is:
FW1 and FW2 send logs to SmartEvent directly. They are managed with a Smart Console. Smart Event and Smart Console are different servers. This infrastructure is single domain.

When I connect directly to the Smart Console, everything is OK, I get the console logs.
When connecting to the SmartEvent, no connection!

This is the config file (splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_connection.conf) of the LEA connector:

[Connector_SSL_SmartEvent]
cert_name = Connector_SSL_SmartEvent_1874929942.p12
fw_version = R80
lea_app_name = Splunk_LEA2
lea_object_name = SmartEvent
lea_server_auth_port = 18184
lea_server_auth_type = sslca
lea_server_ip = 192.168.130.6
lea_server_type = dedicated
management_server_ip = 192.168.130.4
opsec_entity_sic_name = CN=SmartEvent,O=SmartConsole.jmsp.prod.sq5ad5
opsec_sic_name = CN=Splunk_LEA2,O=SmartConsole.jmsp.prod.sq5ad5

When I try to connect to the SmartEvent, I get the following opsec logs (index=_internal source=ta_checkpoint-opseclea):

    2019-07-25 08:55:15,080 +0000 log_level=INFO, pid=25947, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="VPN-SSL_SmartEvent" connection="Connector_SSL_SmartEvent" data="non_audit"][ 173840512][25 Jul 10:55:15] get_pkxld_path: cpshared_filename failed

    2019-07-25 08:55:13,821 +0000 log_level=INFO, pid=25947, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="VPN-SSL_SmartEvent" connection="Connector_SSL_SmartEvent" data="non_audit"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2553 :INFO: Successfully create session

    2019-07-25 08:55:13,821 +0000 log_level=INFO, pid=25947, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="VPN-SSL_SmartEvent" connection="Connector_SSL_SmartEvent" data="non_audit"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2535 :INFO: Successfully initialize client/server-pair

    2019-07-25 08:55:13,820 +0000 log_level=INFO, pid=25947, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="VPN-SSL_SmartEvent" connection="Connector_SSL_SmartEvent" data="non_audit"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2506 :INFO: Successfully create opsec environment

    2019-07-25 08:55:13,808 +0000 log_level=INFO, pid=25947, tid=Thread-5, file=ta_opseclea_data_collector.py, func_name=start_lea_loggrabber, code_line_no=337 | [input_name="VPN-SSL_SmartEvent" connection="Connector_SSL_SmartEvent" data="non_audit"] Starting /data/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/../bin/lea_loggrabber --data non_audit --debug_level 2 --appname Splunk_TA_checkpoint-opseclea --lea_server_ip 10.251.130.6 --lea_server_auth_port 18184 --lea_server_auth_type sslca --opsec_sslca_file /data/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/Connector_SSL_SmartEvent_1874929942.p12 --opsec_sic_name CN=Splunk_LEA2,O=SmartConsole.jmsp.prod.sq5ad5 --opsec_entity_sic_name CN=SmartEvent,O=SmartConsole.jmsp.prod.sq5ad5 --online --no_resolve

Does somebody successfully get logs from SmartEvent?

Thanks a lot.
Olivier.

0 Karma
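A small parser for the collector lines quoted in the question, added here as an example and not part of the Splunk_TA_checkpoint-opseclea add-on: it pulls the connection name and the lea_loggrabber message out of each `ta_checkpoint-opseclea` line, orders them oldest-first (Splunk lists them newest-first), records the flags the grabber was started with, and separates the "Successfully ..." steps from the "cpshared_filename failed" line, so the point at which the session breaks is visible at a glance. The sample lines are the five from the post above; every function and field name is my own.

```python
"""Summarise Splunk_TA_checkpoint-opseclea collector log lines per LEA connection.

Added example for this thread; not part of the add-on. All names are my own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the five lines quoted in the question, as Splunk returned
# them (newest first). Only the indentation was removed.
SAMPLE_LINES = """\
2019-07-25 08:55:15,080 +0000 log_level=INFO, pid=25947, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="VPN-SSL_SmartEvent" connection="Connector_SSL_SmartEvent" data="non_audit"][ 173840512][25 Jul 10:55:15] get_pkxld_path: cpshared_filename failed
2019-07-25 08:55:13,821 +0000 log_level=INFO, pid=25947, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="VPN-SSL_SmartEvent" connection="Connector_SSL_SmartEvent" data="non_audit"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2553 :INFO: Successfully create session
2019-07-25 08:55:13,821 +0000 log_level=INFO, pid=25947, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="VPN-SSL_SmartEvent" connection="Connector_SSL_SmartEvent" data="non_audit"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2535 :INFO: Successfully initialize client/server-pair
2019-07-25 08:55:13,820 +0000 log_level=INFO, pid=25947, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="VPN-SSL_SmartEvent" connection="Connector_SSL_SmartEvent" data="non_audit"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2506 :INFO: Successfully create opsec environment
2019-07-25 08:55:13,808 +0000 log_level=INFO, pid=25947, tid=Thread-5, file=ta_opseclea_data_collector.py, func_name=start_lea_loggrabber, code_line_no=337 | [input_name="VPN-SSL_SmartEvent" connection="Connector_SSL_SmartEvent" data="non_audit"] Starting /data/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/../bin/lea_loggrabber --data non_audit --debug_level 2 --appname Splunk_TA_checkpoint-opseclea --lea_server_ip 10.251.130.6 --lea_server_auth_port 18184 --lea_server_auth_type sslca --opsec_sslca_file /data/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/Connector_SSL_SmartEvent_1874929942.p12 --opsec_sic_name CN=Splunk_LEA2,O=SmartConsole.jmsp.prod.sq5ad5 --opsec_entity_sic_name CN=SmartEvent,O=SmartConsole.jmsp.prod.sq5ad5 --online --no_resolve
""".splitlines()

# One collector line: timestamp, TA log level, "... | [input_name=.. connection=.. data=..]" and the
# lea_loggrabber text that follows the closing bracket.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) [+-]\d{4} "
    r"log_level=(?P<level>\w+), .*?\| "
    r'\[input_name="(?P<input>[^"]+)" connection="(?P<conn>[^"]+)" data="(?P<data>[^"]+)"\]'
    r"(?P<msg>.*)$"
)
# "[ 173840512][25 Jul 10:55:15]" prefixes and the "log_level=2 file:... :INFO: " preamble
# carry no diagnostic value, so they are stripped before the message is classified.
BRACKET_PREFIX = re.compile(r"^(?:\[[^\]]*\]\s*)+")
GRABBER_PREAMBLE = re.compile(r"^.*?:(?:INFO|WARNING|ERROR):\s*")


@dataclass
class LeaEvent:
    ts: str
    level: str          # the TA's own level; the grabber failure below is still INFO
    input_name: str
    connection: str
    data: str
    message: str        # cleaned lea_loggrabber text

    @property
    def is_failure(self) -> bool:
        low = self.message.lower()
        return "failed" in low or "error" in low


def clean_message(msg: str) -> str:
    msg = BRACKET_PREFIX.sub("", msg.strip())
    return GRABBER_PREAMBLE.sub("", msg)


def parse_line(line: str) -> Optional[LeaEvent]:
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return LeaEvent(m["ts"], m["level"], m["input"], m["conn"], m["data"], clean_message(m["msg"]))


def parse_loggrabber_args(message: str) -> Dict[str, str]:
    """Turn 'Starting .../lea_loggrabber --a b --flag' into {'a': 'b', 'flag': ''}."""
    if "lea_loggrabber" not in message:
        return {}
    tokens = message.split()
    args: Dict[str, str] = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
                args[tok[2:]] = tokens[i + 1]
                i += 2
                continue
            args[tok[2:]] = ""          # valueless switch such as --online
        i += 1
    return args


def summarize(lines: List[str]) -> Dict[str, dict]:
    """Group events by connection, oldest first; sorted() is stable so ties keep input order."""
    events = [ev for ev in map(parse_line, lines) if ev is not None]
    summary: Dict[str, dict] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        entry = summary.setdefault(ev.connection, {"input": ev.input_name, "args": {}, "ok": [], "failed": []})
        if ev.message.startswith("Starting "):
            entry["args"] = parse_loggrabber_args(ev.message)
        elif ev.is_failure:
            entry["failed"].append(ev.message)
        else:
            entry["ok"].append(ev.message)
    return summary


if __name__ == "__main__":
    for conn, entry in summarize(SAMPLE_LINES).items():
        mode = "online" if "online" in entry["args"] else "offline"
        print(f"{conn} (input {entry['input']}) -> LEA server {entry['args'].get('lea_server_ip')}, {mode}")
        for step in entry["ok"]:
            print("  ok      ", step)
        for step in entry["failed"]:
            print("  FAILED  ", step)
```

Note that the TA writes the grabber's `cpshared_filename failed` line at `log_level=INFO`, so an `_internal` search that filters on the TA's level alone will not surface it; matching on the message text, as `is_failure` does, is what finds the failing step.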
1 Solution

o_calmels
Communicator

Hi, the problem is found!
On a Check Point architecture with one manager and a SmartLog, if the logs are sent to the SmartLog directly, OPSEC cannot get them.
Logs are to be sent to the manager and the SmartLog at the same time.
Then OPSEC can read logs from the manager.


0 Karma

DavidHourani
Super Champion

Hi @o.calmels,

From the error logs you posted it looks like you have the incorrect Opsec name set. Perhaps double check your OPSEC Application Object SIC Attribute (SIC Name).

Please have a look here for troubleshooting this:
https://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Troubleshoot#SIC_errors

Cheers,
David

0 Karma

georgen_splunk
Splunk Employee

Try using offline mode to retrieve historical data; online mode attempts to retrieve data as it is generated by CPK in RT.
/data/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/../bin/lea_loggrabber --data non_audit --debug_level 2 --appname Splunk_TA_checkpoint-opseclea --lea_server_ip 10.251.130.6 --lea_server_auth_port 18184 --lea_server_auth_type sslca --opsec_sslca_file /data/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/Connector_SSL_SmartEvent_1874929942.p12 --opsec_sic_name CN=Splunk_LEA2,O=SmartConsole.jmsp.prod.sq5ad5 --opsec_entity_sic_name CN=SmartEvent,O=SmartConsole.jmsp.prod.sq5ad5 --last_record_location -1:0 --no_online --no_resolve

HTH

0 Karma

o_calmels
Communicator

Hi georgen, unfortunately the offline mode gives the same result, with the "cpshared_filename failed" error.

0 Karma