OPSEC LEA - connection to Smart Event : cpshared_filename failed

Communicator

Hi splunkers,

I have a problem getting logs from a SmartEvent server.

The infrastructure I am trying to connect to is:
FW1 and FW2 send logs to SmartEvent directly. They are managed with a SmartConsole. SmartEvent and SmartConsole are different servers. This infrastructure is single domain.

When I connect directly to the SmartConsole, everything is OK, I get the console logs.
When connecting to the SmartEvent, no connection!

This is the config file (splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_connection.conf) of the LEA connector:

[Connector_SSL_SmartEvent]
cert_name = Connector_SSL_SmartEvent_1874929942.p12
fw_version = R80
lea_app_name = Splunk_LEA2
lea_object_name = SmartEvent
lea_server_auth_port = 18184
lea_server_auth_type = sslca
lea_server_ip = 192.168.130.6
lea_server_type = dedicated
management_server_ip = 192.168.130.4
opsec_entity_sic_name = CN=SmartEvent,O=SmartConsole.jmsp.prod.sq5ad5
opsec_sic_name = CN=Splunk_LEA2,O=SmartConsole.jmsp.prod.sq5ad5

When I try to connect to the SmartEvent, I get the following OPSEC logs (index=_internal source=*ta_checkpoint-opseclea*):

    2019-07-25 08:55:15,080 +0000 log_level=INFO, pid=25947, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="VPN-SSL_SmartEvent" connection="Connector_SSL_SmartEvent" data="non_audit"][ 173840512][25 Jul 10:55:15] get_pkxld_path: cpshared_filename failed

    2019-07-25 08:55:13,821 +0000 log_level=INFO, pid=25947, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="VPN-SSL_SmartEvent" connection="Connector_SSL_SmartEvent" data="non_audit"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2553 :INFO: Successfully create session

    2019-07-25 08:55:13,821 +0000 log_level=INFO, pid=25947, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="VPN-SSL_SmartEvent" connection="Connector_SSL_SmartEvent" data="non_audit"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2535 :INFO: Successfully initialize client/server-pair

    2019-07-25 08:55:13,820 +0000 log_level=INFO, pid=25947, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="VPN-SSL_SmartEvent" connection="Connector_SSL_SmartEvent" data="non_audit"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2506 :INFO: Successfully create opsec environment

    2019-07-25 08:55:13,808 +0000 log_level=INFO, pid=25947, tid=Thread-5, file=ta_opseclea_data_collector.py, func_name=start_lea_loggrabber, code_line_no=337 | [input_name="VPN-SSL_SmartEvent" connection="Connector_SSL_SmartEvent" data="non_audit"] Starting /data/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/../bin/lea_loggrabber --data non_audit --debug_level 2 --appname Splunk_TA_checkpoint-opseclea --lea_server_ip 10.251.130.6 --lea_server_auth_port 18184 --lea_server_auth_type sslca --opsec_sslca_file /data/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/Connector_SSL_SmartEvent_1874929942.p12 --opsec_sic_name CN=Splunk_LEA2,O=SmartConsole.jmsp.prod.sq5ad5 --opsec_entity_sic_name CN=SmartEvent,O=SmartConsole.jmsp.prod.sq5ad5 --online --no_resolve

Has anybody successfully gotten logs from SmartEvent?

Thanks a lot.
Olivier.

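Two things are worth checking mechanically in a case like the one above: whether the opseclea_connection.conf stanza is self-consistent (SIC CNs versus the app/object names, same issuing ICA in both O= parts, dedicated log server address distinct from the management server, the standard sslca port), and how far the lea_loggrabber handshake got before the error. The script below does both. It is an added example, not code from the original post or from the Splunk Add-on for Check Point OPSEC LEA; the config keys and log wording are copied from the post, while the consistency rules are the editor's own heuristics (an assumption, not the add-on's validation), and the embedded stanza and log lines are constructed from the post's redacted values.

```python
"""Consistency checks for an opseclea_connection.conf stanza and a triage of
lea_loggrabber lines from Splunk's _internal index.

Added example, not code from the Splunk Add-on for Check Point OPSEC LEA.
The config keys and log wording mirror the post; the consistency rules are
the editor's own heuristics (assumption), not the add-on's validation.
"""
import configparser
import re

# Constructed sample: the stanza posted above, values as the poster redacted them.
SAMPLE_CONF = """\
[Connector_SSL_SmartEvent]
cert_name = Connector_SSL_SmartEvent_1874929942.p12
fw_version = R80
lea_app_name = Splunk_LEA2
lea_object_name = SmartEvent
lea_server_auth_port = 18184
lea_server_auth_type = sslca
lea_server_ip = 192.168.130.6
lea_server_type = dedicated
management_server_ip = 192.168.130.4
opsec_entity_sic_name = CN=SmartEvent,O=SmartConsole.jmsp.prod.sq5ad5
opsec_sic_name = CN=Splunk_LEA2,O=SmartConsole.jmsp.prod.sq5ad5
"""

# Constructed sample: the four lea_loggrabber lines from the post, trimmed to
# the fields the triage needs, in the newest-first order Splunk displays them.
SAMPLE_LOG = [
    '2019-07-25 08:55:15,080 +0000 log_level=INFO func_name=get_logs | [input_name="VPN-SSL_SmartEvent"][ 173840512][25 Jul 10:55:15] get_pkxld_path: cpshared_filename failed',
    '2019-07-25 08:55:13,821 +0000 log_level=INFO func_name=get_logs | [input_name="VPN-SSL_SmartEvent"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2553 :INFO: Successfully create session',
    '2019-07-25 08:55:13,821 +0000 log_level=INFO func_name=get_logs | [input_name="VPN-SSL_SmartEvent"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2535 :INFO: Successfully initialize client/server-pair',
    '2019-07-25 08:55:13,820 +0000 log_level=INFO func_name=get_logs | [input_name="VPN-SSL_SmartEvent"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2506 :INFO: Successfully create opsec environment',
]

SIC_RE = re.compile(r"^CN=(?P<cn>[^,]+),O=(?P<o>.+)$")
# "<func>: <thing> failed" after the bracketed prefix, e.g. "get_pkxld_path: cpshared_filename failed"
ERROR_RE = re.compile(r"\]\s*(?P<func>\w+): (?P<what>.+?) failed\b")

# Handshake stages lea_loggrabber reports before it asks for log files;
# wording copied from the posted lines, in the order they occur.
STAGES = [
    ("env", "Successfully create opsec environment"),
    ("pair", "Successfully initialize client/server-pair"),
    ("session", "Successfully create session"),
]


def parse_sic(name):
    """Split 'CN=<object>,O=<ICA name>' into (cn, org)."""
    m = SIC_RE.match(name.strip())
    if not m:
        raise ValueError(f"malformed SIC name: {name!r}")
    return m.group("cn"), m.group("o")


def check_stanza(conf_text, stanza):
    """Return a list of findings; an empty list means the stanza is self-consistent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    s = cp[stanza]
    findings = []
    app_cn, app_org = parse_sic(s["opsec_sic_name"])
    ent_cn, ent_org = parse_sic(s["opsec_entity_sic_name"])
    if app_cn != s["lea_app_name"]:
        findings.append(f"opsec_sic_name CN {app_cn!r} does not match lea_app_name {s['lea_app_name']!r}")
    if ent_cn != s["lea_object_name"]:
        findings.append(f"opsec_entity_sic_name CN {ent_cn!r} does not match lea_object_name {s['lea_object_name']!r}")
    if app_org != ent_org:
        findings.append("the two SIC names are issued by different ICAs (O= differs)")
    if s["lea_server_type"] == "dedicated" and s["lea_server_ip"] == s["management_server_ip"]:
        findings.append("lea_server_type=dedicated but lea_server_ip equals management_server_ip")
    if s["lea_server_auth_type"] == "sslca" and s["lea_server_auth_port"] != "18184":
        findings.append("sslca normally uses TCP 18184; check lea_server_auth_port")
    if not s["cert_name"].endswith(".p12"):
        findings.append("cert_name should be the .p12 pulled from the management server")
    return findings


def triage_log(lines):
    """Return (stages_reached, errors) for a batch of lea_loggrabber lines.

    Splunk lists the newest event first, so each stage is tested by
    membership rather than by relying on line order.
    """
    reached = [name for name, text in STAGES if any(text in line for line in lines)]
    errors = []
    for line in lines:
        m = ERROR_RE.search(line)
        if m:
            errors.append((m.group("func"), m.group("what")))
    return reached, errors


def last_stage(reached):
    """Name of the furthest handshake stage reached, or None."""
    return reached[-1] if reached else None


if __name__ == "__main__":
    for f in check_stanza(SAMPLE_CONF, "Connector_SSL_SmartEvent") or ["stanza is self-consistent"]:
        print("config:", f)
    reached, errors = triage_log(SAMPLE_LOG)
    print("furthest stage reached:", last_stage(reached))
    for func, what in errors:
        print(f"error after that stage: {func} -> {what} failed")
```

Run against the posted values the stanza produces no findings and the triage reports that the environment, client/server pair and session stages all succeeded before get_pkxld_path reported cpshared_filename failed, which is what places the problem after SIC authentication rather than in it.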
1 Solution

Communicator

Hi, the problem is found!
On a Check Point architecture with one manager and a SmartLog, if the logs are sent to the SmartLog directly, OPSEC cannot get them.
Logs have to be sent to the manager and the SmartLog at the same time.
Then OPSEC can read the logs from the manager.

SplunkTrust

Hi @o.calmels,

From the error logs you posted it looks like you have the incorrect OPSEC name set. Perhaps double-check your OPSEC Application Object SIC attribute (SIC Name).

Please have a look here for troubleshooting this:
https://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Troubleshoot#SIC_errors

Cheers,
David

Splunk Employee

Try using offline mode to retrieve historical data; online mode attempts to retrieve data as it is generated by CPK in real time.
/data/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/../bin/lea_loggrabber --data non_audit --debug_level 2 --appname Splunk_TA_checkpoint-opseclea --lea_server_ip 10.251.130.6 --lea_server_auth_port 18184 --lea_server_auth_type sslca --opsec_sslca_file /data/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/Connector_SSL_SmartEvent_1874929942.p12 --opsec_sic_name CN=Splunk_LEA2,O=SmartConsole.jmsp.prod.sq5ad5 --opsec_entity_sic_name CN=SmartEvent,O=SmartConsole.jmsp.prod.sq5ad5 --last_record_location -1:0 --no_online --no_resolve

HTH

Communicator

Hi georgen, unfortunately offline mode gives the same result, with the "cpshared_filename failed" error.