OPSEC LEA lea-loggrabber is giving a Segmentmenti...

rbell54 · ‎08-07-2017

Content: I'm running RHEL 7.2, Splunk 6.6.1 and OPSEC LEA 4.2.0 and configure the OPSEC LEA app. I pull the cert but when i search for data it's not showing nothing. So I trouble shot it by running the lea-loggrabber it's crashing. Is the add app available to run on RHEL 7.2? Why is it's failing? I put the app in debug more and ran the lea-loggrabber and here's the output:

[ 27363 4151757632]server[3 Aug 14:15:04] Env Configuration:
(
        :type (opsec_info)
        :lea_server (
                :opsec_entity_sic_name ()
                :auth_type (sslca)
                :auth_port (18184)
                :ip ()
        )
        :opsec_sslca_file ()
        :opsec_sic_name ()
)

[ 27363 4151757632]server[3 Aug 14:15:04] Could not find info for ...opsec_shared_local_path...
[ 27363 4151757632]server[3 Aug 14:15:04] Could not find info for ...opsec_sic_policy_file...
[ 27363 4151757632]server[3 Aug 14:15:04] Could not find info for ...opsec_mt...
[ 27363 4151757632]server[3 Aug 14:15:04] opsec_init: multithread safety is not initialized
[ 27363 4151757632]server[3 Aug 14:15:04] cpprng_opsec_initialize: path is not initialized - will initialize
[ 27363 4151757632]server[3 Aug 14:15:04] cpprng_opsec_initialize: full file name is ops_prng
[ 27363 4151757632]server[3 Aug 14:15:04] cpprng_opsec_initialize: dev_urandom_poll returned 0
[ 27363 4151757632]server[3 Aug 14:15:04] opsec_file_is_intialized: seed is initialized
[ 27363 4151757632]server[3 Aug 14:15:04] cpprng_opsec_initialize: seed init for opsec succeeded
[ 27363 4151757632]server[3 Aug 14:15:04] opsec_init_sic_id_internal: own sic name not defined.
[ 27363 4151757632]server[3 Aug 14:15:04] PM_policy_create: version 5301.
[ 27363 4151757632]server[3 Aug 14:15:04] PM_policy_add_name_to_group: finished successfully.
[ 27363 4151757632]server[3 Aug 14:15:04] PM_policy_set_local_names: () names. finished successfully.
[ 27363 4151757632]server[3 Aug 14:15:04] PM_policy_create: finished successfully.
[ 27363 4151757632]server[3 Aug 14:15:04] PM_policy_add_name_to_group: finished successfully.
[ 27363 4151757632]server[3 Aug 14:15:04] PM_policy_set_local_names: (local_sic_name) names. finished successfully.
[ 27363 4151757632]server[3 Aug 14:15:04] PM_policy_add_name_to_group: finished successfully.
[ 27363 4151757632]server[3 Aug 14:15:04] PM_policy_set_local_names: (127.0.0.1) names. finished successfully.

Segmentation fault (core dumped)

Any Idea what's going on?

mlogendra_splun · ‎02-07-2019

When the checkpoint add-on is trying to connect to the checkpoint server, it will try to resolve itself. When it is unable to do so, it will exit with a "segmentation fault" message.

Add a host entry with the hostname of Splunk server and its IP in /etc/hosts and the segmentation fault should go away.

aalanisr26 · ‎02-22-2018

I'm experiencing the exact same behavior, did you find a solution to this?

rbell54 · ‎02-22-2018

No I work with support and they we eventually downgraded the OPSEC LEA and now it's working. I did not revisit it but eventually like to go on the newer version.

aalanisr26 · ‎02-22-2018

did you downgrade to version 3.x?

or you are still using version 4.x?
Part of the functionality we want was enabled after 4.0, but if they told you to go back to three it is not an option for us.

OPSEC LEA lea-loggrabber is giving a Segmentmention Error

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Are you a member of the Splunk Community?

OPSEC LEA lea-loggrabber is giving a Segmentmention Error

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0