OPSEC LEA lea-loggrabber is giving a Segmentation Error

rbell54
Engager

I'm running RHEL 7.2, Splunk 6.6.1 and OPSEC LEA 4.2.0 and configured the OPSEC LEA app. I pulled the cert, but when I search for data it's not showing anything. So I troubleshot it by running the lea-loggrabber, and it's crashing. Is the add-on available to run on RHEL 7.2? Why is it failing? I put the app in debug mode and ran the lea-loggrabber and here's the output:

[ 27363 4151757632]server[3 Aug 14:15:04] Env Configuration:
(
        :type (opsec_info)
        :lea_server (
                :opsec_entity_sic_name ()
                :auth_type (sslca)
                :auth_port (18184)
                :ip ()
        )
        :opsec_sslca_file ()
        :opsec_sic_name ()
)

[ 27363 4151757632]server[3 Aug 14:15:04] Could not find info for ...opsec_shared_local_path...
[ 27363 4151757632]server[3 Aug 14:15:04] Could not find info for ...opsec_sic_policy_file...
[ 27363 4151757632]server[3 Aug 14:15:04] Could not find info for ...opsec_mt...
[ 27363 4151757632]server[3 Aug 14:15:04] opsec_init: multithread safety is not initialized
[ 27363 4151757632]server[3 Aug 14:15:04] cpprng_opsec_initialize: path is not initialized - will initialize
[ 27363 4151757632]server[3 Aug 14:15:04] cpprng_opsec_initialize: full file name is ops_prng
[ 27363 4151757632]server[3 Aug 14:15:04] cpprng_opsec_initialize: dev_urandom_poll returned 0
[ 27363 4151757632]server[3 Aug 14:15:04] opsec_file_is_intialized: seed is initialized
[ 27363 4151757632]server[3 Aug 14:15:04] cpprng_opsec_initialize: seed init for opsec succeeded
[ 27363 4151757632]server[3 Aug 14:15:04] opsec_init_sic_id_internal: own sic name not defined.
[ 27363 4151757632]server[3 Aug 14:15:04] PM_policy_create: version 5301.
[ 27363 4151757632]server[3 Aug 14:15:04] PM_policy_add_name_to_group: finished successfully.
[ 27363 4151757632]server[3 Aug 14:15:04] PM_policy_set_local_names: () names. finished successfully.
[ 27363 4151757632]server[3 Aug 14:15:04] PM_policy_create: finished successfully.
[ 27363 4151757632]server[3 Aug 14:15:04] PM_policy_add_name_to_group: finished successfully.
[ 27363 4151757632]server[3 Aug 14:15:04] PM_policy_set_local_names: (local_sic_name) names. finished successfully.
[ 27363 4151757632]server[3 Aug 14:15:04] PM_policy_add_name_to_group: finished successfully.
[ 27363 4151757632]server[3 Aug 14:15:04] PM_policy_set_local_names: (127.0.0.1) names. finished successfully.

Segmentation fault (core dumped)

Any idea what's going on?

mlogendra_splun
Splunk Employee

When the checkpoint add-on is trying to connect to the checkpoint server, it will try to resolve itself. When it is unable to do so, it will exit with a "segmentation fault" message.

Add a host entry with the hostname of Splunk server and its IP in /etc/hosts and the segmentation fault should go away.

0 Karma
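
A pre-flight check for the fix described in the answer above, as an added example that is not part of the original thread or of the add-on: it looks up the server's own hostname in /etc/hosts and, failing that, through the system resolver. The function names `hosts_lookup` and `check_self_resolution` are hypothetical.

```bash
#!/bin/sh
# Added example: verify that this host can resolve its own hostname,
# the condition the answer above says lea-loggrabber depends on.

# hosts_lookup FILE NAME
# Print the first address that FILE (in /etc/hosts format) maps NAME to.
# Returns 1 when no entry names NAME. Comments and blank lines are
# ignored; the match is case-insensitive and also covers aliases.
hosts_lookup() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); rc = 1 }
        {
            sub(/#.*/, "")                  # drop comments
            for (i = 2; i <= NF; i++)       # field 1 is the address
                if (tolower($i) == want) { print $1; rc = 0; exit }
        }
        END { exit rc }
    ' "$1"
}

# check_self_resolution [HOSTS_FILE]
# Report whether the local hostname is listed in HOSTS_FILE (default
# /etc/hosts) or at least resolves through the system resolver.
check_self_resolution() {
    _hosts_file="${1:-/etc/hosts}"
    _name="$(hostname)"
    if _addr="$(hosts_lookup "$_hosts_file" "$_name")"; then
        echo "OK: $_hosts_file maps $_name to $_addr"
    elif getent hosts "$_name" >/dev/null 2>&1; then
        echo "OK: $_name resolves, but not through $_hosts_file"
    else
        echo "FAIL: $_name does not resolve;" \
             "add '<server-ip> $_name' to $_hosts_file"
        return 1
    fi
}

# Run the live check only when asked to: sh thisfile.sh --check
if [ "${1:-}" = "--check" ]; then
    check_self_resolution
fi
```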

aalanisr26
Path Finder

I'm experiencing the exact same behavior. Did you find a solution to this?

0 Karma

rbell54
Engager

No, I worked with support and we eventually downgraded the OPSEC LEA and now it's working. I did not revisit it but would eventually like to go on the newer version.

aalanisr26
Path Finder

Did you downgrade to version 3.x?

Or are you still using version 4.x?
Part of the functionality we want was enabled after 4.0, so if they told you to go back to three, it is not an option for us.

0 Karma