
OPSEC LEA lea-loggrabber is giving a Segmentation Error

Engager

I'm running RHEL 7.2, Splunk 6.6.1 and OPSEC LEA 4.2.0 and configured the OPSEC LEA app. I pull the cert, but when I search for data it's not showing anything. So I troubleshot it by running lea-loggrabber, and it's crashing. Is the add-on available to run on RHEL 7.2? Why is it failing? I put the app in debug mode and ran lea-loggrabber, and here's the output:

[ 27363 4151757632]server[3 Aug 14:15:04] Env Configuration:
(
        :type (opsec_info)
        :lea_server (
                :opsec_entity_sic_name ()
                :auth_type (sslca)
                :auth_port (18184)
                :ip ()
        )
        :opsec_sslca_file ()
        :opsec_sic_name ()
)

[ 27363 4151757632]server[3 Aug 14:15:04] Could not find info for ...opsec_shared_local_path...
[ 27363 4151757632]server[3 Aug 14:15:04] Could not find info for ...opsec_sic_policy_file...
[ 27363 4151757632]server[3 Aug 14:15:04] Could not find info for ...opsec_mt...
[ 27363 4151757632]server[3 Aug 14:15:04] opsec_init: multithread safety is not initialized
[ 27363 4151757632]server[3 Aug 14:15:04] cpprng_opsec_initialize: path is not initialized - will initialize
[ 27363 4151757632]server[3 Aug 14:15:04] cpprng_opsec_initialize: full file name is ops_prng
[ 27363 4151757632]server[3 Aug 14:15:04] cpprng_opsec_initialize: dev_urandom_poll returned 0
[ 27363 4151757632]server[3 Aug 14:15:04] opsec_file_is_intialized: seed is initialized
[ 27363 4151757632]server[3 Aug 14:15:04] cpprng_opsec_initialize: seed init for opsec succeeded
[ 27363 4151757632]server[3 Aug 14:15:04] opsec_init_sic_id_internal: own sic name not defined.
[ 27363 4151757632]server[3 Aug 14:15:04] PM_policy_create: version 5301.
[ 27363 4151757632]server[3 Aug 14:15:04] PM_policy_add_name_to_group: finished successfully.
[ 27363 4151757632]server[3 Aug 14:15:04] PM_policy_set_local_names: () names. finished successfully.
[ 27363 4151757632]server[3 Aug 14:15:04] PM_policy_create: finished successfully.
[ 27363 4151757632]server[3 Aug 14:15:04] PM_policy_add_name_to_group: finished successfully.
[ 27363 4151757632]server[3 Aug 14:15:04] PM_policy_set_local_names: (local_sic_name) names. finished successfully.
[ 27363 4151757632]server[3 Aug 14:15:04] PM_policy_add_name_to_group: finished successfully.
[ 27363 4151757632]server[3 Aug 14:15:04] PM_policy_set_local_names: (127.0.0.1) names. finished successfully.

Segmentation fault (core dumped)

Any Idea what's going on?

Splunk Employee

When the checkpoint add-on is trying to connect to the checkpoint server, it will try to resolve itself. When it is unable to do so, it will exit with a "segmentation fault" message.

Add a host entry with the hostname of Splunk server and its IP in /etc/hosts and the segmentation fault should go away.

0 Karma
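A preflight check for the self-resolution failure this answer describes, added here as an example (it is not part of the add-on or of Splunk's own tooling): it tests whether a name is present in a hosts file and whether the local hostname resolves, and prints the /etc/hosts line to add when it does not. The hostname splunk-hf and the addresses 10.0.0.5 and 10.0.0.6 are constructed sample values.

```shell
#!/bin/sh
# Preflight for the lea-loggrabber crash above: the add-on resolves the local
# hostname before connecting to the Check Point server, and a failed lookup
# ends in "Segmentation fault". Run on the Splunk host before enabling the input.

# Return 0 if NAME appears as a hostname or alias in HOSTS_FILE (default
# /etc/hosts), ignoring comments and matching whole words only.
hosts_file_resolves() {
    name=$1
    hosts_file=${2:-/etc/hosts}
    sed 's/#.*//' "$hosts_file" | awk -v n="$name" '
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Build the /etc/hosts line the answer recommends: "<ip>\t<hostname>".
suggest_hosts_entry() {
    printf '%s\t%s\n' "$1" "$2"
}

# Check this machine: return 0 if `hostname` resolves through the system
# resolver (getent consults /etc/hosts and DNS per nsswitch.conf); otherwise
# print the line to add and return 1. `hostname -I` is Linux-specific.
check_self_resolution() {
    me=$(hostname)
    if getent hosts "$me" >/dev/null 2>&1; then
        echo "OK: $me resolves to $(getent hosts "$me" | awk '{print $1; exit}')"
        return 0
    fi
    ip=$(hostname -I 2>/dev/null | awk '{print $1}')
    echo "FAIL: $me does not resolve; add this line to /etc/hosts:"
    suggest_hosts_entry "${ip:-<splunk-server-ip>}" "$me"
    return 1
}

# Demo against a constructed hosts file (does not touch the real /etc/hosts).
demo_hosts=$(mktemp)
printf '# constructed sample\n127.0.0.1 localhost\n10.0.0.5 splunk-hf splunk-hf.example.internal\n' > "$demo_hosts"
hosts_file_resolves splunk-hf "$demo_hosts" && echo "splunk-hf found in sample hosts file"
hosts_file_resolves other-host "$demo_hosts" || echo "other-host missing; add: $(suggest_hosts_entry 10.0.0.6 other-host)"
rm -f "$demo_hosts"
```

Run `check_self_resolution` on the forwarder itself to reproduce the answer's test against the live resolver.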

Path Finder

I'm experiencing the exact same behavior, did you find a solution to this?

0 Karma

Engager

No, I worked with support and we eventually downgraded the OPSEC LEA and now it's working. I did not revisit it but would eventually like to go to the newer version.

Path Finder

Did you downgrade to version 3.x?

Or are you still using version 4.x?
Part of the functionality we want was enabled after 4.0, but if they told you to go back to three, it is not an option for us.

0 Karma