All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

OPSEC lea_loggrabber connects but returns nothing?

gowen
Path Finder
‎07-18-2011 02:37 PM

We have two Splunk servers and two Check Point R71 management servers. One of the management servers is the standby management, but both act as log servers, as validated using 'tracker'.

Our first Splunk box grabs logs from the primary CPM, no problems.

I'm trying to configure the other Splunk box to grab logs from the secondary CPM. fwopsec.conf is configured appropriately, the opsec key is pulled down to the Splunk box, and lea_loggrabber is able to connect to the CPM without errors. However, it just doesn't get any logs. After opsec_mainloop gets called, there never is any callback to LeaRecordHandler, it just exits. LeaEndHandler things that it's at line 0 in the log (as per lea_get_record_pos) and writes that out to lea_log_rec_num.cache.

Has anyone experienced this sort of issue where lea_loggrabber connects properly, but thinks the log is empty even through other methods of looking tell us there is something in it?

Tags (2)
Reply

Chubbybunny
Splunk Employee
Splunk Employee
‎08-04-2011 11:03 PM

I recently came across a similar problem today only to find out my firewall ACL was rejecting access to port 18184 to the Checkpoint manager from the splunk forwarder. As a quick test, try using netcat to ensure the checkpoint auth_port is indeed accessible from the splunk server.
'nc -z IP 18184'
It took me a while to figure it out since the lea_loggrabber binary very much appeared to connect and wrote the cache file. I would expect it to error if communication was offline.

Reply

Chubbybunny
Splunk Employee
Splunk Employee
‎11-07-2011 06:24 PM

in addition, include OPSEC debugging on the lea client:

OPSEC_DEBUG_LEVEL=3; export OPSEC_DEBUG_LEVEL

./lea_loggrabber --lea-config-file ./lea.conf

0 Karma
Reply

Chubbybunny
Splunk Employee
Splunk Employee
‎11-04-2011 02:36 PM

Can you post a capture of the network traffic using (tcpdump -s0 -xX port 18184) and include a copy of your lea.conf ??

0 Karma
Reply

gowen
Path Finder
‎10-25-2011 08:28 AM

Thanks, but in our case that's not the problem. tcpdump on the splunk host clearly shows the TCP connection, including 3-way handshake and 20 or so packets of psh - ack back and forth before a proper close. Also, the firewall logs mark the connection as allowed.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...