
Splunk Add-on for Check Point LEA OPSEC Linux: Logs are getting indexed, but why am I getting no results from searches?

rafaelqueiroz
Explorer

Hello, I am using the Add-on for Check Point OPSEC LEA Linux, but I'm having problems searching the indexed logs in Splunk. The data is indexed, and the license and indexing report show activity, but when I search this data I cannot get results.

I'm seeing the following errors in Splunk:

10-30-2014 14:57:19,532 ERROR -0200 ExecProcessor - message from "/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity SplunkLEA" /bin/sh: /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh: No such file or directory

10-30-2014 14:57:19,532 ERROR -0200 ExecProcessor - message from "/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity SplunkLEA" /bin/sh: /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh: No such file or directory

10-31-2014 09:20:49,216 ERROR -0200 ExecProcessor - message from "/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity SplunkLEA" sh: ![CDATA[1386266990@SplunkLEA: No such file or directory

The variable $SPLUNK_HOME is working properly.

tskinnerivsec
Contributor

If this scripted input isn't working, then the data in question is not in the index = checkpoint_lea, so it is not indexed yet. Is the certificate from the Check Point management station in the path ./certs and named SplunkLEA.p12? Can you test network communication on port 18185 between the Splunk server and the management station? You should be able to look on the Check Point management station and verify that you see successful logons from Splunk. You need to verify that you have the correct opsec_entity_sic_name and opsec_sic_name. I remember there being some library dependencies that the script required as well. You can manually run the script from the operating system of the Splunk server to verify that it operates correctly. You should also verify whether the /etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh file exists, because that is what this error is complaining about.

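A preflight script that walks the checks in the answer above (grabber script present and executable, SIC certificate path readable, LEA auth port reachable), added here as an example and not code from Splunk, the add-on or the thread. It assumes a relative opsec_sslca_file path is resolved from the add-on's bin/ directory, and it builds a constructed copy of the posted stanza (with the placeholder IP kept, so the port check is skipped) as its sample input.

```shell
#!/bin/bash
# Preflight for the OPSEC LEA scripted input: an added example, not code from Splunk or the add-on.
# It walks the checks from the answer above: script present and executable, SIC certificate
# path readable (resolved from bin/, an assumption), and the LEA auth port reachable.

# get_opsec_value APP_DIR ENTITY KEY -> value of KEY in the [ENTITY] stanza of local/opsec.conf
get_opsec_value() {
    awk -v stanza="[$2]" -v key="$3" '
        $0 == stanza { in_stanza = 1; next }
        /^\[/        { in_stanza = 0 }
        in_stanza && $1 == key && $2 == "=" { print $3; exit }
    ' "$1/local/opsec.conf"
}

# lea_preflight APP_DIR ENTITY -> exit status 0 when all checks pass, otherwise the failure count
lea_preflight() {
    local app="$1" entity="$2" fails=0 sslca ip port
    local script="$app/bin/lea-loggrabber.sh"
    if [ -x "$script" ]; then echo "ok   script present and executable: $script"
    else echo "FAIL script missing or not executable: $script"; fails=$((fails + 1)); fi

    sslca=$(get_opsec_value "$app" "$entity" opsec_sslca_file)
    # The grabber runs from bin/, so a relative ../certs path is taken from there (assumption).
    case "$sslca" in /*) ;; *) sslca="$app/bin/$sslca" ;; esac
    if [ -r "$sslca" ]; then echo "ok   SIC certificate readable: $sslca"
    else echo "FAIL SIC certificate not readable: $sslca"; fails=$((fails + 1)); fi

    ip=$(get_opsec_value "$app" "$entity" lea_server_ip)
    port=$(get_opsec_value "$app" "$entity" lea_server_auth_port)
    if [ "$ip" = "x.x.x.x" ]; then echo "skip lea_server_ip is a placeholder; TCP $port not tested"
    elif timeout 3 bash -c "exec 3<>/dev/tcp/$ip/$port" 2>/dev/null; then echo "ok   TCP $ip:$port reachable"
    else echo "FAIL TCP $ip:$port unreachable from this host"; fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed sample app directory carrying the stanza keys posted in the thread (placeholder IP kept).
make_sample_app() {
    mkdir -p "$1/local" "$1/bin" "$1/certs"
    cat > "$1/local/opsec.conf" <<'EOF'
[SplunkLEA]
lea_server_auth_port = 18185
lea_server_ip = x.x.x.x
opsec_sslca_file = ../certs/SplunkLEA.p12
EOF
}
# Stand-alone run against the sample: script and certificate are absent, so two checks fail.
demo=$(mktemp -d) && make_sample_app "$demo"
lea_preflight "$demo" SplunkLEA || echo "preflight reported $? failure(s)"
rm -rf "$demo"
```

Point it at the real add-on directory with `lea_preflight "$SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22" SplunkLEA` to get one line per check against the live configuration.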

Chubbybunny
Splunk Employee

Perhaps an issue with the script or conf settings.

Can you post the contents of $SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/local/inputs.conf and $SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/local/opsec.conf?

rafaelqueiroz
Explorer

# cat $SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/local/inputs.conf
[script:///opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity SplunkLEA]
disabled = 0
interval = 30
passAuth = splunk-system-user
sourcetype = opsec
index = checkpoint_lea

# cat /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/local/opsec.conf
[SplunkLEA]
collect_audit = 0
fw_version = 75.4
is_disabled = 0
lea_server_auth_port = 18185
lea_server_auth_type = sslca
lea_server_ip = x.x.x.x
no_resolve = 1
opsec_entity_sic_name = cn=cp_mgmt,o=EGFWD01..zmib56
opsec_sic_name = CN=SplunkLEA,O=EGFWD01..zmib56
opsec_sslca_file = ../certs/SplunkLEA.p12
disabled = 0


Chubbybunny
Splunk Employee

Both appear to be properly configured. Please open a Support case and provide a diag for further analysis.
