
Splunk Add-on for Check Point OPSEC LEA 3.1.0: Is the firewall version R77.30 supported?

Cris
Explorer

Hi everyone,

I've installed the Splunk Add-on for Check Point OPSEC LEA v3.1.0 on Splunk Enterprise v6.2.4.
The version of the firewall is R77.30, but in the requirements I can see that the upper version indicated is R77.

Does anyone know if version R77.30 is also supported?

On the opsec_watchdog.log file I always have these three lines:

2015-08-07 15:48:51,821 INFO 22457 140600047077184 Starting exec: ['./lea_loggrabber', '--configentity', 'SplunkLEA', '--appname', 'Splunk_TA_opseclea_linux22']
2015-08-07 15:48:53,073 INFO 22457 140600047077184 got ret code 1
2015-08-07 15:48:54,074 INFO 22457 140600047077184 process crashed (1), restarting
0 Karma
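The three watchdog lines above show the pattern of the failure: the watchdog starts lea_loggrabber, the process exits with code 1 about a second later, and the watchdog restarts it, over and over. As an added example (not part of the original post and not the add-on's own code), the Python script below parses opsec_watchdog.log lines in that format and flags a crash/restart loop. The line format is taken from the three quoted lines; the restart-count and time-window thresholds, and all sample lines after the first three, are constructed for the example.

```python
"""Detect an lea_loggrabber crash/restart loop in opsec_watchdog.log.

Added example, not code from the Splunk Add-on for Check Point OPSEC LEA.
Line format (from the three lines quoted in the question):
    <YYYY-MM-DD HH:MM:SS,mmm> <LEVEL> <pid> <thread-id> <message>
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+) (?P<pid>\d+) (?P<tid>\d+) (?P<msg>.*)$"
)
EXEC_RE = re.compile(r"Starting exec: \[")
RET_RE = re.compile(r"got ret code (?P<code>\d+)")
CRASH_RE = re.compile(r"process crashed \((?P<code>\d+)\), restarting")


def parse_line(line):
    """Return a dict with ts/level/pid/tid/msg, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f"),
        "level": m.group("level"),
        "pid": int(m.group("pid")),
        "tid": int(m.group("tid")),
        "msg": m.group("msg"),
    }


def analyze_watchdog(lines, max_restarts=3, window_seconds=60):
    """Summarise watchdog activity and flag a crash loop.

    A crash loop is reported when at least `max_restarts` 'process crashed'
    events fall within any `window_seconds` span (thresholds are assumptions
    chosen for this example).
    """
    starts, crashes, ret_codes = [], [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or foreign lines rather than failing
        msg = rec["msg"]
        if EXEC_RE.search(msg):
            starts.append(rec["ts"])
        m = RET_RE.search(msg)
        if m:
            ret_codes.append(int(m.group("code")))
        m = CRASH_RE.search(msg)
        if m:
            crashes.append((rec["ts"], int(m.group("code"))))

    looping = False
    for i in range(len(crashes) - max_restarts + 1):
        span = (crashes[i + max_restarts - 1][0] - crashes[i][0]).total_seconds()
        if span <= window_seconds:
            looping = True
            break

    return {
        "starts": len(starts),
        "crashes": len(crashes),
        "exit_codes": sorted(set(ret_codes)),
        "crash_loop": looping,
    }


# First three lines are the ones quoted in the question; the rest are
# constructed to show the loop continuing, plus one unparseable line.
SAMPLE_LOOP = [
    "2015-08-07 15:48:51,821 INFO 22457 140600047077184 Starting exec: ['./lea_loggrabber', '--configentity', 'SplunkLEA', '--appname', 'Splunk_TA_opseclea_linux22']",
    "2015-08-07 15:48:53,073 INFO 22457 140600047077184 got ret code 1",
    "2015-08-07 15:48:54,074 INFO 22457 140600047077184 process crashed (1), restarting",
    "2015-08-07 15:48:55,080 INFO 22457 140600047077184 Starting exec: ['./lea_loggrabber', '--configentity', 'SplunkLEA', '--appname', 'Splunk_TA_opseclea_linux22']",
    "2015-08-07 15:48:56,300 INFO 22457 140600047077184 got ret code 1",
    "2015-08-07 15:48:57,301 INFO 22457 140600047077184 process crashed (1), restarting",
    "2015-08-07 15:48:58,305 INFO 22457 140600047077184 Starting exec: ['./lea_loggrabber', '--configentity', 'SplunkLEA', '--appname', 'Splunk_TA_opseclea_linux22']",
    "2015-08-07 15:48:59,510 INFO 22457 140600047077184 got ret code 1",
    "2015-08-07 15:49:00,511 INFO 22457 140600047077184 process crashed (1), restarting",
    "not a watchdog line",
]

# Constructed healthy case: one start, no exit, no crash.
SAMPLE_HEALTHY = [
    "2015-08-07 15:48:51,821 INFO 22457 140600047077184 Starting exec: ['./lea_loggrabber', '--configentity', 'SplunkLEA', '--appname', 'Splunk_TA_opseclea_linux22']",
]

if __name__ == "__main__":
    print("loop   :", analyze_watchdog(SAMPLE_LOOP))
    print("healthy:", analyze_watchdog(SAMPLE_HEALTHY))
```

Run it against the real file with something like `analyze_watchdog(open("opsec_watchdog.log"))`. A non-zero exit code from lea_loggrabber with no output from the collector itself points at the binary failing before it ever reaches the LEA server, which is why the replies below focus on the client OS and the LEA certificate rather than on the firewall version.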

mikelanghorst
Motivator

The response I've gotten is that 77.30 is not supported, and I've gotten no response as to when it may be supported.

0 Karma

keithyap
Path Finder

Were you able to solve this issue?

0 Karma

ashokqos
Path Finder

I also had issues running LEA version 3.1.0 on CentOS. As far as I can understand, the problem is not with Check Point R77.30 but between LEA 3.1.0 and CentOS. I use LEA 2.10 and it works perfectly with my R77.30.

0 Karma

mikelanghorst
Motivator

where did you get the LEA 2.10?

Could you provide more details, was it the full 2.10 app you're using?

0 Karma

ashokqos
Path Finder

I downloaded the 2.10 version well before 3.1.0 was released. If you want I can share. Please mail me at splunk@qos.co.in
For me, 2.10 and R77.30 are working perfectly on CentOS 6.4 (64-bit). I have provided a step-by-step method on my blog.

https://qostechnology.wordpress.com/2015/04/29/integration-of-splunk-with-checkpoint-managementlog-s...

Here are some details of my setup. As you can see, the connection on port 18184 is established by LEA client 2.10.
[root@centos ~]# more /etc/redhat-release
CentOS release 6.4 (Final)
[root@centos ~]# uname -a
Linux centos 2.6.32-358.el6.x86_64 #1 SMP Fri Feb 22 00:31:26 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
[root@centos ~]# netstat -na | grep 18184
tcp 0 0 192.168.10.28:58978 192.168.10.253:18184 ESTABLISHED
[root@centos ~]#

0 Karma

mreynov_splunk
Splunk Employee

This might have been due to lack of 64-bit support of the LEA cert.

0 Karma

mreynov_splunk
Splunk Employee

I believe it should be supported, the differences between base 77 and 77.3 should not be disruptive. This is a separate issue. What OS are you running this on?

0 Karma

mikelanghorst
Motivator

Officially, no, 77.30 is not supported, and my case regarding issues on 77.30 was closed as such.

0 Karma

Cris
Explorer

Linux CentOS 7

0 Karma