
Splunk Add-on for Check Point OPSEC LEA (4.0): SIC ERROR 328 - SIC Error for lea: received bad message length from peer

mikaelbje
Motivator

I just installed version 4 of the CP OPSEC LEA app and am able to establish trust with the CP management server as well as add an input, but I see no data coming in. I get the following messages in the _internal log, but I'm unable to figure out what they actually mean (Google provided very little info).

The events I see that could be related are the following. The full list is below for clarity.

2016-08-22 11:39:14,424 +0000 log_level=ERROR, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"]log_level=0 file:lea_loggrabber.cpp func_name:check_session_end_reason code_line_no:2159 :Session end reason: SIC ERROR 328 - SIC Error for lea: received bad message length from peer

2016-08-22 11:39:14,419 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] auth_sslca_clnt_handler: illegal server crl_length message.

2016-08-22 11:39:14,226 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] client_send_crlreq: fetching crl failed

Full list:

2016-08-22 11:39:56,748 +0000 log_level=DEBUG, pid=10303, tid=Thread-3, file=file_monitor.py, func_name=check_changes, code_line_no=36 | Checking files=['/opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_connection.conf', '/opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_inputs.conf', '/opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_settings.conf']

2016-08-22 11:39:50,753 +0000 log_level=DEBUG, pid=10303, tid=Thread-8, file=thread_pool.py, func_name=_do_resize_according_to_loads, code_line_no=201 | current_thr_size=4, free_thrs=4, work_size=0

2016-08-22 11:39:46,748 +0000 log_level=DEBUG, pid=10303, tid=Thread-3, file=file_monitor.py, func_name=check_changes, code_line_no=36 | Checking files=['/opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_connection.conf', '/opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_inputs.conf', '/opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_settings.conf']

2016-08-22 11:39:39,752 +0000 log_level=DEBUG, pid=10303, tid=Thread-8, file=thread_pool.py, func_name=_do_resize_according_to_loads, code_line_no=201 | current_thr_size=4, free_thrs=4, work_size=0

2016-08-22 11:39:36,748 +0000 log_level=DEBUG, pid=10303, tid=Thread-3, file=file_monitor.py, func_name=check_changes, code_line_no=36 | Checking files=['/opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_connection.conf', '/opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_inputs.conf', '/opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_settings.conf']

2016-08-22 11:39:28,750 +0000 log_level=DEBUG, pid=10303, tid=Thread-8, file=thread_pool.py, func_name=_do_resize_according_to_loads, code_line_no=201 | current_thr_size=4, free_thrs=4, work_size=0

2016-08-22 11:39:26,748 +0000 log_level=DEBUG, pid=10303, tid=Thread-3, file=file_monitor.py, func_name=check_changes, code_line_no=36 | Checking files=['/opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_connection.conf', '/opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_inputs.conf', '/opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_settings.conf']

2016-08-22 11:39:17,750 +0000 log_level=DEBUG, pid=10303, tid=Thread-8, file=thread_pool.py, func_name=_do_resize_according_to_loads, code_line_no=201 | current_thr_size=4, free_thrs=4, work_size=0

2016-08-22 11:39:16,748 +0000 log_level=DEBUG, pid=10303, tid=Thread-3, file=file_monitor.py, func_name=check_changes, code_line_no=36 | Checking files=['/opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_connection.conf', '/opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_inputs.conf', '/opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_settings.conf']

2016-08-22 11:39:14,767 +0000 log_level=DEBUG, pid=10303, tid=Thread-4, file=thread_pool.py, func_name=_run, code_line_no=240 | Going to get job

2016-08-22 11:39:14,767 +0000 log_level=INFO, pid=10303, tid=Thread-4, file=thread_pool.py, func_name=_run, code_line_no=261 | Thread work_queue_size=0

2016-08-22 11:39:14,767 +0000 log_level=DEBUG, pid=10303, tid=Thread-4, file=thread_pool.py, func_name=_run, code_line_no=260 | Done with exec job

2016-08-22 11:39:14,767 +0000 log_level=INFO, pid=10303, tid=Thread-4, file=ta_data_collector.py, func_name=index_data, code_line_no=114 | [input_name="opsec_fw" data="non_audit"] End of indexing data for opsec_fw_non_audit

2016-08-22 11:39:14,767 +0000 log_level=DEBUG, pid=10303, tid=Thread-4, file=ta_data_collector.py, func_name=_do_safe_index, code_line_no=154 | [input_name="opsec_fw" data="non_audit"] Finished this round

2016-08-22 11:39:14,431 +0000 log_level=DEBUG, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"]log_level=3 file:lea_loggrabber.cpp func_name:close_screen code_line_no:5629 :Close connection to screen.

2016-08-22 11:39:14,431 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"]log_level=2 file:lea_loggrabber.cpp func_name:read_fw1_logfile code_line_no:1705 :Finish reading fw.log 1

2016-08-22 11:39:14,431 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] do_fwd_env_destroy: really destroy 0xf6c03178

2016-08-22 11:39:14,431 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] T_env_destroy: env 0xf6c03178

2016-08-22 11:39:14,431 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] fwd_env_destroy: env 0xf6c03178 (alloced = 1)

2016-08-22 11:39:14,431 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] opsec_env_destroy_sic_id_hash: Destroyed sic id hash

2016-08-22 11:39:14,431 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] opsec_destroy_sic_id_internal: Destroyed sic id (ctx id=0)

2016-08-22 11:39:14,430 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] PM_policy_destroy: finished successfully.

2016-08-22 11:39:14,430 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] sic_sslca_Free: defs = 0xf6c203f8, references = 0

2016-08-22 11:39:14,430 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] sic_sslca_Free: defs = 0xf6c1efb0, references = 0

2016-08-22 11:39:14,430 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] sic_sslca_Free: defs = 0xf6c1e6b0, references = 0

2016-08-22 11:39:14,430 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] sic_sslca_Free: defs = 0xf6c1d258, references = 0

2016-08-22 11:39:14,430 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] sic_sslca_Free: defs = 0xf6c1c938, references = 0

2016-08-22 11:39:14,430 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] sic_sslca_Free: defs = 0xf6c1b4d0, references = 0

2016-08-22 11:39:14,429 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] sic_sslca_Free: defs = 0xf6c1abb0, references = 0

2016-08-22 11:39:14,429 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] sic_sslca_Free: defs = 0xf6c19758, references = 0

2016-08-22 11:39:14,429 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] sic_sslca_Free: defs = 0xf6c18e10, references = 0

2016-08-22 11:39:14,429 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] sic_sslca_Free: defs = 0xf6c17cb0, references = 0

2016-08-22 11:39:14,429 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] sic_sslca_Free: defs = 0xf6c246e0, references = 0

2016-08-22 11:39:14,429 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] sic_sslca_Free: defs = 0xf6c23508, references = 0

2016-08-22 11:39:14,429 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] sic_sslca_Free: defs = 0xf6c223a8, references = 1

2016-08-22 11:39:14,428 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] IpcUnMapFile: unmapping file (handle=0xf6c54070)

2016-08-22 11:39:14,428 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] IpcUnMapFile: unmapping file (handle=0xf6c53ff0)

2016-08-22 11:39:14,428 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] IpcUnMapFile: unmapping file (handle=0xf6c53f60)

2016-08-22 11:39:14,428 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] IpcUnMapFile: unmapping file (handle=0xf6c54110)

2016-08-22 11:39:14,428 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] IpcUnMapFile: unmapping file (handle=0xf6c02720)

2016-08-22 11:39:14,428 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] opsec_destroy_entity_sic: deleting sic rules for entity 0xf6c16420

2016-08-22 11:39:14,428 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] Destroying entity 2 with 0 active comms

2016-08-22 11:39:14,428 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] opsec_destroy_entity_sic: deleting sic rules for entity 0xf6c16308

2016-08-22 11:39:14,427 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] Destroying entity 1 with 0 active comms

2016-08-22 11:39:14,427 +0000 log_level=DEBUG, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"]log_level=3 file:lea_loggrabber.cpp func_name:cleanup_fw1_environment code_line_no:2438 :Enter

2016-08-22 11:39:14,427 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] T_event_mainloop_e: T_event_mainloop_iter returns 0

2016-08-22 11:39:14,427 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] ckpSSL_Destroy: closed fd 15

2016-08-22 11:39:14,426 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] ckpSSL_ShutdownTimeout: 0xF6C22058

2016-08-22 11:39:14,426 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] ckpSSL_ShutdownHandler_in_sock: called

2016-08-22 11:39:14,426 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] ckpSSL_ShutdownHandler: rc=0 (1) SSL negotiation finished successfully

2016-08-22 11:39:14,426 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] REMOVING comm=0xf6c53cb8 from ent=0xf6c16308 with key=2

2016-08-22 11:39:14,425 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] pulling dgtype=ffffffff len=-1 to list=0xf6c53cd4

2016-08-22 11:39:14,425 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] pulling dgtype=40c len=0 to list=0xf6c53cd4

2016-08-22 11:39:14,425 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] pulling dgtype=402 len=20 to list=0xf6c53cd4

2016-08-22 11:39:14,424 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] pulling dgtype=1 len=0 to list=0xf6c53cd4

2016-08-22 11:39:14,424 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] opsec_comm_is_needed:comm 0xf6c53cb8 1/1 sessions need the comm.

2016-08-22 11:39:14,424 +0000 log_level=ERROR, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"]log_level=0 file:lea_loggrabber.cpp func_name:check_session_end_reason code_line_no:2159 :Session end reason: SIC ERROR 328 - SIC Error for lea: received bad message length from peer

2016-08-22 11:39:14,424 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"]log_level=2 file:lea_loggrabber.cpp func_name:check_session_end_reason code_line_no:2106 :Start to check session end reason: is_read_end 1

2016-08-22 11:39:14,423 +0000 log_level=DEBUG, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"]log_level=3 file:lea_loggrabber.cpp func_name:read_fw1_logfile_end code_line_no:2198 :OPSEC_SESSION_END_HANDLER called

2016-08-22 11:39:14,423 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"]

2016-08-22 11:39:14,423 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] SESSION ID:3 is sending DG_TYPE=3

2016-08-22 11:39:14,423 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] Destroying session (f6c54d78) id 3 (ent=f6c16308) reason=SIC_FAILURE

2016-08-22 11:39:14,422 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] Destroying comm 0xf6c53cb8 with 1 active sessions

2016-08-22 11:39:14,422 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] destroying comm 0xf6c53cb8

2016-08-22 11:39:14,422 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] COM 0xf6c53cb8 got signal 131075

2016-08-22 11:39:14,421 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] OPSEC_SET_ERRNO: err = 8 Comm is not connected/Unable to connect (pre = 8)

2016-08-22 11:39:14,421 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] comm failed to connect 0xf6c53cb8

2016-08-22 11:39:14,421 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] opsec_auth_client_connected:conn=(nil) opaque=0xf6c16580 err=0 comm=0xf6c53cb8

2016-08-22 11:39:14,420 +0000 log_level=INFO, pid=10303, tid=Thread-4, file=ta_opseclea_data_collector.py, func_name=get_contents, code_line_no=246 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"] Successfully indexed events: 0

2016-08-22 11:39:14,420 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] opsec_auth_client_connected: SIC Error for lea: received bad message length from peer

2016-08-22 11:39:14,420 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] opsec_auth_client_connected: connect failed (328)

2016-08-22 11:39:14,420 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] sic_client_end_handler: for conn id = 15

2016-08-22 11:39:14,419 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] ckpSSL_fwasync_close: start shutdown

2016-08-22 11:39:14,419 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] fwasync_do_mux_in: 15: handler returned with error

2016-08-22 11:39:14,419 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] auth_sslca_clnt_handler: illegal server crl_length message.

2016-08-22 11:39:14,418 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] ckpSSL_do_read: read 4 bytes

2016-08-22 11:39:14,418 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] ckpSSL_do_read: return should retry rc = -1

2016-08-22 11:39:14,418 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] ckpSSL_do_read: return should retry rc = -1

2016-08-22 11:39:14,417 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] ckpSSL_do_read: return should retry rc = -1

2016-08-22 11:39:14,417 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] ckpSSL_do_read: return should retry rc = -1

2016-08-22 11:39:14,417 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] ckpSSL_do_read: return should retry rc = -1

2016-08-22 11:39:14,417 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] ckpSSL_do_read: return should retry rc = -1

2016-08-22 11:39:14,416 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] ckpSSL_do_read: return should retry rc = -1

2016-08-22 11:39:14,226 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] fwasync_conn_get: get max buffer size (4194304) .

2016-08-22 11:39:14,226 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] ckpSSL_do_write: write 197 bytes

2016-08-22 11:39:14,226 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] client_send_crlreq: fetching crl failed

2016-08-22 11:39:14,226 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"]

2016-08-22 11:39:14,226 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"] DN: CN=ICA_CRL0,O=cpserver.example.com..abab9q

2016-08-22 11:39:14,226 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"] URI: http://cpserver.example.com:18264/ICA_CRL0.crl

2016-08-22 11:39:14,225 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"] CRL distribution Points:

2016-08-22 11:39:14,225 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"] not CA

2016-08-22 11:39:14,225 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"] Basic Constraint:

2016-08-22 11:39:14,225 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"] keyEncipherment

2016-08-22 11:39:14,225 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"] digitalSignature

2016-08-22 11:39:14,225 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"] Key Usage:

2016-08-22 11:39:14,225 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"]Extensions:

2016-08-22 11:39:14,225 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"]Signature Algorithm: RSA with SHA-1 Public key: RSA (1024 bits)

2016-08-22 11:39:14,225 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"]Not valid after: Thu Jul 25 02:11:59 2019 Local Time

2016-08-22 11:39:14,225 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"]Not valid before: Fri Jul 25 02:11:59 2014 Local Time

2016-08-22 11:39:14,224 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"]Subject: CN=cp_mgmt,O=cpserver.example.com..abab9q

2016-08-22 11:39:14,224 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"]Issuer: O=cpserver.example.com..abab9q

2016-08-22 11:39:14,224 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"]Serial Number: 3046

2016-08-22 11:39:14,224 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] X509 Certificate Version 3

2016-08-22 11:39:14,224 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] read_crl : failed to read crl from file

2016-08-22 11:39:14,224 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] fwca_read_crl_file: failed to open file

2016-08-22 11:39:14,224 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] fwca_create_file_name: dn without organizationUnitName

2016-08-22 11:39:14,224 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] read_crl: failed to read mgmt crl

2016-08-22 11:39:14,223 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] fwca_read_crl_file: failed to open file

2016-08-22 11:39:14,223 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"]

2016-08-22 11:39:14,223 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"] DN: CN=ICA_CRL0,O=cpserver.example.com..abab9q

2016-08-22 11:39:14,223 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"] URI: http://cpserver.example.com:18264/ICA_CRL0.crl

2016-08-22 11:39:14,223 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"] CRL distribution Points:

2016-08-22 11:39:14,223 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"] not CA

2016-08-22 11:39:14,223 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"] Basic Constraint:

2016-08-22 11:39:14,223 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"] keyEncipherment

2016-08-22 11:39:14,223 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"] digitalSignature

2016-08-22 11:39:14,222 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"] Key Usage:

2016-08-22 11:39:14,222 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"]Extensions:

2016-08-22 11:39:14,222 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"]Signature Algorithm: RSA with SHA-1 Public key: RSA (1024 bits)

2016-08-22 11:39:14,222 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"]Not valid after: Thu Jul 25 02:11:59 2019 Local Time

I can see that the modular input is running:

ps aux | grep -i opsec Mon Aug 22 14:22:52 2016

root     12126  0.3  0.0 882628 14176 ?        Ssl  13:40   0:09 python /opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/checkpoint_opseclea.py

What is going on?

0 Karma

mikaelbje
Motivator

We finally found a workaround. The loggrabber script never attempts to connect to port 18264 on the Checkpoint Server, but an strace revealed that it tries to open the CRL locally on the Splunk server from

/etc/fw/conf/ICA.crl

We configured a cron script that pulls an updated CRL list to this path. It now works. We are still stumped as to what changed on the Checkpoint server, since this used to work before without the workaround.

0 Karma
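The workaround above can be made robust rather than a bare download: the refresh should fail closed if the ICA returns an error page or an already-expired CRL, and it should replace the file atomically so the loggrabber never opens a half-written CRL. The script below is an added example, not code from the thread or from the Splunk add-on. It assumes the CRL URI shown in the certificate dump earlier in the thread (http://cpserver.example.com:18264/ICA_CRL0.crl) and the path the strace revealed (/etc/fw/conf/ICA.crl); both are placeholders to adjust, as is the cron install path. It also assumes curl, openssl and GNU date are present on the Splunk host.

```shell
#!/bin/sh
# Added example (not from the thread or the Splunk add-on): a cron-driven CRL
# refresh for the OPSEC LEA client. Fetches the CRL published by the Check
# Point ICA, verifies it parses as a CRL and is not past nextUpdate, then
# installs it atomically at the path the loggrabber was seen opening.
# Assumptions (placeholders): CRL_URL, CRL_PATH, and that curl, openssl and
# GNU date exist on the heavy forwarder.
set -eu

CRL_URL="${CRL_URL:-http://cpserver.example.com:18264/ICA_CRL0.crl}"   # CRL DP from the cert dump
CRL_PATH="${CRL_PATH:-/etc/fw/conf/ICA.crl}"                          # path loggrabber opens

# fetch_crl URL DEST: download the CRL to DEST; any HTTP error is fatal,
# so an ICA error page is never mistaken for a CRL.
fetch_crl() {
    curl --silent --show-error --fail --max-time 30 --output "$2" "$1"
}

# crl_format FILE: print DER or PEM according to how openssl parses FILE;
# return 1 if it parses as neither (empty file, HTML, garbage).
crl_format() {
    if openssl crl -inform DER -in "$1" -noout >/dev/null 2>&1; then
        echo DER
    elif openssl crl -inform PEM -in "$1" -noout >/dev/null 2>&1; then
        echo PEM
    else
        return 1
    fi
}

# verify_crl FILE: succeed only if FILE is a parseable CRL whose nextUpdate
# is still in the future. Installing an expired CRL would just reproduce the
# "fetching crl failed" session teardown on the next connect.
verify_crl() {
    fmt=$(crl_format "$1") || return 1
    next=$(openssl crl -inform "$fmt" -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//')
    next_epoch=$(date -d "$next" +%s 2>/dev/null) || return 1   # GNU date syntax
    [ "$next_epoch" -gt "$(date +%s)" ]
}

# install_crl SRC DEST: copy SRC beside DEST and rename over it, so a reader
# sees either the old or the new CRL, never a partial one. DEST ends up
# byte-identical to SRC and the temporary file is gone.
install_crl() {
    tmp="$2.tmp.$$"
    cp "$1" "$tmp"
    chmod 0644 "$tmp"
    mv -f "$tmp" "$2"
}

main() {
    work=$(mktemp)
    trap 'rm -f "$work"' EXIT
    fetch_crl "$CRL_URL" "$work"
    verify_crl "$work" || { echo "refusing to install invalid or expired CRL from $CRL_URL" >&2; exit 1; }
    install_crl "$work" "$CRL_PATH"
    echo "installed CRL from $CRL_URL to $CRL_PATH"
}

# Cron entry (placeholder path): */30 * * * * /usr/local/sbin/refresh_ica_crl.sh run
case "${1:-}" in
    run) main ;;
esac
```

Run it once by hand with `run` after placing it, and check the loggrabber's next session no longer logs `client_send_crlreq: fetching crl failed`; the refresh interval should be comfortably shorter than the ICA's CRL validity period so the file on disk never lapses.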

mikaelbje
Motivator

Re jamesarmitage's answer:

log_level=3 file:lea_loggrabber.cpp func_name:open_screen code_line_no:5612 :Open connection to screen.
log_level=3 file:lea_loggrabber.cpp func_name:main_worker code_line_no:1160 :Logfilename      : fw.log
log_level=3 file:lea_loggrabber.cpp func_name:main_worker code_line_no:1161 :Record Separator : |
log_level=3 file:lea_loggrabber.cpp func_name:main_worker code_line_no:1162 :Resolve Addresses: No
log_level=3 file:lea_loggrabber.cpp func_name:main_worker code_line_no:1163 :Show Filenames   : No
log_level=3 file:lea_loggrabber.cpp func_name:main_worker code_line_no:1164 :FW1-2000         : No
log_level=3 file:lea_loggrabber.cpp func_name:main_worker code_line_no:1165 :Online-Mode      : No
log_level=3 file:lea_loggrabber.cpp func_name:main_worker code_line_no:1166 :Audit-Log        : Yes
log_level=3 file:lea_loggrabber.cpp func_name:main_worker code_line_no:1167 :Show Fieldnames  : Yes
log_level=3 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2255 :Enter
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: -v
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: opsec_sic_name
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: CN=SplunkLEA,O=cpserver.example.com..abab9q
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: -v
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: opsec_sslca_file
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: /opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/opsec_logs_1496239478.p12
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: -v
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: lea_server
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: ip
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: 1.1.1.1
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: -v
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: lea_server
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: auth_port
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: 18184
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: -v
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: lea_server
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: auth_type
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: sslca
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: -v
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: lea_server
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: opsec_entity_sic_name
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: CN=cp_mgmt,O=cpserver.example.com..abab9q
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:10] Env Configuration:
(
        :type (opsec_info)
        :lea_server (
                :opsec_entity_sic_name ("CN=cp_mgmt,O=cpserver.example.com..abab9q")
                :auth_type (sslca)
                :auth_port (18184)
                :ip (1.1.1.1)
        )
        :opsec_sslca_file ("/opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/opsec_logs_1496239478.p12")
        :opsec_sic_name ("CN=SplunkLEA,O=cpserver.example.com..abab9q")
)

[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:10] Could not find info for ...opsec_shared_local_path...
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:10] Could not find info for ...opsec_sic_policy_file...
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:10] Could not find info for ...opsec_mt...
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:10] opsec_init: multithread safety is not initialized
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:10] cpprng_opsec_initialize: path is not initialized - will initialize
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:10] cpprng_opsec_initialize: full file name is ops_prng
log_level=3 file:lea_loggrabber.cpp func_name:main code_line_no:1107 :Current pid=54515 parent_pid=52671, Sleeping 1 sec
log_level=3 file:lea_loggrabber.cpp func_name:main code_line_no:1107 :Current pid=54515 parent_pid=52671, Sleeping 1 sec
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] cpprng_opsec_initialize: dev_urandom_poll returned 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_file_is_intialized: seed is initialized
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] cpprng_opsec_initialize: seed init for opsec succeeded
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] PM_policy_create: version 5301.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] PM_policy_add_name_to_group: finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] PM_policy_set_local_names: () names. finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] PM_policy_create: finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] PM_policy_add_name_to_group: finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] PM_policy_set_local_names: (local_sic_name) names. finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] PM_policy_add_name_to_group: finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] PM_policy_set_local_names: (127.0.0.1) names. finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] PM_policy_add_name_to_group: finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] PM_policy_set_local_names: ("CN=SplunkLEA,O=cpserver.example.com..abab9q") names. finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] get_bc_ds_choiceID: Failed to open registry;  using default
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] PM_apply_default_dn: ca_dn = [O=cpserver.example.com..abab9q].
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] PM_apply_default_dn: calling PM_policy_DN_conversion ..
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] PM_apply_default_dn: finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] fwPubKeyfromPKCS8: decoding RSA key
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] ckpSSLctx_New: prefs = 12
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] ckpSSLctx_New: prefs = 12
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_init_sslca: calling sic_set_auth_handler_save_opaque, server_opaque - defs = 0xf6c16f80, client_opaque - defs = 0xf6c16f80
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] ckpSSLctx_New: prefs = 32
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_init_sslca: calling sic_set_auth_handler_save_opaque, server_opaque - defs = 0xf6c18060, client_opaque - defs = 0xf6c18060
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] ckpSSLctx_New: prefs = 11
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_init_sslca: calling sic_set_auth_handler_save_opaque, server_opaque - defs = 0xf6c19238, client_opaque - defs = 0xf6c19238
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] ckpSSLctx_New: prefs = 31
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_init_sslca: calling sic_set_auth_handler_save_opaque, server_opaque - defs = 0xf6c1a3f8, client_opaque - defs = 0xf6c1a3f8
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] ckpSSLctx_New: prefs = 12
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_init_sslca: calling sic_set_auth_handler_save_opaque, server_opaque - defs = 0xf6c1b5b8, client_opaque - defs = 0xf6c1b5b8
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] sslcaInitCP_Ex: using asym client without ca cert
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] ckpSSLctx_New: prefs = 12
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] ckpSSLctx_New: prefs = 12
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_init_sslca: calling sic_set_auth_handler_save_opaque, server_opaque - defs = 0xf6c1d348, client_opaque - defs = 0xf6c1bee0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] sslcaInitCP_Ex: using asym client without ca cert
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] ckpSSLctx_New: prefs = 32
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] ckpSSLctx_New: prefs = 32
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_init_sslca: calling sic_set_auth_handler_save_opaque, server_opaque - defs = 0xf6c1f0e8, client_opaque - defs = 0xf6c1dc88
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] sslcaInitCP_Ex: using asym client without ca cert
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] ckpSSLctx_New: prefs = 11
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] ckpSSLctx_New: prefs = 11
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_init_sslca: calling sic_set_auth_handler_save_opaque, server_opaque - defs = 0xf6c20e68, client_opaque - defs = 0xf6c1fa08
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] sslcaInitCP_Ex: using asym client without ca cert
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] ckpSSLctx_New: prefs = 31
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] ckpSSLctx_New: prefs = 31
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_init_sslca: calling sic_set_auth_handler_save_opaque, server_opaque - defs = 0xf6c22bb8, client_opaque - defs = 0xf6c21750
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] sic_sslca_Free: defs = 0xf6c16680, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_init_sic_id_internal: Added sic id (ctx id = 0)
log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2274 :Successfully create opsec environment
log_level=3 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2277 :OPSEC LEA conf file is lea.conf
log_level=3 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2304 :Authentication mode has been used.
log_level=3 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2305 :Server-IP     : 1.1.1.1
log_level=3 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2306 :Server-Port     : 18184
log_level=3 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2307 :Authentication type: sslca
log_level=3 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2309 :OPSEC sic certificate file name : /opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/opsec_logs_1496239478.p12
log_level=3 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2310 :Server DN (sic name) : CN=cp_mgmt,O=cpserver.example.com..abab9q
log_level=3 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2311 :OPSEC LEA client DN (sic name) : CN=SplunkLEA,O=cpserver.example.com..abab9q
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_init_entity_sic: called for the client side
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] Configuring entity lea_server
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] Could not find info for ...conn_buf_size...
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] Could not find info for ...no_nagle...
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] Could not find info for ...port...
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_entity_add_sic_rule: adding rules: apply_to: ME, peer: CN=cp_mgmt,O=cpserver.example.com..abab9q, d_ip: NULL, dport 18184, svc: lea, method: sslca
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_entity_add_sic_rule: adding INBOUND rule
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_entity_add_sic_rule: adding OUTBOUND rule
log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2357 :Successfully initialize client/server-pair
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_get_comm: creating comm for ent=f6c16458  peer=f6c15e48 passive=0 key=2 info=0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] c=0xf6c16458 s=0xf6c15e48 comm_type=4

[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] Could not find info for ...opsec_client...
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_get_comm: Creating session hash (size=256)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_get_comm: ADDING comm=0xf6c15570 to ent=0xf6c16458 with key=2
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_env_get_context_id_by_peer_sic_name: found context id=0 for peer sic name=CN=cp_mgmt,O=cpserver.example.com..abab9q
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_env_get_sic_handle_by_context_id: found sic handle (ctx id=0)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_sic_connect: connecting... (ctx id=0)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] fw_do_get_all_ipaddrs: called. naddrs=32769

[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] resolver_getaddrinfo_list: name=splunkhf.example.com, pref=0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] resolver_getaddrinfo_list: found peer 0 10.62.9.30
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] fw_do_get_all_ipaddrs: fw_ipaddr_both returned 10.62.9.30 ::

[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] fw_do_get_all_ipaddrs: found 1 addresses

[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] peers addresses are
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] fe80::2e44:fdff:fe7a:73c8
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] resolver_gethostbyname: Performing gethostbyname for splunkhf.example.com
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] peers addresses are
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] 10.62.9.30
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] cpsicdemux_get_mode: the mode is 1
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] cpsicdemux_check_mode: server_mode=1 | requested_mode=1
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] fwasync_get_maxbuf: maxbuf=4194304
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] T_event_epoll_report: EPOLL API disabled; SELECT is used
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] SESSION ID:3 is sending DG_TYPE=1

[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] pushing dgtype=1 len=0 to list=0xf6c1558c
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] SESSION ID:3 is sending DG_TYPE=402

[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] pushing dgtype=402 len=27 to list=0xf6c1558c
log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2371 :Successfully create session
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] fwasync_conn_params: <a3e091e,38046> -> <ac10c80c,18184>
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] fwasync_connbuf_realloc: reallocating 0 from 0 to 1028
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] fwasync_connbuf_realloc: reallocating 0 from 0 to 1028
log_level=3 file:lea_loggrabber.cpp func_name:main code_line_no:1107 :Current pid=54515 parent_pid=52671, Sleeping 1 sec
log_level=3 file:lea_loggrabber.cpp func_name:main code_line_no:1107 :Current pid=54515 parent_pid=52671, Sleeping 1 sec
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] sic_client_set_version: 11: protocol version is 59000000
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] cpsicdemux_check_mode: server_mode=1 | requested_mode=1
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] call_handlers_list: no conversion done, set CN=cp_mgmt,O=cpserver.example.com..abab9q as sic name
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] PM_session_init: given session O(CN=SplunkLEA,O=cpserver.example.com..abab9q;CN=cp_mgmt,O=cpserver.example.com..abab9q;18184;lea).
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] PM_policy_query: input session O(CN=SplunkLEA,O=cpserver.example.com..abab9q;CN=cp_mgmt,O=cpserver.example.com..abab9q;18184;lea).
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] PM_policy_query: rule found (ME;CN=cp_mgmt,O=cpserver.example.com..abab9q;18184;lea;sslca(1/1)).
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] PM_policy_query: finished successfully. 1st method = sslca
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] PM_policy_choose: finished successfully. choose: sslca.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] sic_client_call_auth_func: calling save_opaque_cb, defs = 0xf6c16f80.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] check_if_sslca_auth_and_save_opaque: calling sic_sslca_defs_save, defs = 0xf6c16f80.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] sic_sslca_defs_save: defs = 0xf6c16f80, references = 2
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwasync_conn_get: get max buffer size (4194304) .
log_level=3 file:lea_loggrabber.cpp func_name:main code_line_no:1107 :Current pid=54515 parent_pid=52671, Sleeping 1 sec
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] sslca_get_session_db: Using cache file /etc/fw/database//SessionCache
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] sslca_read_session: failed to get cached session
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] auth_sslca_clnt_handler: failed to read session
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ckpSSL_PrepareConnection: verify mode: 3
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] My SSL Ciphers:
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] Cipher List:
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 0: AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1

[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 1: AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1

[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 2: DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1

[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 3: RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1

[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ckpSSL_NegotiateStep: current state = before/connect initialization
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] is_initialized: new process or forked
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwprng_get_entropy_collection_time_opsec: value read is 1473071258
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] cpprng_get_opsec_entropy_collection_time: entropy_collection time returned is 1473071258
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ckpSSL_NegotiateStep: should retry.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ckpSSL_NegotiateStep: current state = SSLv3 read server hello A
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwCert_FixChain_do: 2 certificates
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] PubKey:
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] Modulus:
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] d4 40 1c 45 91 7d 98 ab 96 23 2b bc 74 89 1a 45 00 f8 37 af
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 80 e9 69 65 3a 5b b3 e0 c3 79 af af 08 68 74 7f 86 fc f1 6a
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ad 28 44 42 7b 86 27 ea 37 cb cd 21 1f 27 34 e1 d8 32 76 b6
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 25 21 68 5e 46 c8 5b 12 89 8e 0e a7 1d 9d 93 a0 de 82 d6 ad
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 5b 10 11 27 0c 76 cc 56 06 56 95 c4 bf c7 e4 0b 68 6d 51 b5
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 35 5e 2e ea ef 78 44 0a d9 3d 6e 9c 6e 7e a2 72 89 b3 d8 d9
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 6b d6 56 c6 21 58 07 d9
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] Exponent: 65537 (0x10001)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] X509 Certificate Version 3
Serial Number: 3046
Issuer: O=cpserver.example.com..abab9q
Subject: CN=cp_mgmt,O=cpserver.example.com..abab9q
Not valid before: Fri Jul 25 02:11:59 2014 Local Time
Not valid after:  Thu Jul 25 02:11:59 2019 Local Time
Signature Algorithm: RSA with SHA-1  Public key: RSA (1024 bits)
Extensions:
        Key Usage:
                digitalSignature
                keyEncipherment
        Basic Constraint:
                not CA
        CRL distribution Points:
                URI: http://cpserver.example.com:18264/ICA_CRL0.crl
                DN: CN=ICA_CRL0,O=cpserver.example.com..abab9q

[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] PubKey:
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] Modulus:
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ce 22 3c 31 a0 55 32 96 eb 6c fb be 9e a6 1c b4 21 e4 20 28
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] c2 26 b5 4f 12 de e8 c7 55 a3 2f 78 d8 73 42 7d f4 b2 89 c6
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 4d af 9f fe fc b7 2f 95 a4 1b a3 66 58 ea 54 a6 9f 0c 40 4e
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] f7 b1 13 bf 25 de c0 01 a1 3c b5 3a ed ca cc 87 04 43 6e 38
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 50 78 f4 73 99 87 7a 7c 84 86 8c ab af e2 53 25 d6 05 5c f3
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 24 3c 1e 3c 5a 5d e1 2f 49 ad 1f 53 41 4e f5 fd 07 15 7e 32
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 42 7f fa 70 84 3b 64 b1 49 33 74 61 df aa 76 b6 64 f3 f7 a3
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 5f a5 2a 0a 78 48 4d 4f ed f6 a8 1e 2d 36 d7 08 d3 fe b6 02
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 0d ac f1 ed 39 ba 36 f4 3d c1 56 f7 34 cc fd f3 df 5d 4a 99
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] a1 9a 29 f7 d4 c1 69 96 0b 49 1b 23 1c 73 3c 22 00 e7 53 e7
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fa 4c dc c0 a3 42 7e c2 6c 54 21 a2 d6 8f 33 c9 48 69 62 bb
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 15 80 fa 3b 6e 86 a7 15 a4 c8 3c 2f 4a b5 da d8 4e 8c ea f6
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 15 b6 bc 6f 63 a8 68 01 f4 e3 0e ec 16 f9 da 8d
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] Exponent: 3 (0x3)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] X509 Certificate Version 3
Serial Number: 1
Issuer: O=cpserver.example.com..abab9q
Subject: O=cpserver.example.com..abab9q
Not valid before: Mon Apr 28 14:11:54 2003 Local Time
Not valid after:  Sun Apr 23 14:11:54 2023 Local Time
Signature Algorithm: RSA with SHA-1  Public key: RSA (2048 bits)
Extensions:
        Key Usage:
                digitalSignature
                keyCertSign
                cRLSign
        Basic Constraint (Critical):
                is CA

[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwKeyHolder:
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15]      Root CAs
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15]               1: internal_ca
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15]                      O=cpserver.example.com..abab9q
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15]      Certified keys
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15]               1: SplunkLEA
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15]                      Has Private
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15]                      CN=SplunkLEA,O=cpserver.example.com..abab9q
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15]                      O=cpserver.example.com..abab9q
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15]                      Root: internal_ca
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwCert_FixChain_do: found root ca:internal_ca
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] GenerateGlobalEntry: Unable to get registry path
[ 4152216384][5 Sep 12:28:15] get_pkxld_path: cpshared_filename failed
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwCert_FixChain_do: Found the root CA O=cpserver.example.com..abab9q in my token
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwValidateCert:certificate - O=cpserver.example.com..abab9q
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] notBefore: Mon Apr 28 14:11:54 2003 Local Time
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] notAfter: Sun Apr 23 14:11:54 2023 Local Time
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] now:        Mon Sep 5 12:28:15 2016 Local Time
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] cert start grace period=7200   cert end grace period=0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwValidateCert:certificate - CN=cp_mgmt,O=cpserver.example.com..abab9q
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] notBefore: Fri Jul 25 02:11:59 2014 Local Time
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] notAfter: Thu Jul 25 02:11:59 2019 Local Time
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] now:        Mon Sep 5 12:28:15 2016 Local Time
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] cert start grace period=7200   cert end grace period=0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwValidatePath: checking PathLen: -1 (elevel: 0).
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwValidateNameConstraints: rootCA without name constraints
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ckpSSL_NegotiateStep: should retry.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ckpSSL_NegotiateStep: current state = SSLv3 read finished A
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ckpSSL_NegotiateStep:  conncected, used TLSv1/SSLv3 ,AES128-SHA (-1)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ckpSSL_connected: peer authenticated
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ckpSSL_connected: current state: SSL negotiation finished successfully
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] Certificate is:
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] PubKey:
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] Modulus:
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] d4 40 1c 45 91 7d 98 ab 96 23 2b bc 74 89 1a 45 00 f8 37 af
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 80 e9 69 65 3a 5b b3 e0 c3 79 af af 08 68 74 7f 86 fc f1 6a
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ad 28 44 42 7b 86 27 ea 37 cb cd 21 1f 27 34 e1 d8 32 76 b6
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 25 21 68 5e 46 c8 5b 12 89 8e 0e a7 1d 9d 93 a0 de 82 d6 ad
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 5b 10 11 27 0c 76 cc 56 06 56 95 c4 bf c7 e4 0b 68 6d 51 b5
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 35 5e 2e ea ef 78 44 0a d9 3d 6e 9c 6e 7e a2 72 89 b3 d8 d9
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 6b d6 56 c6 21 58 07 d9
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] Exponent: 65537 (0x10001)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] X509 Certificate Version 3
Serial Number: 3046
Issuer: O=cpserver.example.com..abab9q
Subject: CN=cp_mgmt,O=cpserver.example.com..abab9q
Not valid before: Fri Jul 25 02:11:59 2014 Local Time
Not valid after:  Thu Jul 25 02:11:59 2019 Local Time
Signature Algorithm: RSA with SHA-1  Public key: RSA (1024 bits)
Extensions:
        Key Usage:
                digitalSignature
                keyEncipherment
        Basic Constraint:
                not CA
        CRL distribution Points:
                URI: http://cpserver.example.com:18264/ICA_CRL0.crl
                DN: CN=ICA_CRL0,O=cpserver.example.com..abab9q

[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] X509 Certificate Version 3
Serial Number: 3046
Issuer: O=cpserver.example.com..abab9q
Subject: CN=cp_mgmt,O=cpserver.example.com..abab9q
Not valid before: Fri Jul 25 02:11:59 2014 Local Time
Not valid after:  Thu Jul 25 02:11:59 2019 Local Time
Signature Algorithm: RSA with SHA-1  Public key: RSA (1024 bits)
Extensions:
        Key Usage:
                digitalSignature
                keyEncipherment
        Basic Constraint:
                not CA
        CRL distribution Points:
                URI: http://cpserver.example.com:18264/ICA_CRL0.crl
                DN: CN=ICA_CRL0,O=cpserver.example.com..abab9q

[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwca_read_crl_file: failed to open file
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] read_crl: failed to read mgmt crl
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwca_create_file_name: dn without organizationUnitName
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwca_read_crl_file: failed to open file
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] read_crl : failed to read crl from file
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] X509 Certificate Version 3
Serial Number: 3046
Issuer: O=cpserver.example.com..abab9q
Subject: CN=cp_mgmt,O=cpserver.example.com..abab9q
Not valid before: Fri Jul 25 02:11:59 2014 Local Time
Not valid after:  Thu Jul 25 02:11:59 2019 Local Time
Signature Algorithm: RSA with SHA-1  Public key: RSA (1024 bits)
Extensions:
        Key Usage:
                digitalSignature
                keyEncipherment
        Basic Constraint:
                not CA
        CRL distribution Points:
                URI: http://cpserver.example.com:18264/ICA_CRL0.crl
                DN: CN=ICA_CRL0,O=cpserver.example.com..abab9q

[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] client_send_crlreq: fetching crl failed
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ckpSSL_do_write: write 197 bytes
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ckpSSL_do_read: return should retry rc = -1
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ckpSSL_do_read: return should retry rc = -1
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ckpSSL_do_read: return should retry rc = -1
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ckpSSL_do_read: return should retry rc = -1
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ckpSSL_do_read: return should retry rc = -1
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ckpSSL_do_read: read 4 bytes
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] auth_sslca_clnt_handler: illegal server crl_length message.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwasync_do_mux_in: 11: handler returned with error
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ckpSSL_fwasync_close: start shutdown
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] sic_client_end_handler: for conn id = 11
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] opsec_auth_client_connected: connect failed (328)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] opsec_auth_client_connected: SIC Error for lea: received bad message length from peer
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] opsec_auth_client_connected:conn=(nil) opaque=0xf6c15d60 err=0 comm=0xf6c15570
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] comm failed to connect 0xf6c15570
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] OPSEC_SET_ERRNO: err =  8  Comm is not connected/Unable to connect (pre =  0)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] COM 0xf6c15570 got signal 131075
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] destroying comm 0xf6c15570
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] Destroying comm 0xf6c15570 with 1 active sessions
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] Destroying session (f6c22128) id 3 (ent=f6c16458) reason=SIC_FAILURE
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] SESSION ID:3 is sending DG_TYPE=3

log_level=3 file:lea_loggrabber.cpp func_name:get_fw1_logfiles_end code_line_no:2184 :OPSEC_SESSION_END_HANDLER called
log_level=2 file:lea_loggrabber.cpp func_name:check_session_end_reason code_line_no:2106 :Start to check session end reason: is_read_end 0
log_level=0 file:lea_loggrabber.cpp func_name:check_session_end_reason code_line_no:2159 :Session end reason: SIC ERROR 328 - SIC Error for lea: received bad message length from peer
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] opsec_comm_is_needed:comm 0xf6c15570 1/1 sessions need the comm.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] pulling dgtype=1 len=0 to list=0xf6c1558c
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] pulling dgtype=402 len=27 to list=0xf6c1558c
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] pulling dgtype=ffffffff len=-1 to list=0xf6c1558c
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] REMOVING comm=0xf6c15570 from ent=0xf6c16458 with key=2
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ckpSSL_ShutdownHandler: rc=0 (1) SSL negotiation finished successfully
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ckpSSL_ShutdownTimeout: 0xF6C156A0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ckpSSL_Destroy: closed fd 11
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] T_event_mainloop_e: T_event_mainloop_iter returns 0
log_level=3 file:lea_loggrabber.cpp func_name:cleanup_fw1_environment code_line_no:2438 :Enter
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] Destroying entity 1 with 0 active comms
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] opsec_destroy_entity_sic: deleting sic rules for entity 0xf6c16458
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] Destroying entity 2 with 0 active comms
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] opsec_destroy_entity_sic: deleting sic rules for entity 0xf6c15e48
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] IpcUnMapFile: unmapping file (handle=0xf6c08290)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] IpcUnMapFile: unmapping file (handle=0xf6c099a0)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] IpcUnMapFile: unmapping file (handle=0xf6c09a20)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] IpcUnMapFile: unmapping file (handle=0xf6c09ac0)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] IpcUnMapFile: unmapping file (handle=0xf6c09b40)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] sic_sslca_Free: defs = 0xf6c16f80, references = 1
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] sic_sslca_Free: defs = 0xf6c18060, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] sic_sslca_Free: defs = 0xf6c19238, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] sic_sslca_Free: defs = 0xf6c1a3f8, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] sic_sslca_Free: defs = 0xf6c1b5b8, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] sic_sslca_Free: defs = 0xf6c1bee0, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] sic_sslca_Free: defs = 0xf6c1d348, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] sic_sslca_Free: defs = 0xf6c1dc88, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] sic_sslca_Free: defs = 0xf6c1f0e8, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] sic_sslca_Free: defs = 0xf6c1fa08, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] sic_sslca_Free: defs = 0xf6c20e68, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] sic_sslca_Free: defs = 0xf6c21750, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] sic_sslca_Free: defs = 0xf6c22bb8, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] PM_policy_destroy: finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] opsec_destroy_sic_id_internal: Destroyed sic id (ctx id=0)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] opsec_env_destroy_sic_id_hash: Destroyed sic id hash
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwd_env_destroy: env 0xf6c03178 (alloced = 1)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] T_env_destroy: env 0xf6c03178
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] do_fwd_env_destroy:  really destroy 0xf6c03178
log_level=2 file:lea_loggrabber.cpp func_name:main_worker code_line_no:1220 :Didn't find file, start read normal file: filename=fw.log, fileid=1
log_level=3 file:lea_loggrabber.cpp func_name:read_fw1_logfile code_line_no:1406 :Start reading fw.log 1
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: -v
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: opsec_sic_name
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: CN=SplunkLEA,O=cpserver.example.com..abab9q
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: -v
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: opsec_sslca_file
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: /opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/opsec_logs_1496239478.p12
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: -v
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: lea_server
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: ip
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: 1.1.1.1
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: -v
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: lea_server
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: auth_port
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: 18184
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: -v
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: lea_server
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: auth_type
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: sslca
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: -v
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: lea_server
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: opsec_entity_sic_name
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: CN=cp_mgmt,O=cpserver.example.com..abab9q
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] Env Configuration:
(
        :type (opsec_info)
        :lea_server (
                :opsec_entity_sic_name ("CN=cp_mgmt,O=cpserver.example.com..abab9q")
                :auth_type (sslca)
                :auth_port (18184)
                :ip (1.1.1.1)
        )
        :opsec_sslca_file ("/opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/opsec_logs_1496239478.p12")
        :opsec_sic_name ("CN=SplunkLEA,O=cpserver.example.com..abab9q")
)

[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] Could not find info for ...opsec_shared_local_path...
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] Could not find info for ...opsec_sic_policy_file...
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] Could not find info for ...opsec_mt...
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] opsec_init: multithread safety is not initialized
log_level=3 file:lea_loggrabber.cpp func_name:main code_line_no:1107 :Current pid=54515 parent_pid=52671, Sleeping 1 sec
log_level=3 file:lea_loggrabber.cpp func_name:main code_line_no:1107 :Current pid=54515 parent_pid=52671, Sleeping 1 sec
log_level=3 file:lea_loggrabber.cpp func_name:main code_line_no:1107 :Current pid=54515 parent_pid=52671, Sleeping 1 sec
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] fwprng_set_entropy_collection_time_opsec: entering time is Mon Sep  5 12:28:19 2016 (1473071299)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] cpprng_opsec_initialize: dev_urandom_poll returned 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_file_is_intialized: seed is initialized
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] cpprng_opsec_initialize: seed init for opsec succeeded
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] PM_policy_create: version 5301.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] PM_policy_add_name_to_group: finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] PM_policy_set_local_names: () names. finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] PM_policy_create: finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] PM_policy_add_name_to_group: finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] PM_policy_set_local_names: (local_sic_name) names. finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] PM_policy_add_name_to_group: finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] PM_policy_set_local_names: (127.0.0.1) names. finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] PM_policy_add_name_to_group: finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] PM_policy_set_local_names: ("CN=SplunkLEA,O=cpserver.example.com..abab9q") names. finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] PM_apply_default_dn: ca_dn = [O=cpserver.example.com..abab9q].
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] PM_apply_default_dn: calling PM_policy_DN_conversion ..
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] PM_apply_default_dn: finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] fwPubKeyfromPKCS8: decoding RSA key
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] ckpSSLctx_New: prefs = 12
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] ckpSSLctx_New: prefs = 12
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_init_sslca: calling sic_set_auth_handler_save_opaque, server_opaque - defs = 0xf6c22350, client_opaque - defs = 0xf6c22350
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] ckpSSLctx_New: prefs = 32
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_init_sslca: calling sic_set_auth_handler_save_opaque, server_opaque - defs = 0xf6c234c8, client_opaque - defs = 0xf6c234c8
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] ckpSSLctx_New: prefs = 11
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_init_sslca: calling sic_set_auth_handler_save_opaque, server_opaque - defs = 0xf6c246a0, client_opaque - defs = 0xf6c246a0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] ckpSSLctx_New: prefs = 31
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_init_sslca: calling sic_set_auth_handler_save_opaque, server_opaque - defs = 0xf6c17c58, client_opaque - defs = 0xf6c17c58
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] ckpSSLctx_New: prefs = 12
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_init_sslca: calling sic_set_auth_handler_save_opaque, server_opaque - defs = 0xf6c18dd0, client_opaque - defs = 0xf6c18dd0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] sslcaInitCP_Ex: using asym client without ca cert
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] ckpSSLctx_New: prefs = 12
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] ckpSSLctx_New: prefs = 12
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_init_sslca: calling sic_set_auth_handler_save_opaque, server_opaque - defs = 0xf6c1ab70, client_opaque - defs = 0xf6c19718
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] sslcaInitCP_Ex: using asym client without ca cert
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] ckpSSLctx_New: prefs = 32
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] ckpSSLctx_New: prefs = 32
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_init_sslca: calling sic_set_auth_handler_save_opaque, server_opaque - defs = 0xf6c1c8f8, client_opaque - defs = 0xf6c1b490
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] sslcaInitCP_Ex: using asym client without ca cert
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] ckpSSLctx_New: prefs = 11
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] ckpSSLctx_New: prefs = 11
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_init_sslca: calling sic_set_auth_handler_save_opaque, server_opaque - defs = 0xf6c1e670, client_opaque - defs = 0xf6c1d218
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] sslcaInitCP_Ex: using asym client without ca cert
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] ckpSSLctx_New: prefs = 31
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] ckpSSLctx_New: prefs = 31
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_init_sslca: calling sic_set_auth_handler_save_opaque, server_opaque - defs = 0xf6c203b8, client_opaque - defs = 0xf6c1ef70
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] sic_sslca_Free: defs = 0xf6c06258, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_init_sic_id_internal: Added sic id (ctx id = 0)
log_level=2 file:lea_loggrabber.cpp func_name:read_fw1_logfile code_line_no:1443 :Successfully create opsec environment
log_level=3 file:lea_loggrabber.cpp func_name:read_fw1_logfile code_line_no:1454 :Starting fw.log 1 at offset -1
log_level=3 file:lea_loggrabber.cpp func_name:verify_env_parameters code_line_no:1248 :OPSEC LEA conf file is lea.conf
log_level=3 file:lea_loggrabber.cpp func_name:verify_env_parameters code_line_no:1291 :Authentication mode has been used.
log_level=3 file:lea_loggrabber.cpp func_name:verify_env_parameters code_line_no:1292 :Server-IP     : 1.1.1.1
log_level=3 file:lea_loggrabber.cpp func_name:verify_env_parameters code_line_no:1293 :Server-Port     : 18184
log_level=3 file:lea_loggrabber.cpp func_name:verify_env_parameters code_line_no:1294 :Authentication type: sslca
log_level=3 file:lea_loggrabber.cpp func_name:verify_env_parameters code_line_no:1295 :OPSEC sic certificate file name : /opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/opsec_logs_1496239478.p12
log_level=3 file:lea_loggrabber.cpp func_name:verify_env_parameters code_line_no:1296 :Server DN (sic name) : CN=cp_mgmt,O=cpserver.example.com..abab9q
log_level=3 file:lea_loggrabber.cpp func_name:verify_env_parameters code_line_no:1297 :OPSEC LEA client DN (sic name) : CN=SplunkLEA,O=cpserver.example.com..abab9q
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_init_entity_sic: called for the client side
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] Configuring entity lea_server
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] Could not find info for ...conn_buf_size...
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] Could not find info for ...no_nagle...
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] Could not find info for ...port...
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_entity_add_sic_rule: adding rules: apply_to: ME, peer: CN=cp_mgmt,O=cpserver.example.com..abab9q, d_ip: NULL, dport 18184, svc: lea, method: sslca
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_entity_add_sic_rule: adding INBOUND rule
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_entity_add_sic_rule: adding OUTBOUND rule
log_level=2 file:lea_loggrabber.cpp func_name:read_fw1_logfile code_line_no:1514 :Successfully initialize client/server-pair
log_level=2 file:lea_loggrabber.cpp func_name:read_fw1_logfile code_line_no:1570 :Start to setup suspended session for ng, online 0, last_record_location -1 audit_mode 0
log_level=3 file:lea_loggrabber.cpp func_name:read_fw1_logfile code_line_no:1602 :Starting at position: -1
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_get_comm: creating comm for ent=f6c53108  peer=f6c53bb0 passive=0 key=2 info=0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] c=0xf6c53108 s=0xf6c53bb0 comm_type=4

[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] Could not find info for ...opsec_client...
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_get_comm: Creating session hash (size=256)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_get_comm: ADDING comm=0xf6c534d0 to ent=0xf6c53108 with key=2
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_env_get_context_id_by_peer_sic_name: found context id=0 for peer sic name=CN=cp_mgmt,O=cpserver.example.com..abab9q
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_env_get_sic_handle_by_context_id: found sic handle (ctx id=0)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_sic_connect: connecting... (ctx id=0)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] peers addresses are
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] fe80::2e44:fdff:fe7a:73c8
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] peers addresses are
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] 10.62.9.30
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] cpsicdemux_get_mode: the mode is 1
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] cpsicdemux_check_mode: server_mode=1 | requested_mode=1
log_level=2 file:lea_loggrabber.cpp func_name:read_fw1_logfile_start code_line_no:2210 :OPSEC session start handler was invoked
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] SESSION ID:3 is sending DG_TYPE=1

[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] pushing dgtype=1 len=0 to list=0xf6c534ec
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] SESSION ID:3 is sending DG_TYPE=402

[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] pushing dgtype=402 len=20 to list=0xf6c534ec
log_level=2 file:lea_loggrabber.cpp func_name:read_fw1_logfile code_line_no:1651 :Successfully create session
log_level=2 file:lea_loggrabber.cpp func_name:do_create_filter_for_session code_line_no:1330 :No need to create filter: filter_count=0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] SESSION ID:3 is sending DG_TYPE=40c

[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] pushing dgtype=40c len=0 to list=0xf6c534ec
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] fwasync_conn_params: <a3e091e,58787> -> <ac10c80c,18184>
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] fwasync_connbuf_realloc: reallocating 0 from 0 to 1028
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] fwasync_connbuf_realloc: reallocating 0 from 0 to 1028
log_level=3 file:lea_loggrabber.cpp func_name:main code_line_no:1107 :Current pid=54515 parent_pid=52671, Sleeping 1 sec
log_level=3 file:lea_loggrabber.cpp func_name:main code_line_no:1107 :Current pid=54515 parent_pid=52671, Sleeping 1 sec
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:21] sic_client_set_version: 11: protocol version is 59000000
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:21] cpsicdemux_check_mode: server_mode=1 | requested_mode=1
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:21] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:21] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:21] fwasync_conn_get: get max buffer size (4194304) .
log_level=3 file:lea_loggrabber.cpp func_name:main code_line_no:1107 :Current pid=54515 parent_pid=52671, Sleeping 1 sec
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:21] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:21] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:21] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:21] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:21] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:21] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:21] call_handlers_list: no conversion done, set CN=cp_mgmt,O=cpserver.example.com..abab9q as sic name
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:21] PM_session_init: given session O(CN=SplunkLEA,O=cpserver.example.com..abab9q;CN=cp_mgmt,O=cpserver.example.com..abab9q;18184;lea).
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:21] PM_policy_query: input session O(CN=SplunkLEA,O=cpserver.example.com..abab9q;CN=cp_mgmt,O=cpserver.example.com..abab9q;18184;lea).
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:21] PM_policy_query: rule found (ME;CN=cp_mgmt,O=cpserver.example.com..abab9q;18184;lea;sslca(1/1)).
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:21] PM_policy_query: finished successfully. 1st method = sslca
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] PM_policy_choose: finished successfully. choose: sslca.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] sic_client_call_auth_func: calling save_opaque_cb, defs = 0xf6c22350.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] check_if_sslca_auth_and_save_opaque: calling sic_sslca_defs_save, defs = 0xf6c22350.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] sic_sslca_defs_save: defs = 0xf6c22350, references = 2
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] sic_client_end_handler: for conn id = 11
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] opsec_auth_client_connected: connect failed (147)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] opsec_auth_client_connected: SIC Error for lea: Authentication error
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] opsec_auth_client_connected:conn=(nil) opaque=0xf6c07ed0 err=0 comm=0xf6c534d0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] comm failed to connect 0xf6c534d0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] OPSEC_SET_ERRNO: err =  8  Comm is not connected/Unable to connect (pre =  8)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] COM 0xf6c534d0 got signal 131075
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] destroying comm 0xf6c534d0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] Destroying comm 0xf6c534d0 with 1 active sessions
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] Destroying session (f6c52f88) id 3 (ent=f6c53108) reason=SIC_FAILURE
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] SESSION ID:3 is sending DG_TYPE=3

log_level=3 file:lea_loggrabber.cpp func_name:read_fw1_logfile_end code_line_no:2198 :OPSEC_SESSION_END_HANDLER called
log_level=2 file:lea_loggrabber.cpp func_name:check_session_end_reason code_line_no:2106 :Start to check session end reason: is_read_end 1
log_level=0 file:lea_loggrabber.cpp func_name:check_session_end_reason code_line_no:2159 :Session end reason: SIC ERROR 147 - SIC Error for lea: Authentication error
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] opsec_comm_is_needed:comm 0xf6c534d0 1/1 sessions need the comm.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] pulling dgtype=1 len=0 to list=0xf6c534ec
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] pulling dgtype=402 len=20 to list=0xf6c534ec
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] pulling dgtype=40c len=0 to list=0xf6c534ec
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] pulling dgtype=ffffffff len=-1 to list=0xf6c534ec
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] REMOVING comm=0xf6c534d0 from ent=0xf6c53108 with key=2
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] T_event_mainloop_e: T_event_mainloop_iter returns 0
log_level=3 file:lea_loggrabber.cpp func_name:cleanup_fw1_environment code_line_no:2438 :Enter
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] Destroying entity 1 with 0 active comms
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] opsec_destroy_entity_sic: deleting sic rules for entity 0xf6c53108
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] Destroying entity 2 with 0 active comms
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] opsec_destroy_entity_sic: deleting sic rules for entity 0xf6c53bb0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] IpcUnMapFile: unmapping file (handle=0xf6c15d40)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] IpcUnMapFile: unmapping file (handle=0xf6c027c0)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] IpcUnMapFile: unmapping file (handle=0xf6c53f50)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] IpcUnMapFile: unmapping file (handle=0xf6c53ff0)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] IpcUnMapFile: unmapping file (handle=0xf6c54070)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] sic_sslca_Free: defs = 0xf6c22350, references = 1
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] sic_sslca_Free: defs = 0xf6c234c8, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] sic_sslca_Free: defs = 0xf6c246a0, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] sic_sslca_Free: defs = 0xf6c17c58, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] sic_sslca_Free: defs = 0xf6c18dd0, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] sic_sslca_Free: defs = 0xf6c19718, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] sic_sslca_Free: defs = 0xf6c1ab70, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] sic_sslca_Free: defs = 0xf6c1b490, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] sic_sslca_Free: defs = 0xf6c1c8f8, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] sic_sslca_Free: defs = 0xf6c1d218, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] sic_sslca_Free: defs = 0xf6c1e670, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] sic_sslca_Free: defs = 0xf6c1ef70, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] sic_sslca_Free: defs = 0xf6c203b8, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] PM_policy_destroy: finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] opsec_destroy_sic_id_internal: Destroyed sic id (ctx id=0)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] opsec_env_destroy_sic_id_hash: Destroyed sic id hash
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] fwd_env_destroy: env 0xf6c03178 (alloced = 1)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] T_env_destroy: env 0xf6c03178
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] do_fwd_env_destroy:  really destroy 0xf6c03178
log_level=2 file:lea_loggrabber.cpp func_name:read_fw1_logfile code_line_no:1705 :Finish reading fw.log 1
log_level=3 file:lea_loggrabber.cpp func_name:close_screen code_line_no:5629 :Close connection to screen.
log_level=3 file:lea_loggrabber.cpp func_name:main code_line_no:1107 :Current pid=54515 parent_pid=52671, Sleeping 1 sec
0 Karma

jamesarmitage
Path Finder

Have you tried running lea_loggrabber manually? There are different debug levels available that might give you additional information:

cd to /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/

You'll have to use your own values for appname, lea_server_ip, etc:

./lea_loggrabber --data non_audit --debug_level 2 --appname Splunk_TA_checkpoint-opseclealea_loggrabber --lea_server_ip 10.1.2.3 --lea_server_auth_port 18184 --lea_server_auth_type sslca --opsec_sslca_file /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/checkpoint.p12 --opsec_sic_name CN=opsec_splunk_hf,O=your.institution.name.7ag9h5 --opsec_entity_sic_name CN=cp_mgmt_yourmanagementserver,O=your.institution.name.7ag9h5 --no_online --no_resolve 2>&1 | less

Change the debug_level flag to modify the verbosity of the output. You might also want to run tcpdump at the same time so you can review the connection attempts in Wireshark.

0 Karma

mikaelbje
Motivator

Thanks. I had to post the output as an answer since the comment box won't accept more than 9999 chars.

I see a few errors. I'm wondering if this is on the Checkpoint side, not Splunk?

0 Karma

jamesarmitage
Path Finder

From the output you pasted below, I'm seeing the same errors as kmuellercm did above, and that the process is failing to read the CRL which is causing everything else to fail out.

Have you tried running tcpdump and analyzing the traffic in wireshark? It would be interesting to see if the CRL retrieval via cURL is the same as via lea_loggrabber.

0 Karma

mikaelbje
Motivator

Now this is interesting! There is no traffic to TCP port 18264 at all, so it never tries to get the CRL using lea_loggrabber! I can get the CRL just fine using curl.

Do you also see both a URI and a DN as your CRL distribution points? I'm wondering if it fails because of the DN (LDAP query)?

0 Karma

jamesarmitage
Path Finder

Yes, when I run lea_loggrabber at debug_level 3, I see a DN in my CRL distribution point as well as the URI:

[ 20476 4151933760]@my.internal.server[12 Sep 12:24:05] with CRL:
[ 20476 4151933760]@my.internal.server[12 Sep 12:24:05] Issuer: O=checkpoint.server.6bh0i6
This update: Mon Sep 12 01:48:34 2016 Local Time
Next update: Tue Sep 13 01:48:34 2016 Local Time
Extensions:
        Issuing distribution points (Critical):
                URI: http://checkpoint.server:18264/ICA_CRL0.crl
                DN: CN=ICA_CRL0,O=checkpoint.server.6bh0i6

[ 20476 4151933760]@my.internal.server[12 Sep 12:24:05] fwCert_OurValCerts: validation OK

At the same time, your output pasted below also has similar lines, but then you get "client_send_crlreq: fetching crl failed" at line 415... My output is:

[ 26077 4151622464]@my.internal.server[12 Sep 12:41:10] fwCRL_CRLisValid:
[ 26077 4151622464]@my.internal.server[12 Sep 12:41:10] thisUpdate: Mon Sep 12 01:48:34 2016 Local Time
[ 26077 4151622464]@my.internal.server[12 Sep 12:41:10] nextUpdate: Tue Sep 13 01:48:34 2016 Local Time
[ 26077 4151622464]@my.internal.server[12 Sep 12:41:10] now:        Mon Sep 12 12:41:10 2016 Local Time

or:

[ 26077 4151622464]@my.internal.server[12 Sep 12:41:10] fwCert_OurValCerts: validation OK
0 Karma

mikaelbje
Motivator

I'm starting to think that something is seriously broken on the CP management server. As another test I compiled fw1-loggrabber from the latest code at github.com/certego and am seeing the exact same issue with the CRL. The port 16264 traffic is not seen in tcpdump at all.

0 Karma

kmuellercm
Explorer

Might need a bit more info to troubleshoot; it seems the SIC connection isn't created.

What does your $splunkhome/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_connection.conf look like?

What version is your management server? R77? What's the SIC status in the management server in Checkpoint? Does it have Trust Established?

Do you have a separate logging server?

0 Karma

mikaelbje
Motivator

R77.30.

[opsec_logs]
cert_name = opsec_logs_1496239478.p12
fw_version = R77
lea_app_name = SplunkLEA
lea_server_auth_port = 18184
lea_server_auth_type = sslca
lea_server_ip = 1.1.1.1
lea_server_type = primary
opsec_entity_sic_name = CN=cp_mgmt,O=cpserver.example.com..abab9q
opsec_sic_name = CN=SplunkLEA,O=cpserver.example.com..abab9q
0 Karma

kmuellercm
Explorer

Seems to be choking on the CRL. Is the URL http://cpserver.example.com:18264/ICA_CRL0.crl accessible? Make sure you can pull it from the server. From the log server itself try the following command:

curl http://cpserver.example.com:18264/ICA_CRL0.crl  | openssl crl -inform der -text

Here are the logs from the same point in my LEA connection:

2016-08-24 14:14:56,405 +0000 log_level=INFO, pid=5273, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="Checkpoint NonAudit Events" connection="SplunkLEA-dedicated" data="non_audit"] CRL distribution Points:

2016-08-24 14:14:56,405 +0000 log_level=INFO, pid=5273, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="Checkpoint NonAudit Events" connection="SplunkLEA-dedicated" data="non_audit"]     URI: http://cpserver01.example.com:18264/ICA_CRL0.crl

2016-08-24 14:14:56,405 +0000 log_level=INFO, pid=5273, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="Checkpoint NonAudit Events" connection="SplunkLEA-dedicated" data="non_audit"]     DN: CN=ICA_CRL0,O=cpserver01.example.com.9my9sy

2016-08-24 14:14:56,406 +0000 log_level=INFO, pid=5273, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="Checkpoint NonAudit Events" connection="SplunkLEA-dedicated" data="non_audit"]

2016-08-24 14:14:56,406 +0000 log_level=INFO, pid=5273, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="Checkpoint NonAudit Events" connection="SplunkLEA-dedicated" data="non_audit"][ 5335 4152019776]@logserver01.example.com[24 Aug 10:14:56] fwCRL_CRLisValid:

2016-08-24 14:14:56,406 +0000 log_level=INFO, pid=5273, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="Checkpoint NonAudit Events" connection="SplunkLEA-dedicated" data="non_audit"][ 5335 4152019776]@logserver01.example.com[24 Aug 10:14:56] thisUpdate: Tue Aug 23 05:00:02 2016 Local Time

2016-08-24 14:14:56,406 +0000 log_level=INFO, pid=5273, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="Checkpoint NonAudit Events" connection="SplunkLEA-dedicated" data="non_audit"][ 5335 4152019776]@logserver01.example.com[24 Aug 10:14:56] nextUpdate: Tue Aug 30 05:00:02 2016 Local Time

2016-08-24 14:14:56,406 +0000 log_level=INFO, pid=5273, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="Checkpoint NonAudit Events" connection="SplunkLEA-dedicated" data="non_audit"][ 5335 4152019776]@logserver01.example.com[24 Aug 10:14:56] now:        Wed Aug 24 10:14:56 2016 Local Time

2016-08-24 14:14:56,406 +0000 log_level=INFO, pid=5273, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="Checkpoint NonAudit Events" connection="SplunkLEA-dedicated" data="non_audit"][ 5335 4152019776]@logserver01.example.com[24 Aug 10:14:56] crl start grace period=600   crl end grace period=600 crl size val=0

2016-08-24 14:14:56,406 +0000 log_level=INFO, pid=5273, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="Checkpoint NonAudit Events" connection="SplunkLEA-dedicated" data="non_audit"][ 5335 4152019776]@logserver01.example.com[24 Aug 10:14:56] fwCRL_CRLisValid: NOT checking nextUpdate

2016-08-24 14:14:56,406 +0000 log_level=INFO, pid=5273, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="Checkpoint NonAudit Events" connection="SplunkLEA-dedicated" data="non_audit"][ 5335 4152019776]@logserver01.example.com[24 Aug 10:14:56] fwCRL_CRLisValid: NOT checking thisUpdate

2016-08-24 14:14:56,406 +0000 log_level=INFO, pid=5273, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="Checkpoint NonAudit Events" connection="SplunkLEA-dedicated" data="non_audit"][ 5335 4152019776]@logserver01.example.com[24 Aug 10:14:56] fwCRL_CRLisValid: NOT checking CRL size

2016-08-24 14:14:56,406 +0000 log_level=INFO, pid=5273, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="Checkpoint NonAudit Events" connection="SplunkLEA-dedicated" data="non_audit"][ 5335 4152019776]@logserver01.example.com[24 Aug 10:14:56] fwCRL_validateRevocation: validate cert:

2016-08-24 14:14:56,407 +0000 log_level=INFO, pid=5273, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="Checkpoint NonAudit Events" connection="SplunkLEA-dedicated" data="non_audit"][ 5335 4152019776]@logserver01.example.com[24 Aug 10:14:56] Subject: CN=cpserver02,O=cpserver01.example.com.9my9sy
0 Karma
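As an added example (not part of the add-on, of lea_loggrabber, or of anyone's post in this thread), here is a small triage script for the manual lea_loggrabber run suggested above and for the CRL check in this post: it walks debug output in the formats quoted in the thread, extracts the session end reason, the CRL fetch symptoms, and the fwCRL_CRLisValid window with its grace periods, and says which step to look at first. The log lines embedded in it are constructed from those formats; hostnames, PIDs and times are made up.

```python
"""Triage lea_loggrabber / Check Point SIC debug output (constructed example)."""
import re
from datetime import datetime, timedelta

# Constructed sample lines in the shape of the output quoted in this thread.
SAMPLE_LOG = """\
[ 5335 4152019776]@logserver01.example.com[24 Aug 10:14:56] fwCRL_CRLisValid:
[ 5335 4152019776]@logserver01.example.com[24 Aug 10:14:56] thisUpdate: Tue Aug 23 05:00:02 2016 Local Time
[ 5335 4152019776]@logserver01.example.com[24 Aug 10:14:56] nextUpdate: Tue Aug 30 05:00:02 2016 Local Time
[ 5335 4152019776]@logserver01.example.com[24 Aug 10:14:56] now:        Wed Aug 24 10:14:56 2016 Local Time
[ 5335 4152019776]@logserver01.example.com[24 Aug 10:14:56] crl start grace period=600   crl end grace period=600 crl size val=0
[ 10441 4151970624]@host.example.com[22 Aug 13:39:14] client_send_crlreq: fetching crl failed
[ 10441 4151970624]@host.example.com[22 Aug 13:39:14] auth_sslca_clnt_handler: illegal server crl_length message.
log_level=0 file:lea_loggrabber.cpp func_name:check_session_end_reason code_line_no:2159 :Session end reason: SIC ERROR 328 - SIC Error for lea: received bad message length from peer
"""

# "[ pid tid]@host[day mon hh:mm:ss] " prefix that Check Point puts on each line.
_PREFIX = re.compile(r"^\[\s*\d+\s+\d+\]@\S+?\[[^\]]*\]\s*")
_SIC_ERROR = re.compile(r"Session end reason: SIC ERROR (\d+) - (.*)$")
_GRACE = re.compile(r"crl start grace period=(\d+)\s+crl end grace period=(\d+)")
_UPDATE = re.compile(r"^(thisUpdate|nextUpdate|now):\s*(.*)$")

# Messages seen in this thread that point at the CRL fetch/parse step, not at SIC trust itself.
CRL_SYMPTOMS = (
    "client_send_crlreq: fetching crl failed",
    "auth_sslca_clnt_handler: illegal server crl_length message",
)


def strip_prefix(line):
    return _PREFIX.sub("", line.rstrip())


def parse_cp_time(value):
    # "Tue Aug 23 05:00:02 2016 Local Time" -> naive datetime (the format carries no zone).
    return datetime.strptime(value.replace("Local Time", "").strip(), "%a %b %d %H:%M:%S %Y")


def crl_window(text):
    """Evaluate the window fwCRL_CRLisValid prints: thisUpdate - start_grace <= now <= nextUpdate + end_grace.
    Returns None when the three timestamps are not all present."""
    fields, grace = {}, (0, 0)
    for raw in text.splitlines():
        line = strip_prefix(raw)
        m = _UPDATE.match(line)
        if m:
            fields[m.group(1)] = parse_cp_time(m.group(2))
        g = _GRACE.search(line)
        if g:
            grace = (int(g.group(1)), int(g.group(2)))
    if not all(k in fields for k in ("thisUpdate", "nextUpdate", "now")):
        return None
    lower = fields["thisUpdate"] - timedelta(seconds=grace[0])
    upper = fields["nextUpdate"] + timedelta(seconds=grace[1])
    return {"this_update": fields["thisUpdate"], "next_update": fields["nextUpdate"],
            "now": fields["now"], "grace": grace,
            "within_window": lower <= fields["now"] <= upper}


def session_end_reason(text):
    """(code, message) from the check_session_end_reason line, or None if the session did not end in error."""
    for raw in text.splitlines():
        m = _SIC_ERROR.search(raw)
        if m:
            return int(m.group(1)), m.group(2).strip()
    return None


def crl_symptoms(text):
    found = []
    for raw in text.splitlines():
        line = strip_prefix(raw)
        for s in CRL_SYMPTOMS:
            if s in line and s not in found:
                found.append(s)
    return found


def triage(text):
    """Order of checks: CRL outside its window, then CRL fetch failures, then any other SIC error."""
    window, reason, symptoms = crl_window(text), session_end_reason(text), crl_symptoms(text)
    if window is not None and not window["within_window"]:
        verdict = "crl-outside-window"
    elif symptoms:
        verdict = "crl-fetch"
    elif reason is not None:
        verdict = "sic-error"
    else:
        verdict = "ok"
    return {"verdict": verdict, "sic_error": reason, "crl_symptoms": symptoms, "crl_window": window}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), default=str, indent=2))
```

Feed it the file you get from redirecting the manual lea_loggrabber run (`2>&1 > debug.txt`) and compare the printed window against the Last/Next Update in the `openssl crl -text` output.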

mikaelbje
Motivator

That's what I first thought as well, but I had no trouble getting the CRL from that URL from the Splunk server, so the problem must lie somewhere else. Do you see the CPDIR and registry warnings in your logs too? Wondering if that's the culprit.

0 Karma

kmuellercm
Explorer

Yeah, I see the same registry errors but not the CPDIR, but that could just be because you're running the lea_loggrabber manually.

I'm definitely not seeing the invalid response error during the CRL download though; I think you should use openssl to verify it.

0 Karma

mikaelbje
Motivator

Verified that openssl can open the CRL from the Splunk server:

Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: /O=cpserver..abab9q
        Last Update: Sep 11 01:49:43 2016 GMT
        Next Update: Sep 18 01:49:43 2016 GMT
        CRL extensions:
            X509v3 Issuing Distrubution Point: critical
                Full Name:
                  URI:http://cpserver:18264/ICA_CRL0.crl
                  DirName: O = cpserver..abab9q, CN = ICA_CRL0

Revoked Certificates:
    Serial Number: 016000
        Revocation Date: Aug 31 18:55:46 2007 GMT
    Serial Number: 016002
....
....
....
-----END X509 CRL-----

So the problem doesn't seem to be fetching the CRL.

0 Karma

mikaelbje
Motivator

I don't have access to the file now and won't have for a few weeks, but it was created via the GUI so I believe it should be fine.

Management is R77.

Trust is established. I reset the connection and set it up again just to be sure that the state had changed.

Firewall rules are in place.

Logging is done on the management server.

0 Karma