Splunk Add-on for Check Point OPSEC LEA Linux: Why does the last connection status always show never connected?

daniellwd
New Member

The last connection status in the add-on always shows "never connected". I ran a debug and it resulted in a timeout. Please help.

0 Karma

cjmorgan
Engager

I am having the same issue with the LEA connection. Debug connects and starts pulling logs, but the agent never starts pulling on its own and feeding my indexers. Cert pulls OK. SIC established and trusted. Debug works great.

Debug command, with output snippet:

/opt/splunk/bin/splunk cmd /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber-debug.sh --configentity SplunkLEA

Using Splunk instance: /opt/splunk, app name Splunk_TA_opseclea_linux22
Splunk username: admin
Password: 
DEBUG: LOGGRABBER configuration file is: /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/fw1-loggrabber.conf
DEBUG: function logging_init_env
DEBUG: function open_screen
DEBUG: Open connection to screen.
DEBUG: Logfilename      : fw.log
DEBUG: Record Separator : |
DEBUG: Resolve Addresses: No
DEBUG: Show Filenames   : No
DEBUG: FW1-2000         : No
DEBUG: Online-Mode      : No
DEBUG: Audit-Log        : No
DEBUG: Show Fieldnames  : Yes
DEBUG: function get_fw1_logfiles
splunk internal call command: $SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/SplunkLEA
splunk output: QUERYING: 'https://127.0.0.1:8089/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/SplunkLEA'
HTTP Status: 200.
Content:

https://127.0.0.1:8089/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf
2016-06-06T09:07:48-06:00

<name>Splunk</name>

1
30
0

<title>SplunkLEA</title>
<id>https://127.0.0.1:8089/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/SplunkLEA</id>
<updated>2016-06-06T09:07:48-06:00</updated>
<link href="/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/SplunkLEA" rel="alternate"/>
<author>
  <name>admin</name>
</author>
<link href="/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/SplunkLEA" rel="list"/>
<link href="/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/SplunkLEA" rel="edit"/>
<link href="/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/SplunkLEA" rel="remove"/>
<content type="text/xml">
  <s:dict>
    <s:key name="disabled">0</s:key>
    <s:key name="eai:acl">
      <s:dict>
        <s:key name="app">Splunk_TA_opseclea_linux22</s:key>
        <s:key name="can_change_perms">1</s:key>
        <s:key name="can_list">1</s:key>
        <s:key name="can_share_app">1</s:key>
        <s:key name="can_share_global">1</s:key>
        <s:key name="can_share_user">1</s:key>
        <s:key name="can_write">1</s:key>
        <s:key name="modifiable">1</s:key>
        <s:key name="owner">admin</s:key>
        <s:key name="perms">
          <s:dict>
            <s:key name="read">
              <s:list>
                <s:item>admin</s:item>
              </s:list>
            </s:key>
            <s:key name="write">
              <s:list>
                <s:item>admin</s:item>
              </s:list>
            </s:key>
          </s:dict>
        </s:key>
        <s:key name="removable">1</s:key>
        <s:key name="sharing">app</s:key>
      </s:dict>
    </s:key>
    <s:key name="eai:appName">Splunk_TA_opseclea_linux22</s:key>
    <s:key name="eai:attributes">
      <s:dict>
        <s:key name="optionalFields">
          <s:list>
            <s:item>conn_buf_size</s:item>
            <s:item>is_cma</s:item>
            <s:item>is_disabled</s:item>
            <s:item>is_provider</s:item>
            <s:item>lea_server_port</s:item>
            <s:item>no_nagle</s:item>
            <s:item>no_resolve</s:item>
            <s:item>online_mode</s:item>
          </s:list>
        </s:key>
        <s:key name="requiredFields">
          <s:list>
            <s:item>fw_version</s:item>
            <s:item>lea_server_auth_port</s:item>
            <s:item>lea_server_auth_type</s:item>
            <s:item>lea_server_ip</s:item>
            <s:item>mode</s:item>
            <s:item>opsec_entity_sic_name</s:item>
            <s:item>opsec_sic_name</s:item>
            <s:item>opsec_sslca_file</s:item>
          </s:list>
        </s:key>
        <s:key name="wildcardFields">
          <s:list/>
        </s:key>
      </s:dict>
    </s:key>
    <s:key name="eai:userName">nobody</s:key>
    <s:key name="fw_version">77</s:key>
    <s:key name="is_disabled">0</s:key>
    <s:key name="lea_server_auth_port">18184</s:key>
    <s:key name="lea_server_auth_type">sslca</s:key>
    <s:key name="lea_server_ip">522.17.41.83</s:key>
    <s:key name="mode">non_audit</s:key>
    <s:key name="online_mode">0</s:key>
    <s:key name="opsec_entity_sic_name">CN=cp_mgmt,O=cp-mgr1.domain.com.2jtgc6</s:key>
    <s:key name="opsec_sic_name">CN=SplunkLEA,O=cp-mgr1.domain.com.2jtgc6</s:key>
    <s:key name="opsec_sslca_file">../certs/SplunkLEA.p12</s:key>
  </s:dict>
</content>

mode: non_audit
-v opsec_sic_name CN=SplunkLEA,O=cp-mgr1.domain.com.2jtgc6 -v opsec_sslca_file ../certs/SplunkLEA.p12 -v lea_server ip 522.17.41.83 -v lea_server auth_port 18184 -v lea_server auth_type sslca -v lea_server opsec_entity_sic_name CN=cp_mgmt,O=cp-mgr1.domain.com.2jtgc6 
[ 52100 4151573296]@server[6 Jun  9:07:48] Env Configuration:
(
        :type (opsec_info)
        :lea_server (
                :opsec_entity_sic_name ("CN=cp_mgmt,O=cp-mgr1.domain.com.2jtgc6")
                :auth_type (sslca)
                :auth_port (18184)
                :ip (522.17.41.83)
        )
        :opsec_sslca_file ("../certs/SplunkLEA.p12")
        :opsec_sic_name ("CN=SplunkLEA,O=cp-mgr1.domain.com.2jtgc6")
)

[ 52100 4151573296]@server[6 Jun  9:07:48] Could not find info for ...opsec_shared_local_path...
[ 52100 4151573296]@server[6 Jun  9:07:48] Could not find info for ...opsec_sic_policy_file...
[ 52100 4151573296]@server[6 Jun  9:07:48] Could not find info for ...opsec_mt...
[ 52100 4151573296]@server[6 Jun  9:07:48] opsec_init: multithread safety is not initialized
[ 52100 4151573296]@server[6 Jun  9:07:48] cpprng_opsec_initialize: path is not initialized - will initialize
[ 52100 4151573296]@server[6 Jun  9:07:48] cpprng_opsec_initialize: full file name is ops_prng
[ 52100 4151573296]@server[6 Jun  9:07:48] cpprng_opsec_initialize: dev_urandom_poll returned 0
[ 52100 4151573296]@server[6 Jun  9:07:48] opsec_file_is_intialized: seed is initialized
[ 52100 4151573296]@server[6 Jun  9:07:48] cpprng_opsec_initialize: seed init for opsec succeeded
[ 52100 4151573296]@server[6 Jun  9:07:48] PM_policy_create: version 5301.
[ 52100 4151573296]@server[6 Jun  9:07:48] PM_policy_add_name_to_group: finished successfully.
[ 52100 4151573296]@server[6 Jun  9:07:48] PM_policy_set_local_names: () names. finished successfully.
[ 52100 4151573296]@server[6 Jun  9:07:48] PM_policy_create: finished successfully.
[ 52100 4151573296]@server[6 Jun  9:07:48] PM_policy_add_name_to_group: finished successfully.
[ 52100 4151573296]@server[6 Jun  9:07:48] PM_policy_set_local_names: (local_sic_name) names. finished successfully.
[ 52100 4151573296]@server[6 Jun  9:07:48] PM_policy_add_name_to_group: finished successfully.
[ 52100 4151573296]@server[6 Jun  9:07:48] PM_policy_set_local_names: (127.0.0.1) names. finished successfully.
[ 52100 4151573296]@server[6 Jun  9:07:48] PM_policy_add_name_to_group: finished successfully.
[ 52100 4151573296]@server[6 Jun  9:07:48] PM_policy_set_local_names: ("CN=SplunkLEA,O=cp-mgr1.domain.com.2jtgc6") names. finished successfully.
[ 52100 4151573296]@server[6 Jun  9:07:48] PM_apply_default_dn: ca_dn = [O=cp-mgr1.domain.com.2jtgc6].
[ 52100 4151573296]@server[6 Jun  9:07:48] PM_apply_default_dn: calling PM_policy_DN_conversion ..
[ 52100 4151573296]@server[6 Jun  9:07:48] PM_apply_default_dn: finished successfully.
[ 52100 4151573296]@server[6 Jun  9:07:48] ckpSSLctx_New: prefs = 12
[ 52100 4151573296]@server[6 Jun  9:07:48] CkpRegDir: Environment variable CPDIR is not set.
[ 52100 4151573296]@server[6 Jun  9:07:48] GenerateGlobalEntry: Unable to get registry path
[ 52100 4151573296]@server[6 Jun  9:07:48] ckpSSLctx_New: prefs = 12
[ 52100 4151573296]@server[6 Jun  9:07:48] ckpSSLctx_New: prefs = 32
[ 52100 4151573296]@server[6 Jun  9:07:48] ckpSSLctx_New: prefs = 11
[ 52100 4151573296]@server[6 Jun  9:07:48] ckpSSLctx_New: prefs = 31
[ 52100 4151573296]@server[6 Jun  9:07:48] ckpSSLctx_New: prefs = 12
[ 52100 4151573296]@server[6 Jun  9:07:48] sslcaInitCP_Ex: using asym client without ca cert
[ 52100 4151573296]@server[6 Jun  9:07:48] ckpSSLctx_New: prefs = 12
[ 52100 4151573296]@server[6 Jun  9:07:48] ckpSSLctx_New: prefs = 12
[ 52100 4151573296]@server[6 Jun  9:07:48] sslcaInitCP_Ex: using asym client without ca cert
[ 52100 4151573296]@server[6 Jun  9:07:48] ckpSSLctx_New: prefs = 32
[ 52100 4151573296]@server[6 Jun  9:07:48] ckpSSLctx_New: prefs = 32
[ 52100 4151573296]@server[6 Jun  9:07:48] sslcaInitCP_Ex: using asym client without ca cert
[ 52100 4151573296]@server[6 Jun  9:07:48] ckpSSLctx_New: prefs = 11
[ 52100 4151573296]@server[6 Jun  9:07:48] ckpSSLctx_New: prefs = 11
[ 52100 4151573296]@server[6 Jun  9:07:48] sslcaInitCP_Ex: using asym client without ca cert
[ 52100 4151573296]@server[6 Jun  9:07:48] ckpSSLctx_New: prefs = 31
[ 52100 4151573296]@server[6 Jun  9:07:48] ckpSSLctx_New: prefs = 31
[ 52100 4151573296]@server[6 Jun  9:07:48] opsec_init_sic_id_internal: Added sic id (ctx id = 0)
DEBUG: OPSEC LEA conf file is lea.conf
DEBUG: Authentication mode has been used.
DEBUG: Server-IP     : 522.17.41.83
DEBUG: Server-Port     : 18184
DEBUG: Authentication type: sslca
DEBUG: OPSEC sic certificate file name : ../certs/SplunkLEA.p12
DEBUG: Server DN (sic name) : CN=cp_mgmt,O=cp-mgr1.domain.com.2jtgc6
DEBUG: OPSEC LEA client DN (sic name) : CN=SplunkLEA,O=cp-mgr1.domain.com.2jtgc6
[ 52100 4151573296]@server[6 Jun  9:07:48] opsec_init_entity_sic: called for the client side
[ 52100 4151573296]@server[6 Jun  9:07:48] Configuring entity lea_server
[ 52100 4151573296]@server[6 Jun  9:07:48] Could not find info for ...conn_buf_size...
[ 52100 4151573296]@server[6 Jun  9:07:48] Could not find info for ...no_nagle...
[ 52100 4151573296]@server[6 Jun  9:07:48] Could not find info for ...port...
[ 52100 4151573296]@server[6 Jun  9:07:48] opsec_entity_add_sic_rule: adding rules: apply_to: ME, peer: CN=cp_mgmt,O=cp-mgr1.domain.com.2jtgc6, d_ip: NULL, dport 18184, svc: lea, method: sslca
[ 52100 4151573296]@server[6 Jun  9:07:48] opsec_entity_add_sic_rule: adding INBOUND rule
[ 52100 4151573296]@server[6 Jun  9:07:48] opsec_entity_add_sic_rule: adding OUTBOUND rule
[ 52100 4151573296]@server[6 Jun  9:07:48] opsec_get_comm: creating comm for ent=98fe670  peer=98fdc90 passive=0 key=2 info=0
[ 52100 4151573296]@server[6 Jun  9:07:48] c=0x98fe670 s=0x98fdc90 comm_type=4

[ 52100 4151573296]@server[6 Jun  9:07:48] Could not find info for ...opsec_client...
[ 52100 4151573296]@server[6 Jun  9:07:48] opsec_get_comm: Creating session hash (size=256)
[ 52100 4151573296]@server[6 Jun  9:07:48] opsec_get_comm: ADDING comm=0x98f4130 to ent=0x98fe670 with key=2
[ 52100 4151573296]@server[6 Jun  9:07:48] opsec_env_get_context_id_by_peer_sic_name: found context id=0 for peer sic name=CN=cp_mgmt,O=cp-mgr1.domain.com.2jtgc6
[ 52100 4151573296]@server[6 Jun  9:07:48] opsec_env_get_sic_handle_by_context_id: found sic handle (ctx id=0)
[ 52100 4151573296]@server[6 Jun  9:07:48] opsec_sic_connect: connecting... (ctx id=0)
[ 52100 4151573296]@server[6 Jun  9:07:48] resolver_gethostbyname: Performing gethostbyname for server
[ 52100 4151573296]@server[6 Jun  9:07:48] peers addresses are
[ 52100 4151573296]@server[6 Jun  9:07:48] 10.6.82.20
[ 52100 4151573296]@server[6 Jun  9:07:48] SESSION ID:3 is sending DG_TYPE=1

[ 52100 4151573296]@server[6 Jun  9:07:48] pushing dgtype=1 len=0 to list=0x98f414c
[ 52100 4151573296]@server[6 Jun  9:07:48] SESSION ID:3 is sending DG_TYPE=402

[ 52100 4151573296]@server[6 Jun  9:07:48] pushing dgtype=402 len=27 to list=0x98f414c
[ 52100 4151573296]@server[6 Jun  9:07:48] fwasync_conn_params:  -> 
[ 52100 4151573296]@server[6 Jun  9:07:48] fwasync_connbuf_realloc: reallocating 0 from 0 to 1028
[ 52100 4151573296]@server[6 Jun  9:07:48] fwasync_connbuf_realloc: reallocating 0 from 0 to 1028

_________________________________


DEBUG: function string_cat
DEBUG: function submit_screen
DEBUG: Submit message to screen.
loc=4240|time= 6Jun2016  0:19:48|action=drop|orig=opp-cp2|i/f_dir=inbound|i/f_name=eth1-03|has_accounting=0|uuid=<00000000,00000000,00000000,00000000>|product=VPN-1 & FireWall-1|drop reason=matched optimized drop|rule=231|rule_uid={9DFBBE62-9D08-410F-8520-804737911EB9}|rule_name=Clean-up|src=10.15.255.11|s_port=syslog|dst=192.168.196.212|service=syslog|proto=udp|__policy_id_tag=product=VPN-1 & FireWall-1[db_tag={E885CFC8-D969-D249-9115-129413E07255};mgmt=-cp-mgr1;date=1464825626;policy_name=2015_Policy]|origin_sic_name=CN=opp-cp2,O=den-cp-mgr1.domain.com.2jtgc6
[ 48074 4151507760]@server[6 Jun  8:07:03] ckpSSL_InputPending 1 pending bytes
[ 48074 4151507760]@server[6 Jun  8:07:03] ckpSSL_InputPending 1 pending bytes
[ 48074 4151507760]@server[6 Jun  8:07:03] ckpSSL_do_read: read 12 bytes
[ 48074 4151507760]@server[6 Jun  8:07:03] ckpSSL_InputPending 1 pending bytes
[ 48074 4151507760]@server[6 Jun  8:07:03] ckpSSL_InputPending 1 pending bytes
[ 48074 4151507760]@server[6 Jun  8:07:03] ckpSSL_do_read: read 701 bytes
[ 48074 4151507760]@server[6 Jun  8:07:03] demultiplex type=505 session-id=3
[ 48074 4151507760]@server[6 Jun  8:07:03] client: got RECORD session 3
DEBUG: function read_fw1_logfile_record
0 Karma
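A small triage helper for exactly this situation, added here as an example (it is not code from the Splunk add-on or from the post above): it reports how far the OPSEC/SIC session got in a lea-loggrabber debug log, lists the peer addresses the resolver printed so they can be compared with the configured lea_server_ip, and parses a delivered LEA record in the pipe-separated fieldname=value layout shown above. The phase markers and record layout are taken from the debug output in the thread; the SAMPLE_* inputs are constructed.

```python
"""Triage helper for fw1-loggrabber debug output (added example for this thread, not
part of the Splunk add-on). Markers come from the posted debug log; SAMPLE_* are constructed."""
import re

PHASES = [  # ordered: a later marker means the earlier connection steps already passed
          ("config_loaded", "Env Configuration:"),
          ("sic_id_added", "opsec_init_sic_id_internal: Added sic id"),
          ("sic_connecting", "opsec_sic_connect: connecting"),
          ("peer_resolved", "peers addresses are"),
          ("ssl_reading", "ckpSSL_do_read: read"),
          ("record_received", "client: got RECORD session")]
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def furthest_phase(debug_lines):
    """Name of the last PHASES marker present in the log, or None if none matched."""
    reached = None
    for name, marker in PHASES:
        if any(marker in line for line in debug_lines):
            reached = name
    return reached

def resolved_peers(debug_lines):
    """Addresses printed right after 'peers addresses are'; compare with lea_server_ip."""
    peers, collecting = [], False
    for line in debug_lines:
        msg = line.rsplit("] ", 1)[-1].strip()  # drop the "[ pid tid]@host[time]" prefix
        if msg == "peers addresses are":
            collecting = True
        elif collecting and IPV4.fullmatch(msg):
            peers.append(msg)
        else:
            collecting = False
    return peers

def parse_lea_record(record, sep="|"):
    """Split a 'fieldname=value' record (Record Separator '|', Show Fieldnames Yes);
    the trailing '[k=v;k=v]' of __policy_id_tag is expanded into tag_* keys."""
    fields = {}
    for part in record.split(sep):
        key, _, value = part.partition("=")  # first '=' only: values may contain '='
        fields[key.strip()] = value.strip()
    m = re.search(r"\[(.*)\]$", fields.get("__policy_id_tag", ""))
    for kv in (m.group(1).split(";") if m else []):
        k, _, v = kv.partition("=")
        fields["tag_" + k] = v
    return fields

SAMPLE_DEBUG = """[ 1 2]@server[6 Jun  9:07:48] opsec_sic_connect: connecting... (ctx id=0)
[ 1 2]@server[6 Jun  9:07:48] peers addresses are
[ 1 2]@server[6 Jun  9:07:48] 10.6.82.20
[ 1 2]@server[6 Jun  9:07:48] SESSION ID:3 is sending DG_TYPE=1
[ 1 2]@server[6 Jun  8:07:03] client: got RECORD session 3""".splitlines()
SAMPLE_RECORD = ("loc=4240|time= 6Jun2016  0:19:48|action=drop|rule=231|src=10.15.255.11|proto=udp|"
                 "__policy_id_tag=product=VPN-1 & FireWall-1[db_tag={PLACEHOLDER};mgmt=-cp-mgr1;policy_name=2015_Policy]")
```

A run that stops before `peer_resolved` points at the SIC/connect stage; one that reaches `record_received` in debug but never in the scheduled input points at the scheduled run, not at SIC.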

ashokqos
Path Finder

I also struggled a lot to bring Check Point logs into Splunk. I have created a blog post with screenshots. Hope this helps.
Our Splunk is on CentOS, but it should work for most Linux distros.
https://qostechnology.wordpress.com/2015/04/29/integration-of-splunk-with-checkpoint-managementlog-s...

splunk24
Path Finder

Can you please share your blog again? The above link is not working for me.

0 Karma

ccheung_splunk
Splunk Employee

Hi,

Can you give us some more info on the output of your debug?

./lea-loggrabber-debug.sh --configentity {checkpoint connection} --debug-level 3

0 Karma