Splunk Add-on for Check Point OPSEC LEA: SIC ERROR 119 - SIC Error for lea: Client could not choose an authentication method for service lea

Explorer

Hello everyone:

I installed the Splunk Add-on for Check Point OPSEC LEA (https://splunkbase.splunk.com/app/3197/)

I followed all the installation steps, but it gives me the following connection error:

2016-12-20 15:03:18,130 +0000 log_level=ERROR, pid=23280, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="CheckPoint" connection="CheckPoint_mgmt" data="fw"]log_level=0 file:lea_loggrabber.cpp func_name:check_session_end_reason code_line_no:2159 :Session end reason: SIC ERROR 119 - SIC Error for lea: Client could not choose an authentication method for service lea

My opseclea_inputs.conf is

[CheckPoint]
connection = CheckPoint_mgmt
data = fw
host = xxx.xxx.xxx.xxx
index = checkpoint_test
interval = 30
mode = offline
noresolve = 1
disabled = 1

And the opseclea_connection.conf is

[CheckPoint_mgmt]
cert_name = CheckPoint_mgmt_20361674.p12
fw_version = R77
lea_app_name = SplunkLEA
lea_object_name =
lea_server_auth_port = 18184
lea_server_auth_type = sslca
lea_server_ip = xxx.xxx.xxx.xxx
lea_server_type = primary
management_server_ip = xxx.xxx.xxx.xxx
opsec_entity_sic_name = CN=cp_mgmt,O=fwmgmt..nnc98w
opsec_sic_name = CN=SplunkLEA,O=fwmgmt..nnc98w
disabled = 0

Where's the problem??

Regards

0 Karma

Splunk Employee

The config looks right, so this is probably an issue with the OPSEC app configuration.
Check for some ideas here http://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Troubleshoot (specifically the checkpoint URL: http://dl3.checkpoint.com/paid/20/How-To-Troubleshoot-SIC-related-Issues.pdf?HashKey=1463490738_979d...)

0 Karma

Explorer

Mreynov, thanks for your answer

We saw this in the firewall configuration:

[Expert@fwmgmt:0]# cat /var/opt/CPsuite-R77/fw1/conf/fwopsec.conf | grep lea_server

sam_server, lea_server, ela_server, cpmi_server, uaa_server.

lea_server auth_port 18184
lea_server auth_type ssl_opsec

Is it possible to configure this authentication type in the connection?

Or do we need to change this in the CheckPoint configuration?

Regards

Horacio

0 Karma

Splunk Employee

This is definitely on the Check Point side, but I am not sure if this is a general setting or specific to the OPSEC app/object.

0 Karma

Explorer

Hi mreynov!

When I change the parameter:

lea_server_auth_type = ssl_opsec (in opseclea_connection.conf)

Now it gives me this error message:

SIC ERROR 302 - SIC Error for ssl_opsec: peer name wasn't found in authentication files

Regards

Horacio

0 Karma
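
The thread turns on whether the lea_server settings in fwopsec.conf agree with the add-on's connection stanza. The following is an added example, not part of any post above and not the add-on's own code, that compares the two. The sample inputs are constructed from the values quoted in the thread, and treating `#` as a comment marker in fwopsec.conf is an assumption.

```python
import configparser

# Constructed samples mirroring the lines quoted in the thread.
FWOPSEC_CONF = """\
sam_server, lea_server, ela_server, cpmi_server, uaa_server.
lea_server auth_port 18184
lea_server auth_type ssl_opsec
"""

CONNECTION_CONF = """\
[CheckPoint_mgmt]
lea_object_name =
lea_server_auth_port = 18184
lea_server_auth_type = sslca
"""


def parse_fwopsec(text, service="lea_server"):
    """Collect '<service> <setting> <value>' lines into a dict."""
    settings = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()  # assumption: '#' starts a comment
        # Prose such as the first sample line does not have this 3-token shape.
        if len(parts) == 3 and parts[0] == service:
            settings[parts[1]] = parts[2]
    return settings


def parse_connection(text, stanza):
    """Read one stanza of opseclea_connection.conf as a dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp[stanza])


def compare(fwopsec_text, connection_text, stanza):
    """Return (setting, check_point_value, addon_value) for each mismatch."""
    server = parse_fwopsec(fwopsec_text)
    client = parse_connection(connection_text, stanza)
    mismatches = []
    for key in ("auth_port", "auth_type"):
        s, c = server.get(key), client.get("lea_server_" + key)
        if s != c:
            mismatches.append((key, s, c))
    return mismatches


if __name__ == "__main__":
    for key, s, c in compare(FWOPSEC_CONF, CONNECTION_CONF, "CheckPoint_mgmt"):
        print(f"{key}: Check Point lea_server={s!r}, add-on={c!r}")
```

An empty result only rules out a port or auth-type mismatch; the last post shows a different SIC error (302) once both sides are set to ssl_opsec.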