
Splunk Add-on for Check Point OPSEC LEA: Trying to pull the certificate, why do I get "server error" in the GUI and "No such file or directory" in the CLI?

Federica_92
Communicator

Hi everyone,

I'm trying to configure the Splunk Add-on for Check Point OPSEC LEA following this guide: http://wiki.splunk.com/Community:Configure_OPSEC_LEA_input.

Now that my Check Point management server is configured, I'm trying to pull the logs using the add-on, but whenever I use the GUI, add the connection, and pull the certificate, I get "server error", so I tried to pull the certificate via the CLI:

 ./opsec_pull_cert -h ip -n SplunkLEA -p <password>

and splunk gives me this error:

 bash: ./opsec_pull_cert: No such file or directory

But when I type ls, it shows:

opsec_pull_cert  opsec_putkey

What should I do?

0 Karma

Federica_92
Communicator

Yeah, basically the app isn't made to run on Ubuntu; if you look at the prerequisites you will see it. But I discovered it too late :)

0 Karma

jgoddard
Path Finder

I am also having this issue on Ubuntu. The files all have appropriate permissions. I've placed the symlink for libcpc++ into /lib/, and verified that I have a current glibc (libc6) and libpam0g-dev installed.

Using strings and grepping for .so gives me this list:
/lib/ld-linux.so.2
libpthread.so.0
libresolv.so.2
libdl.so.2
libpam.so.0
libnsl.so.1
libcpc++-libc6.1-2.so.3
libc.so.6

It appears that the issue is due to opsec_pull_cert requiring the i386 versions of all the libraries... I'm about halfway through installing those; will report back if I either kill my Splunk server or get it working...

0 Karma

jgoddard
Path Finder

That was indeed the ticket. On Ubuntu 14.04, adding the following extra packages makes it better:
libc6:i386 (pulls in gcc-4.9-base:i386 libc6:i386 libgcc1:i386 )
libpam0g:i386 (pulls in libaudit1:i386)

0 Karma

tskinnerivsec
Contributor

Have you installed all of the required libraries on your server? Do you have network communication between the Splunk server and the Check Point management server? My experience is that when these things are in place, using the web interface is definitely the easiest way to get it configured.

On a 64-bit Redhat/CentOS 6.x server I've had to do the following:

yum install glibc.i686
yum install pam.i686
ln -s /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/libcpc++libc6.1-2.so.3 /lib/libcpc++libc6.1-2.so.3

It seemed the scripts in the TA required these libraries in the couple cases I've worked on.

0 Karma

Federica_92
Communicator

I can't connect directly to the internet from the server. I executed:

ln -s /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/libcpc++libc6.1-2.so.3 /lib/libcpc++libc6.1-2.so.3

and it's fine. I also checked whether the libraries were already installed using:

apt-cache search libpam0g-dev
apt-cache search glibc

And both libraries seem to exist:
libpam0g-dev - Development files for PAM
libc6 - Embedded GNU C Library: Shared libraries
libc6-arm64-cross - Embedded GNU C Library: Shared libraries (for cross-compiling)
libc6-armel-cross - Embedded GNU C Library: Shared libraries (for cross-compiling)
libc6-armhf-cross - Embedded GNU C Library: Shared libraries (for cross-compiling)

How can I update them without internet access? I can move files to the server and download the packages using my laptop...

0 Karma
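The thread's diagnosis and fix, as an added example that is not code from any post above or from the Splunk TA: a POSIX shell script that reports why a binary `ls` can see is still rejected with "No such file or directory" (a 32-bit ELF whose 32-bit loader, /lib/ld-linux.so.2, is not installed, so execve() fails with ENOENT and bash blames the binary), followed by the Ubuntu i386 package steps from jgoddard's post, with an offline variant for a host that cannot reach the internet. The TA path, the function names and the extra package names in the offline comment are assumptions; the .deb versions must match the offline host's release.

```shell
#!/bin/sh
# Added example, not code from this thread or from the Splunk TA.
# 1) Explain a "No such file or directory" for a file that ls can see:
#    opsec_pull_cert is a 32-bit ELF, so the kernel must find its 32-bit
#    loader (/lib/ld-linux.so.2); when that loader is absent, execve()
#    fails with ENOENT and bash reports the error against the binary.
# 2) Install the i386 runtime on Ubuntu, online or from copied .deb files.
TA_BIN="/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin"   # assumption; adjust

# Print "32", "64" or "not-elf" for a file. EI_CLASS is byte 4 of the header:
# 1 = ELFCLASS32, 2 = ELFCLASS64. Only od (POSIX) is needed.
elf_class() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo "not-elf"; return 1; }
    case "$(od -An -tu1 -j4 -N1 "$1" | tr -d ' \n')" in
        1) echo 32 ;;
        2) echo 64 ;;
        *) echo "not-elf"; return 1 ;;
    esac
}

# Print the program interpreter (dynamic loader) recorded in PT_INTERP.
# readelf (binutils) is preferred; the grep fallback only finds glibc loaders.
elf_interp() {
    if command -v readelf >/dev/null 2>&1; then
        readelf -l "$1" 2>/dev/null |
            sed -n 's/.*program interpreter: \([^]]*\)\].*/\1/p'
    else
        grep -ao '/lib[0-9]*/ld-linux[-A-Za-z0-9_.]*\.so\.[0-9][0-9]*' "$1" 2>/dev/null |
            head -n 1
    fi
}

# Classify why "$1" would not run. Prints one of:
#   missing | not-elf | no-loader:<path> | missing-libs | ok
# Only run this on binaries you trust: ldd executes the target's loader.
check_binary() {
    bin="$1"
    [ -e "$bin" ] || { echo "missing"; return 1; }
    elf_class "$bin" >/dev/null || { echo "not-elf"; return 1; }
    interp=$(elf_interp "$bin")
    if [ -n "$interp" ] && [ ! -e "$interp" ]; then
        # The thread's case: the file exists, its loader does not -> ENOENT.
        echo "no-loader:$interp"; return 1
    fi
    if command -v ldd >/dev/null 2>&1 && ldd "$bin" 2>/dev/null | grep -q 'not found'; then
        echo "missing-libs"; return 1        # loader present, shared libs are not
    fi
    echo "ok"
}

# The TA ships libcpc++; the thread spells its file name two ways, so glob it.
link_ta_libcpc() {
    for lib in "$TA_BIN"/libcpc++*.so.3; do
        if [ -e "$lib" ]; then sudo ln -sf "$lib" "/lib/$(basename "$lib")"; fi
    done
}

# Ubuntu 14.04 fix from the thread, for a host with apt access.
ubuntu_install_i386_online() {
    sudo dpkg --add-architecture i386      # enable multiarch so :i386 packages resolve
    sudo apt-get update
    sudo apt-get install -y libc6:i386 libpam0g:i386
    link_ta_libcpc
}

# Offline host: on a connected Ubuntu machine of the same release, run
#   dpkg --add-architecture i386 && apt-get update
#   apt-get download libc6:i386 libgcc1:i386 gcc-4.9-base:i386 libpam0g:i386 libaudit1:i386
# (the extra names are the dependencies the thread saw apt pull in; assumption
# that nothing else is needed on your release), copy the .deb files over, then:
ubuntu_install_i386_offline() {
    debdir="${1:-.}"
    sudo dpkg --add-architecture i386
    sudo dpkg -i "$debdir"/*_i386.deb    # one dpkg run configures them in dependency order
    link_ta_libcpc
}

# Usage: sh check_opsec_pull_cert.sh "$TA_BIN/opsec_pull_cert"
if [ -n "${1:-}" ]; then
    check_binary "$1"
fi
```

Run `check_binary` on opsec_pull_cert before installing anything: `no-loader:/lib/ld-linux.so.2` is exactly the symptom in this thread, while `missing-libs` is what you get once the loader is present but libpam or libcpc++ is not. Because `ldd` executes the target's loader, point it only at binaries you trust.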