Splunk Add-on for Check Point OPSEC LEA: Why am I unable to set up lea_loggrabber?

rubeniturrieta
Communicator

I have a problem, and I hope that you can help me, please:

I'm installing the Splunk Add-on for Check Point OPSEC LEA, and I can't set up lea_loggrabber:

I'm using CentOS 7.1, and I have only one machine with Splunk.

I have attached the output file in this message.

I'll be very grateful for any help.

Regards

    ./lea-loggrabber-debug.sh
    Using Splunk instance: /opt/splunk, app name Splunk_TA_opseclea_linux22
    Splunk username: admin
    Password: 
    DEBUG: LOGGRABBER configuration file is: /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/fw1-loggrabber.conf
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_duplicate
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_duplicate
    DEBUG: function string_icmp
    DEBUG: function string_duplicate
    DEBUG: function string_duplicate
    DEBUG: function string_icmp
    DEBUG: function string_duplicate
    DEBUG: function string_duplicate
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_duplicate
    DEBUG: function string_icmp
    DEBUG: function string_duplicate
    DEBUG: function string_duplicate
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_duplicate
    DEBUG: function string_icmp
    DEBUG: function string_duplicate
    DEBUG: function string_duplicate
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_duplicate
    DEBUG: function string_icmp
    DEBUG: function string_duplicate
    DEBUG: function string_duplicate
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_duplicate
    DEBUG: function string_icmp
    DEBUG: function string_duplicate
    DEBUG: function string_duplicate
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_duplicate
    DEBUG: function string_icmp
    DEBUG: function string_duplicate
    DEBUG: function string_duplicate
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_duplicate
    DEBUG: function string_icmp
    DEBUG: function string_duplicate
    DEBUG: function string_duplicate
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_duplicate
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function string_trim
    DEBUG: function string_left_trim
    DEBUG: function string_right_trim
    DEBUG: function logging_init_env
    DEBUG: function open_screen
    DEBUG: Open connection to screen.
    DEBUG: Logfilename      : fw.log
    DEBUG: Record Separator : |
    DEBUG: Resolve Addresses: No
    DEBUG: Show Filenames   : No
    DEBUG: FW1-2000         : No
    DEBUG: Online-Mode      : No
    DEBUG: Audit-Log        : No
    DEBUG: Show Fieldnames  : Yes
    DEBUG: function get_fw1_logfiles
    splunk internal call command: $SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/
    splunk output: QUERYING: 'https://127.0.0.1:8089/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/'
    HTTP Status: 200.
    Content:
    <?xml version="1.0" encoding="UTF-8"?>
    <!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->
    <?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
    <feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
      <title></title>
      <id>https://127.0.0.1:8089/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf</id>
      <updated>2015-08-14T13:31:37-03:00</updated>
      <generator build="271043" version="6.2.4"/>
      <author>
        <name>Splunk</name>
      </author>
      <link href="/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/_new" rel="create"/>
      <opensearch:totalResults>1</opensearch:totalResults>
      <opensearch:itemsPerPage>30</opensearch:itemsPerPage>
      <opensearch:startIndex>0</opensearch:startIndex>
      <s:messages/>
      <entry>
        <title>CheckPoint_Internet</title>
        <id>https://127.0.0.1:8089/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/CheckPoint_Internet</id>
        <updated>2015-08-14T13:31:37-03:00</updated>
        <link href="/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/CheckPoint_Internet" rel="alternate"/>
        <author>
          <name>admin</name>
        </author>
        <link href="/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/CheckPoint_Internet" rel="list"/>
        <link href="/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/CheckPoint_Internet" rel="edit"/>
        <link href="/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/CheckPoint_Internet" rel="remove"/>
        <content type="text/xml">
          <s:dict>
            <s:key name="disabled">0</s:key>
            <s:key name="eai:acl">
              <s:dict>
                <s:key name="app">Splunk_TA_opseclea_linux22</s:key>
                <s:key name="can_change_perms">1</s:key>
                <s:key name="can_list">1</s:key>
                <s:key name="can_share_app">1</s:key>
                <s:key name="can_share_global">1</s:key>
                <s:key name="can_share_user">1</s:key>
                <s:key name="can_write">1</s:key>
                <s:key name="modifiable">1</s:key>
                <s:key name="owner">admin</s:key>
                <s:key name="perms">
                  <s:dict>
                    <s:key name="read">
                      <s:list>
                        <s:item>admin</s:item>
                      </s:list>
                    </s:key>
                    <s:key name="write">
                      <s:list>
                        <s:item>admin</s:item>
                      </s:list>
                    </s:key>
                  </s:dict>
                </s:key>
                <s:key name="removable">1</s:key>
                <s:key name="sharing">app</s:key>
              </s:dict>
            </s:key>
            <s:key name="eai:appName">Splunk_TA_opseclea_linux22</s:key>
            <s:key name="eai:userName">nobody</s:key>
            <s:key name="fw_version">77</s:key>
            <s:key name="is_disabled">0</s:key>
            <s:key name="lea_server_auth_port">18184</s:key>
            <s:key name="lea_server_auth_type">sslca</s:key>
            <s:key name="lea_server_ip">10.1.4.41</s:key>
            <s:key name="mode">fw</s:key>
            <s:key name="no_resolve">1</s:key>
            <s:key name="online_mode">1</s:key>
            <s:key name="opsec_entity_sic_name">CN=SensorSplunk,0=mngt-blackhole..rq9q26</s:key>
            <s:key name="opsec_sic_name">cn=cp_mgmt,o=mngt-blackhole..rq9q26</s:key>
            <s:key name="opsec_sslca_file">../certs/newFile.p12</s:key>
          </s:dict>
        </content>
      </entry>
    </feed>


    mode: fw
    addFilter: product=VPN-1 & FireWall-1
    DEBUG: function string_duplicate
    -v opsec_sic_name cn=cp_mgmt,o=mngt-xxx26-v opsec_sslca_file ../certs/newFile.p12 -v lea_server ip 10.1.4.41 -v lea_server auth_port 18184 -v lea_server auth_type sslca -v lea_server opsec_entity_sic_name CN=SensorSplunk,0=mngt-xxx26
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] Env Configuration:
    (
        :type (opsec_info)
        :lea_server (
            :opsec_entity_sic_name ("CN=SensorSplunk,0=mngt-blackhole..rq9q26")
            :auth_type (sslca)
            :auth_port (18184)
            :ip (10.1.4.41)
        )
        :opsec_sslca_file ("../certs/newFile.p12")
        :opsec_sic_name ("cn=cp_mgmt,o=mngt-blackhole..rq9q26")
    )

    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] Could not find info for ...opsec_shared_local_path...
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] Could not find info for ...opsec_sic_policy_file...
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] Could not find info for ...opsec_mt...
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_init: multithread safety is not initialized
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] cpprng_opsec_initialize: path is not initialized - will initialize
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] cpprng_opsec_initialize: full file name is ops_prng
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] cpprng_opsec_initialize: dev_urandom_poll returned 0
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_file_is_intialized: seed is initialized
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] cpprng_opsec_initialize: seed init for opsec succeeded
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_policy_create: version 5301.
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_policy_add_name_to_group: finished successfully.
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_policy_set_local_names: () names. finished successfully.
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_policy_create: finished successfully.
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_policy_add_name_to_group: finished successfully.
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_policy_set_local_names: (local_sic_name) names. finished successfully.
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_policy_add_name_to_group: finished successfully.
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_policy_set_local_names: (127.0.0.1) names. finished successfully.
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_policy_add_name_to_group: finished successfully.
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_policy_set_local_names: ("cn=cp_mgmt,o=mngt-blackhole..rq9q26") names. finished successfully.
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_apply_default_dn: ca_dn = [O=mngt-blackhole..rq9q26].
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_apply_default_dn: calling PM_policy_DN_conversion ..
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_apply_default_dn: finished successfully.
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] sslcaInitCP_Ex: failed to create keyholder
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_init_sslca: no key holder - symmetric SSLCA not started
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] sslcaInitCP_Ex: using asym client without ca cert
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] ckpSSLctx_New: prefs = 12
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] CkpRegDir: Environment variable CPDIR is not set.
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] GenerateGlobalEntry: Unable to get registry path
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] sslcaInitCP_Ex: using asym client without ca cert
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] ckpSSLctx_New: prefs = 32
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] sslcaInitCP_Ex: using asym client without ca cert
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] ckpSSLctx_New: prefs = 11
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] sslcaInitCP_Ex: using asym client without ca cert
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] ckpSSLctx_New: prefs = 31
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_init_sic_id_internal: Added sic id (ctx id = 0)
    DEBUG: OPSEC LEA conf file is lea.conf
    DEBUG: Authentication mode has been used.
    DEBUG: Server-IP     : 10.1.4.41
    DEBUG: Server-Port     : 18184
    DEBUG: Authentication type: sslca
    DEBUG: OPSEC sic certificate file name : ../certs/newFile.p12
    DEBUG: Server DN (sic name) : CN=SensorSplunk,0=mngt-blackhole..rq9q26
    DEBUG: OPSEC LEA client DN (sic name) : cn=cp_mgmt,o=mngt-blackhole..rq9q26
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_init_entity_sic: called for the client side
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] Configuring entity lea_server
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] Could not find info for ...conn_buf_size...
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] Could not find info for ...no_nagle...
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] Could not find info for ...port...
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_entity_add_sic_rule: adding rules: apply_to: ME, peer: CN=SensorSplunk,0=mngt-blackhole..rq9q26, d_ip: NULL, dport 18184, svc: lea, method: sslca
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_entity_add_sic_rule: adding INBOUND rule
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_entity_add_sic_rule: adding OUTBOUND rule
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] fwDN_add_CN: new dn is illegal
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_get_comm: creating comm for ent=8cf3e68  peer=8ceae48 passive=0 key=2 info=0
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] c=0x8cf3e68 s=0x8ceae48 comm_type=4

    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] Could not find info for ...opsec_client...
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_get_comm: Creating session hash (size=256)
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_get_comm: ADDING comm=0x8cf6968 to ent=0x8cf3e68 with key=2
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_env_get_context_id_by_peer_sic_name: illegal DN of sic name: CN=SensorSplunk,0=mngt-blackhole..rq9q26
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] OPSEC_SET_ERRNO: err =  4  Argument is NULL or lacks some data (pre =  0)
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_sic_connect: failed to get context id for connection
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_get_comm: error in opsec_sic_connect
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] destroying comm 0x8cf6968
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] Destroying comm 0x8cf6968 with 0 active sessions
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] pulling dgtype=ffffffff len=-1 to list=0x8cf6984
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] REMOVING comm=0x8cf6968 from ent=0x8cf3e68 with key=2
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] Unable to make session
    ERROR: failed to create session (Argument is NULL or lacks some data)
    DEBUG: function cleanup_fw1_environment
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] Destroying entity 1 with 0 active comms
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_destroy_entity_sic: deleting sic rules for entity 0x8cf3e68
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] Destroying entity 2 with 0 active comms
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_destroy_entity_sic: deleting sic rules for entity 0x8ceae48
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] IpcUnMapFile: unmapping file (handle=0x8cea748)
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] IpcUnMapFile: unmapping file (handle=0x8cea7f8)
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] IpcUnMapFile: unmapping file (handle=0x8cea8a8)
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] IpcUnMapFile: unmapping file (handle=0x8cea948)
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] IpcUnMapFile: unmapping file (handle=0x8cea9c8)
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] PM_policy_destroy: finished successfully.
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_destroy_sic_id_internal: Destroyed sic id (ctx id=0)
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] opsec_env_destroy_sic_id_hash: Destroyed sic id hash
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] fwd_env_destroy: env 0x8ccdfa0 (alloced = 1)
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] T_env_destroy: env 0x8ccdfa0 
    [ 627 4149561024]@localhost.localdomain[14 Aug 13:31:37] do_fwd_env_destroy:  really destroy 0x8ccdfa0
    DEBUG: function exit_loggrabber
    DEBUG: function free_lfield_arrays
    DEBUG: function free_afield_arrays
    DEBUG: function free_lfield_arrays
    DEBUG: function free_afield_arrays
0 Karma

jcoates_splunk
Splunk Employee

Just guessing, but did you install the 32-bit libraries mentioned here? http://docs.splunk.com/Documentation/OPSEC-LEA/3.1.0/Install/Systemrequirements

0 Karma
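
The debug output in the question reports `fwDN_add_CN: new dn is illegal` and `illegal DN of sic name` for a value whose second component is typed `0=` (digit zero). The following is an added example, not part of the thread or the add-on's own code: it checks the SIC-name fields of such output against the RFC 4514 attribute-type grammar and collects the DNs the OPSEC library rejected. The function names and the sample lines are constructed for illustration, and multi-valued RDNs (`+`) are not handled.

```python
import re

# RFC 4514 attribute type: a descriptor (letter, then letters/digits/hyphens)
# or a dotted numeric OID such as 2.5.4.10. A bare "0" matches neither form.
ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)$")

# opsec_conf fields that carry SIC names, as they appear in the REST output.
SIC_FIELDS = ("opsec_sic_name", "opsec_entity_sic_name")
KEY_RE = re.compile(r'<s:key name="(%s)">([^<]*)</s:key>' % "|".join(SIC_FIELDS))
ILLEGAL_RE = re.compile(r"illegal DN of sic name: (\S.*)$")


def split_rdns(dn):
    """Split a DN into components on commas that are not backslash-escaped."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts]


def dn_problems(dn):
    """Return a list of human-readable problems found in one DN string."""
    problems = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        attr = attr.strip()
        if not sep:
            problems.append(f"component {rdn!r} has no '='")
        elif not ATTR_TYPE.match(attr):
            hint = " (digit zero typed for letter O?)" if attr == "0" else ""
            problems.append(f"attribute type {attr!r} is not valid{hint}")
        elif not value.strip():
            problems.append(f"attribute {attr!r} has an empty value")
    return problems


def audit(debug_output):
    """Scan loggrabber debug output; return (line number, source, message) tuples."""
    findings = []
    for lineno, line in enumerate(debug_output.splitlines(), 1):
        m = KEY_RE.search(line)
        if m:
            for problem in dn_problems(m.group(2)):
                findings.append((lineno, m.group(1), problem))
        m = ILLEGAL_RE.search(line)
        if m:
            findings.append((lineno, "opsec log", "library rejected DN " + m.group(1).strip()))
    return findings


# Constructed sample modelled on the output in the question (values are placeholders).
SAMPLE = """\
    <s:key name="opsec_entity_sic_name">CN=ExampleClient,0=example-mgmt..abc123</s:key>
    <s:key name="opsec_sic_name">cn=cp_mgmt,o=example-mgmt..abc123</s:key>
[ 627 1]@host[14 Aug 13:31:37] opsec_env_get_context_id_by_peer_sic_name: illegal DN of sic name: CN=ExampleClient,0=example-mgmt..abc123
"""

if __name__ == "__main__":
    for lineno, source, message in audit(SAMPLE):
        print(f"line {lineno}: {source}: {message}")
```
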