Splunk Add-on for Check Point OPSEC LEA: Why am I unable to gather Check Point logs from LEA Server using OPSEC 4.1

georgen_splunk
Splunk Employee

After recently configuring the Splunk Add-on for Check Point OPSEC LEA, I'm finding these errors reported in my splunk_ta_checkpoint-opseclea_modinput.log and no events are indexed.

2016-12-27 20:25:58,983 +0000 log_level=ERROR, pid=10558, tid=Thread-5, file=ta_data_collector.py, func_name=index_data, code_line_no=108 | [input_name="SPLUNKLEA" data="non_audit"]  Failed to index data, reason:
Traceback (most recent call last):
  File "/opt/PROD/6.4.3.a/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/splunk_ta_checkpoint_opseclea/splunktaucclib/data_collection/ta_data_collector.py", line 105, in index_data
    self._do_safe_index()
  File "/opt/PROD/6.4.3.a/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/splunk_ta_checkpoint_opseclea/splunktaucclib/data_collection/ta_data_collector.py", line 148, in _do_safe_index
    self._client = self._create_data_client()
  File "/opt/PROD/6.4.3.a/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/splunk_ta_checkpoint_opseclea/splunktaucclib/data_collection/ta_data_collector.py", line 73, in _create_data_client
    ckpt = self._get_ckpt()
  File "/opt/PROD/6.4.3.a/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/splunk_ta_checkpoint_opseclea/splunktaucclib/data_collection/ta_data_collector.py", line 64, in _get_ckpt
    return self._checkpoint_manager.get_ckpt()
  File "/opt/PROD/6.4.3.a/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/splunk_ta_checkpoint_opseclea/splunktaucclib/data_collection/ta_checkpoint_manager.py", line 32, in get_ckpt
    return self._store.get_state(key)
  File "/opt/PROD/6.4.3.a/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/splunk_ta_checkpoint_opseclea/splunktalib/state_store.py", line 202, in get_state
    state = json.load(jsonfile)
  File "/opt/PROD/6.4.3.a/splunk/lib/python2.7/json/__init__.py", line 291, in load
    **kw)
  File "/opt/PROD/6.4.3.a/splunk/lib/python2.7/json/__init__.py", line 339, in loads
    return _default_decoder.decode(s)
  File "/opt/PROD/6.4.3.a/splunk/lib/python2.7/json/decoder.py", line 364, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/opt/PROD/6.4.3.a/splunk/lib/python2.7/json/decoder.py", line 382, in raw_decode
    raise ValueError("No JSON object could be decoded")
ValueError: No JSON object could be decoded
1 Solution

georgen_splunk
Splunk Employee

Last line in the error above:
> ValueError: No JSON object could be decoded
I was able to fix this by deleting the App's modinputs checkpoint (pointer file) that tracks the last location of the FW log.

Fix: cp to backup or delete $SPLUNK_HOME/var/lib/splunk/modinputs/checkpoint_opseclea/<input_name>

I've also reported this as a bug; please contact Support for more info.

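As an added example (not part of the original thread or the add-on's own code), the following Python 3 script performs the fix above in a checked way: it tries to parse every pointer file under $SPLUNK_HOME/var/lib/splunk/modinputs/checkpoint_opseclea/ and moves only the ones that fail to decode into a timestamped backup directory, leaving the directory itself and any healthy files in place. The demo directory, file names and JSON keys it constructs are placeholders, not the add-on's real checkpoint format.

```python
import json
import os
import shutil
import tempfile
import time

# Pointer-file directory named in the answer above; $SPLUNK_HOME falls back to /opt/splunk.
DEFAULT_CKPT_DIR = os.path.join(
    os.environ.get("SPLUNK_HOME", "/opt/splunk"),
    "var", "lib", "splunk", "modinputs", "checkpoint_opseclea")


def is_valid_checkpoint(path):
    """True if the file parses as a JSON object; a truncated or empty file
    (the state left by a hard reboot) raises ValueError and returns False."""
    try:
        with open(path, "r", encoding="utf-8") as fh:
            return isinstance(json.load(fh), dict)
    except (ValueError, OSError):
        return False


def quarantine_corrupt_checkpoints(ckpt_dir=DEFAULT_CKPT_DIR, backup_dir=None):
    """Move unparsable pointer files out of ckpt_dir (files only; the directory
    stays) so the input restarts from a clean pointer. Files are moved rather
    than deleted so they can be inspected or restored. Returns backup paths."""
    if backup_dir is None:
        backup_dir = ckpt_dir.rstrip(os.sep) + ".bak." + time.strftime("%Y%m%d%H%M%S")
    moved = []
    for name in sorted(os.listdir(ckpt_dir)):
        src = os.path.join(ckpt_dir, name)
        if not os.path.isfile(src) or is_valid_checkpoint(src):
            continue
        os.makedirs(backup_dir, exist_ok=True)
        dst = os.path.join(backup_dir, name)
        shutil.move(src, dst)
        moved.append(dst)
    return moved


def make_demo_dir():
    """Constructed sample (placeholder names/keys): one well-formed pointer
    file and one zero-byte file standing in for an unclean-shutdown leftover."""
    demo = tempfile.mkdtemp(prefix="checkpoint_opseclea_demo_")
    with open(os.path.join(demo, "SPLUNKLEA_good"), "w", encoding="utf-8") as fh:
        json.dump({"input_name": "SPLUNKLEA", "offset": 1234}, fh)
    open(os.path.join(demo, "SPLUNKLEA_truncated"), "w").close()
    return demo


if __name__ == "__main__":
    print(quarantine_corrupt_checkpoints(make_demo_dir()))
```

Run against the real directory only with splunkd stopped or the input disabled, so the modular input does not rewrite a pointer while it is being moved.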

splunkreal
Motivator

Hello,

Is restarting splunkd necessary after deleting the checkpoint file (pointer)?

Thanks.

evinasco
Communicator

Do I need to delete the folder or just the files?


evinasco
Communicator

I have this problem:

2018-08-15 22:19:27,785 +0000 log_level=ERROR, pid=36052, tid=MainThread, file=checkpoint_opseclea.py, func_name=main, code_line_no=178 | Encounter exception=Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/checkpoint_opseclea.py", line 175, in main
    run()
  File "/opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/checkpoint_opseclea.py", line 97, in run
    tconfig = tc.create_ta_opseclea_config()
  File "/opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/splunk_ta_checkpoint_opseclea/ta_opseclea_config.py", line 15, in create_ta_opseclea_config
    return TaOpsecLeaConfig(meta_configs, input_configs, client_schema)
  File "/opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/splunk_ta_checkpoint_opseclea/splunktaucclib/data_collection/ta_config.py", line 23, in __init__
    self._generate_configs()
  File "/opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/splunk_ta_checkpoint_opseclea/splunktaucclib/data_collection/ta_config.py", line 105, in _generate_configs
    self._set_task_configs(task_configs)
  File "/opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/splunk_ta_checkpoint_opseclea/ta_opseclea_config.py", line 21, in _set_task_configs
    connection = task_config[c.connections][task_config[c.connection]]
KeyError: u'10.107.35.30'

georgen_splunk
Splunk Employee

This appears to be a configuration issue. Would it be possible to capture a diag of this instance and open a Support case? We should be able to quickly identify the stanza/setting that's causing this KeyError.


evinasco
Communicator

I created Splunk Support case 1088513.

georgen_splunk
Splunk Employee

Just the files.


aosso
Path Finder

We had a crash on the ESX containing one of our Splunks that caused a sudden reboot, and we were facing this same error (latest OPSEC LEA plugin).

Solution worked great!

Thanks


shawngarrettsgp
Path Finder

Worked great for me on version 4.2.0, thanks; so glad I found this post! I'm still waiting on support to acknowledge the case I submitted for the issue yesterday, despite them saying they'd e-mail back in the morning. That's what I get for not googling the cryptic error messages first. It was confusing, as during my troubleshooting the DEBUG check (running the add-on manually to a temp file) worked fine. As you mentioned, we had a hard reboot, so it didn't shut down cleanly. (Really not sure why we pay for support still, tbh...)