Splunk Add-on for Check Point OPSEC LEA not making TCP outbound connections

daveABF
Engager

Can anyone assist? We recently upgraded Linux to the latest version of patches and, as a result, the Splunk Add-on for Check Point OPSEC LEA appears to have broken.

We have re-installed the app and triple-checked the configs, and there are no errors or warnings to suggest why it's not working, but the logs suggest there are 0 events. Can anyone give us an idea what could be preventing the app from pulling the logs? (We have disabled the local firewall completely.)

2018-09-05 13:34:11,487 +0000 log_level=INFO, pid=15591, tid=Thread-5, file=ta_data_collector.py, func_name=index_data, code_line_no=102 | [input_name="CONTFW01_SmartDefense" data="smartdefense"]  Start indexing data for CONTFW01_SmartDefense_smartdefense
2018-09-05 13:34:11,487 +0000 log_level=INFO, pid=15591, tid=Thread-4, file=ta_data_collector.py, func_name=index_data, code_line_no=102 | [input_name="CONTFW01_Firewall" data="fw"]  Start indexing data for CONTFW01_Firewall_fw
2018-09-05 13:34:11,487 +0000 log_level=INFO, pid=15591, tid=Thread-2, file=scheduler.py, func_name=get_ready_jobs, code_line_no=100 | Get 2 ready jobs, next duration is 59.999459, and there are 2 jobs scheduling
2018-09-05 13:34:11,488 +0000 log_level=INFO, pid=15591, tid=Thread-4, file=ta_opseclea_data_collector.py, func_name=start_lea_loggrabber, code_line_no=337 | [input_name="CONTFW01_Firewall" connection="CONTFW01" data="fw"] Starting /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/../bin/lea_loggrabber --data fw --debug_level 2 --appname Splunk_TA_checkpoint-opseclea --lea_server_ip 172.18.0.1 --lea_server_auth_port 18184 --lea_server_auth_type ssl_opsec --opsec_sslca_file /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/checpointfw.p12 --opsec_sic_name CN=ABF-SplunkLEA,O=CONTFW01.domain.local.erh35p --opsec_entity_sic_name CN=internal_ca,O=CONTFW01.domain.local.erh35p --filter product=VPN-1 & FireWall-1 --last_record_location 1528930800:11950265 --online --no_resolve
2018-09-05 13:34:11,489 +0000 log_level=INFO, pid=15591, tid=Thread-5, file=ta_opseclea_data_collector.py, func_name=start_lea_loggrabber, code_line_no=337 | [input_name="CONTFW01_SmartDefense" connection="CONTFW01" data="smartdefense"] Starting /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/../bin/lea_loggrabber --data smartdefense --debug_level 2 --appname Splunk_TA_checkpoint-opseclea --lea_server_ip 172.18.0.1 --lea_server_auth_port 18184 --lea_server_auth_type ssl_opsec --opsec_sslca_file /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/checpointfw.p12 --opsec_sic_name CN=ABF-SplunkLEA,O=CONTFW01.domain.local.erh35p --opsec_entity_sic_name CN=internal_ca,O=CONTFW01.domain.local.erh35p --filter product=SmartDefense --online --no_resolve
2018-09-05 13:34:11,496 +0000 log_level=INFO, pid=15591, tid=Thread-25, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="CONTFW01_Firewall" connection="CONTFW01" data="fw"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2535 :INFO: Successfully initialize client/server-pair
2018-09-05 13:34:11,496 +0000 log_level=INFO, pid=15591, tid=Thread-25, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="CONTFW01_Firewall" connection="CONTFW01" data="fw"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2506 :INFO: Successfully create opsec environment
2018-09-05 13:34:11,499 +0000 log_level=INFO, pid=15591, tid=Thread-27, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="CONTFW01_SmartDefense" connection="CONTFW01" data="smartdefense"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2535 :INFO: Successfully initialize client/server-pair
2018-09-05 13:34:11,499 +0000 log_level=INFO, pid=15591, tid=Thread-27, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="CONTFW01_SmartDefense" connection="CONTFW01" data="smartdefense"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2506 :INFO: Successfully create opsec environment
2018-09-05 13:34:11,503 +0000 log_level=INFO, pid=15591, tid=Thread-4, file=ta_opseclea_data_collector.py, func_name=get_contents, code_line_no=392 | [input_name="CONTFW01_Firewall" connection="CONTFW01" data="fw"] Successfully indexed events: 0
2018-09-05 13:34:11,505 +0000 log_level=INFO, pid=15591, tid=Thread-5, file=ta_opseclea_data_collector.py, func_name=get_contents, code_line_no=392 | [input_name="CONTFW01_SmartDefense" connection="CONTFW01" data="smartdefense"] Successfully indexed events: 0
2018-09-05 13:34:11,993 +0000 log_level=INFO, pid=15591, tid=Thread-4, file=thread_pool.py, func_name=_run, code_line_no=261 | Thread work_queue_size=0
2018-09-05 13:34:11,993 +0000 log_level=INFO, pid=15591, tid=Thread-4, file=ta_data_collector.py, func_name=index_data, code_line_no=119 | [input_name="CONTFW01_Firewall" data="fw"]  End of indexing data for CONTFW01_Firewall_fw
2018-09-05 13:34:11,995 +0000 log_level=INFO, pid=15591, tid=Thread-5, file=thread_pool.py, func_name=_run, code_line_no=261 | Thread work_queue_size=0
2018-09-05 13:34:11,995 +0000 log_level=INFO, pid=15591, tid=Thread-5, file=ta_data_collector.py, func_name=index_data, code_line_no=119 | [input_name="CONTFW01_SmartDefense" data="smartdefense"]  End of indexing data for CONTFW01_SmartDefense_smartdefense
2018-09-05 13:35:11,487 +0000 log_level=INFO, pid=15591, tid=Thread-7, file=ta_data_collector.py, func_name=index_data, code_line_no=102 | [input_name="CONTFW01_Firewall" data="fw"]  Start indexing data for CONTFW01_Firewall_fw
2018-09-05 13:35:11,487 +0000 log_level=INFO, pid=15591, tid=Thread-2, file=scheduler.py, func_name=get_ready_jobs, code_line_no=100 | Get 2 ready jobs, next duration is 59.999522, and there are 2 jobs scheduling
2018-09-05 13:35:11,488 +0000 log_level=INFO, pid=15591, tid=Thread-7, file=ta_opseclea_data_collector.py, func_name=start_lea_loggrabber, code_line_no=337 | [input_name="CONTFW01_Firewall" connection="CONTFW01" data="fw"] Starting /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/../bin/lea_loggrabber --data fw --debug_level 2 --appname Splunk_TA_checkpoint-opseclea --lea_server_ip 172.18.0.1 --lea_server_auth_port 18184 --lea_server_auth_type ssl_opsec --opsec_sslca_file /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/checpointfw.p12 --opsec_sic_name CN=ABF-SplunkLEA,O=CONTFW01.domain.local.erh35p --opsec_entity_sic_name CN=internal_ca,O=CONTFW01.domain.local.erh35p --filter product=VPN-1 & FireWall-1 --last_record_location 1528930800:11950265 --online --no_resolve
2018-09-05 13:35:11,488 +0000 log_level=INFO, pid=15591, tid=Thread-6, file=ta_data_collector.py, func_name=index_data, code_line_no=102 | [input_name="CONTFW01_SmartDefense" data="smartdefense"]  Start indexing data for CONTFW01_SmartDefense_smartdefense
2018-09-05 13:35:11,491 +0000 log_level=INFO, pid=15591, tid=Thread-6, file=ta_opseclea_data_collector.py, func_name=start_lea_loggrabber, code_line_no=337 | [input_name="CONTFW01_SmartDefense" connection="CONTFW01" data="smartdefense"] Starting /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/../bin/lea_loggrabber --data smartdefense --debug_level 2 --appname Splunk_TA_checkpoint-opseclea --lea_server_ip 172.18.0.1 --lea_server_auth_port 18184 --lea_server_auth_type ssl_opsec --opsec_sslca_file /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/checpointfw.p12 --opsec_sic_name CN=ABF-SplunkLEA,O=CONTFW01.domain.local.erh35p --opsec_entity_sic_name CN=internal_ca,O=CONTFW01.domain.local.erh35p --filter product=SmartDefense --online --no_resolve
2018-09-05 13:35:11,496 +0000 log_level=INFO, pid=15591, tid=Thread-29, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="CONTFW01_Firewall" connection="CONTFW01" data="fw"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2535 :INFO: Successfully initialize client/server-pair
2018-09-05 13:35:11,496 +0000 log_level=INFO, pid=15591, tid=Thread-29, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="CONTFW01_Firewall" connection="CONTFW01" data="fw"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2506 :INFO: Successfully create opsec environment
2018-09-05 13:35:11,498 +0000 log_level=INFO, pid=15591, tid=Thread-31, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="CONTFW01_SmartDefense" connection="CONTFW01" data="smartdefense"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2506 :INFO: Successfully create opsec environment
2018-09-05 13:35:11,499 +0000 log_level=INFO, pid=15591, tid=Thread-31, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="CONTFW01_SmartDefense" connection="CONTFW01" data="smartdefense"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2535 :INFO: Successfully initialize client/server-pair
2018-09-05 13:35:11,504 +0000 log_level=INFO, pid=15591, tid=Thread-7, file=ta_opseclea_data_collector.py, func_name=get_contents, code_line_no=392 | [input_name="CONTFW01_Firewall" connection="CONTFW01" data="fw"] Successfully indexed events: 0
2018-09-05 13:35:11,516 +0000 log_level=INFO, pid=15591, tid=Thread-6, file=ta_opseclea_data_collector.py, func_name=get_contents, code_line_no=392 | [input_name="CONTFW01_SmartDefense" connection="CONTFW01" data="smartdefense"] Successfully indexed events: 0
2018-09-05 13:35:11,994 +0000 log_level=INFO, pid=15591, tid=Thread-6, file=ta_data_collector.py, func_name=index_data, code_line_no=119 | [input_name="CONTFW01_SmartDefense" data="smartdefense"]  End of indexing data for CONTFW01_SmartDefense_smartdefense
2018-09-05 13:35:11,994 +0000 log_level=INFO, pid=15591, tid=Thread-7, file=thread_pool.py, func_name=_run, code_line_no=261 | Thread work_queue_size=0
2018-09-05 13:35:11,994 +0000 log_level=INFO, pid=15591, tid=Thread-7, file=ta_data_collector.py, func_name=index_data, code_line_no=119 | [input_name="CONTFW01_Firewall" data="fw"]  End of indexing data for CONTFW01_Firewall_fw
2018-09-05 13:35:11,995 +0000 log_level=INFO, pid=15591, tid=Thread-6, file=thread_pool.py, func_name=_run, code_line_no=261 | Thread work_queue_size=0
2018-09-05 13:36:11,487 +0000 log_level=INFO, pid=15591, tid=Thread-2, file=scheduler.py, func_name=get_ready_jobs, code_line_no=100 | Get 2 ready jobs, next duration is 59.998939, and there are 2 jobs scheduling
2018-09-05 13:36:11,488 +0000 log_level=INFO, pid=15591, tid=Thread-4, file=ta_opseclea_data_collector.py, func_name=start_lea_loggrabber, code_line_no=337 | [input_name="CONTFW01_Firewall" connection="CONTFW01" data="fw"] Starting /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/../bin/lea_loggrabber --data fw --debug_level 2 --appname Splunk_TA_checkpoint-opseclea --lea_server_ip 172.18.0.1 --lea_server_auth_port 18184 --lea_server_auth_type ssl_opsec --opsec_sslca_file /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/checpointfw.p12 --opsec_sic_name CN=ABF-SplunkLEA,O=CONTFW01.domain.local.erh35p --opsec_entity_sic_name CN=internal_ca,O=CONTFW01.domain.local.erh35p --filter product=VPN-1 & FireWall-1 --last_record_location 1528930800:11950265 --online --no_resolve
2018-09-05 13:36:11,488 +0000 log_level=INFO, pid=15591, tid=Thread-4, file=ta_data_collector.py, func_name=index_data, code_line_no=102 | [input_name="CONTFW01_Firewall" data="fw"]  Start indexing data for CONTFW01_Firewall_fw
2018-09-05 13:36:11,490 +0000 log_level=INFO, pid=15591, tid=Thread-5, file=ta_data_collector.py, func_name=index_data, code_line_no=102 | [input_name="CONTFW01_SmartDefense" data="smartdefense"]  Start indexing data for CONTFW01_SmartDefense_smartdefense
2018-09-05 13:36:11,491 +0000 log_level=INFO, pid=15591, tid=Thread-5, file=ta_opseclea_data_collector.py, func_name=start_lea_loggrabber, code_line_no=337 | [input_name="CONTFW01_SmartDefense" connection="CONTFW01" data="smartdefense"] Starting /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/../bin/lea_loggrabber --data smartdefense --debug_level 2 --appname Splunk_TA_checkpoint-opseclea --lea_server_ip 172.18.0.1 --lea_server_auth_port 18184 --lea_server_auth_type ssl_opsec --opsec_sslca_file /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/checpointfw.p12 --opsec_sic_name CN=ABF-SplunkLEA,O=CONTFW01.domain.local.erh35p --opsec_entity_sic_name CN=internal_ca,O=CONTFW01.domain.local.erh35p --filter product=SmartDefense --online --no_resolve
2018-09-05 13:36:11,495 +0000 log_level=INFO, pid=15591, tid=Thread-33, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="CONTFW01_Firewall" connection="CONTFW01" data="fw"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2535 :INFO: Successfully initialize client/server-pair
2018-09-05 13:36:11,495 +0000 log_level=INFO, pid=15591, tid=Thread-33, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="CONTFW01_Firewall" connection="CONTFW01" data="fw"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2506 :INFO: Successfully create opsec environment
2018-09-05 13:36:11,499 +0000 log_level=INFO, pid=15591, tid=Thread-35, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="CONTFW01_SmartDefense" connection="CONTFW01" data="smartdefense"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2535 :INFO: Successfully initialize client/server-pair
2018-09-05 13:36:11,499 +0000 log_level=INFO, pid=15591, tid=Thread-35, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="CONTFW01_SmartDefense" connection="CONTFW01" data="smartdefense"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2506 :INFO: Successfully create opsec environment
2018-09-05 13:36:11,502 +0000 log_level=INFO, pid=15591, tid=Thread-4, file=ta_opseclea_data_collector.py, func_name=get_contents, code_line_no=392 | [input_name="CONTFW01_Firewall" connection="CONTFW01" data="fw"] Successfully indexed events: 0
2018-09-05 13:36:11,507 +0000 log_level=INFO, pid=15591, tid=Thread-5, file=ta_opseclea_data_collector.py, func_name=get_contents, code_line_no=392 | [input_name="CONTFW01_SmartDefense" connection="CONTFW01" data="smartdefense"] Successfully indexed events: 0
2018-09-05 13:36:11,995 +0000 log_level=INFO, pid=15591, tid=Thread-4, file=thread_pool.py, func_name=_run, code_line_no=261 | Thread work_queue_size=0
2018-09-05 13:36:11,995 +0000 log_level=INFO, pid=15591, tid=Thread-4, file=ta_data_collector.py, func_name=index_data, code_line_no=119 | [input_name="CONTFW01_Firewall" data="fw"]  End of indexing data for CONTFW01_Firewall_fw
2018-09-05 13:36:11,996 +0000 log_level=INFO, pid=15591, tid=Thread-5, file=thread_pool.py, func_name=_run, code_line_no=261 | Thread work_queue_size=0
2018-09-05 13:36:11,996 +0000 log_level=INFO, pid=15591, tid=Thread-5, file=ta_data_collector.py, func_name=index_data, code_line_no=119 | [input_name="CONTFW01_SmartDefense" data="smartdefense"]  End of indexing data for CONTFW01_SmartDefense_smartdefense
2018-09-05 13:37:11,487 +0000 log_level=INFO, pid=15591, tid=Thread-2, file=scheduler.py, func_name=get_ready_jobs, code_line_no=100 | Get 2 ready jobs, next duration is 59.999463, and there are 2 jobs scheduling
2018-09-05 13:37:11,488 +0000 log_level=INFO, pid=15591, tid=Thread-6, file=ta_data_collector.py, func_name=index_data, code_line_no=102 | [input_name="CONTFW01_Firewall" data="fw"]  Start indexing data for CONTFW01_Firewall_fw
2018-09-05 13:37:11,489 +0000 log_level=INFO, pid=15591, tid=Thread-6, file=ta_opseclea_data_collector.py, func_name=start_lea_loggrabber, code_line_no=337 | [input_name="CONTFW01_Firewall" connection="CONTFW01" data="fw"] Starting /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/../bin/lea_loggrabber --data fw --debug_level 2 --appname Splunk_TA_checkpoint-opseclea --lea_server_ip 172.18.0.1 --lea_server_auth_port 18184 --lea_server_auth_type ssl_opsec --opsec_sslca_file /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/checpointfw.p12 --opsec_sic_name CN=ABF-SplunkLEA,O=CONTFW01.domain.local.erh35p --opsec_entity_sic_name CN=internal_ca,O=CONTFW01.domain.local.erh35p --filter product=VPN-1 & FireWall-1 --last_record_location 1528930800:11950265 --online --no_resolve
2018-09-05 13:37:11,492 +0000 log_level=INFO, pid=15591, tid=Thread-7, file=ta_data_collector.py, func_name=index_data, code_line_no=102 | [input_name="CONTFW01_SmartDefense" data="smartdefense"]  Start indexing data for CONTFW01_SmartDefense_smartdefense
1 Solution

daveABF
Engager

Found the answer to our problem.

The lea_loggrabber was having a segmentation crash. It turned out the problem was due to the hostname not being listed in the hosts file.

Adding it solved the issue.


Jammular
New Member

I'm using R80.10 Checkpoint Management and I have no data coming from the Checkpoint Management. May I know which file needs to be changed? ("hostname not being listed in the hosts file")

2019-04-02 09:29:44,915 +0000 log_level=INFO, pid=27948, tid=Thread-7, file=ta_opseclea_data_collector.py, func_name=get_contents, code_line_no=392 | [input_name="tfnsw-fw-logs" connection="SplunkLEA-Cisco" data="fw"] Successfully indexed events: 0
2019-04-02 09:29:44,915 +0000 log_level=INFO, pid=27948, tid=Thread-13597, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="tfnsw-fw-audit-logs" connection="SplunkLEA-Cisco" data="audit"] :opsec_sslca_file ("/opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/SplunkLEA-Cisco_2473663670.p12")
2019-04-02 09:29:44,915 +0000 log_level=INFO, pid=27948, tid=Thread-13599, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="tfnsw-fw-logs" connection="SplunkLEA-Cisco" data="fw"] :auth_type (sslca)
2019-04-02 09:29:44,915 +0000 log_level=INFO, pid=27948, tid=Thread-13597, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="tfnsw-fw-audit-logs" connection="SplunkLEA-Cisco" data="audit"] :opsec_sic_name ("CN=,O=")
2019-04-02 09:29:44,915 +0000 log_level=INFO, pid=27948, tid=Thread-13599, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="tfnsw-fw-logs" connection="SplunkLEA-Cisco" data="fw"] :auth_port (18184)


richgalloway
SplunkTrust

@Jammular Please post a new question describing your problem.


anywhere99
Explorer

Thanks for this answer, it helped me a lot. I am just trying to understand what type of segmentation crash it was?

yangban
Explorer

Having exactly the same issue here. Did you just put a host stanza in your input?


Jammular
New Member

Not exactly. You need to update your hosts file with exactly the same FQDN as your Splunk LEA uses.

You should see something like this in your lea_loggrabber logs:
resolver_getaddrinfo_list: name=XXXXXXXXXXXXXXX, pref=0

Just check if this is the same in /etc/hosts, else add the same.

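The check described in the reply above, as an added example (not code from the thread or from the Splunk add-on): a POSIX shell function that pulls every name lea_loggrabber tried to resolve from its "resolver_getaddrinfo_list: name=..., pref=0" debug lines and reports which ones have no entry in a hosts file. The log lines, hostnames and addresses in write_sample_files are constructed for the demonstration.

```shell
# Usage: check_lea_hosts /path/to/lea_loggrabber.log [/etc/hosts]
# Returns 0 only if every resolver name has a hosts-file entry.

# exact, case-insensitive match of NAME ($2) against the hostname/alias
# fields (everything after the address) of non-comment lines in HOSTSFILE ($1)
hosts_has_name() {
    awk -v n="$2" '
        { sub(/#.*/, "") }                     # drop full-line and trailing comments
        NF >= 2 { for (i = 2; i <= NF; i++)
                      if (tolower($i) == tolower(n)) { found = 1; exit } }
        END { exit !found }' "$1"
}

# prints one ok/MISSING line per distinct resolver name found in the log
check_lea_hosts() {
    logfile=$1
    hostsfile=${2:-/etc/hosts}
    # the name is everything after "name=" up to the ", pref=..." part
    names=$(sed -n 's/.*resolver_getaddrinfo_list: name=\([^,[:space:]]*\).*/\1/p' "$logfile" | sort -u)
    missing=0
    for name in $names; do
        if hosts_has_name "$hostsfile" "$name"; then
            echo "ok      $name is in $hostsfile"
        else
            echo "MISSING $name has no entry in $hostsfile"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# constructed sample input (made-up hostnames and addresses) so the check
# runs offline; writes lea_loggrabber.log and hosts into the directory $1
write_sample_files() {
    cat > "$1/lea_loggrabber.log" <<'EOF'
resolver_getaddrinfo_list: name=contfw01.example.test, pref=0
resolver_getaddrinfo_list: name=splunk-hf01.example.test, pref=0
resolver_getaddrinfo_list: name=contfw01.example.test, pref=0
EOF
    cat > "$1/hosts" <<'EOF'
127.0.0.1   localhost
# 10.0.0.9  splunk-hf01.example.test   (commented out, so it must not count)
10.0.0.1    contfw01.example.test contfw01
EOF
}
```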

yangban
Explorer

Fantastic, thanks! I was stuck here for days!
