Can anyone assist? We recently upgraded Linux to the latest version of patches and, as a result, the Splunk Add-on for Check Point OPSEC LEA appears to have broken.
We have re-installed the app and triple-checked the configs, and there are no errors or warnings to suggest why it's not working, but the logs suggest there are 0 events. Can anyone give us an idea what could be preventing the app from pulling the logs? (We have disabled the local firewall completely.)
2018-09-05 13:34:11,487 +0000 log_level=INFO, pid=15591, tid=Thread-5, file=ta_data_collector.py, func_name=index_data, code_line_no=102 | [input_name="CONTFW01_SmartDefense" data="smartdefense"] Start indexing data for CONTFW01_SmartDefense_smartdefense
2018-09-05 13:34:11,487 +0000 log_level=INFO, pid=15591, tid=Thread-4, file=ta_data_collector.py, func_name=index_data, code_line_no=102 | [input_name="CONTFW01_Firewall" data="fw"] Start indexing data for CONTFW01_Firewall_fw
2018-09-05 13:34:11,487 +0000 log_level=INFO, pid=15591, tid=Thread-2, file=scheduler.py, func_name=get_ready_jobs, code_line_no=100 | Get 2 ready jobs, next duration is 59.999459, and there are 2 jobs scheduling
2018-09-05 13:34:11,488 +0000 log_level=INFO, pid=15591, tid=Thread-4, file=ta_opseclea_data_collector.py, func_name=start_lea_loggrabber, code_line_no=337 | [input_name="CONTFW01_Firewall" connection="CONTFW01" data="fw"] Starting /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/../bin/lea_loggrabber --data fw --debug_level 2 --appname Splunk_TA_checkpoint-opseclea --lea_server_ip 172.18.0.1 --lea_server_auth_port 18184 --lea_server_auth_type ssl_opsec --opsec_sslca_file /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/checpointfw.p12 --opsec_sic_name CN=ABF-SplunkLEA,O=CONTFW01.domain.local.erh35p --opsec_entity_sic_name CN=internal_ca,O=CONTFW01.domain.local.erh35p --filter product=VPN-1 & FireWall-1 --last_record_location 1528930800:11950265 --online --no_resolve
2018-09-05 13:34:11,489 +0000 log_level=INFO, pid=15591, tid=Thread-5, file=ta_opseclea_data_collector.py, func_name=start_lea_loggrabber, code_line_no=337 | [input_name="CONTFW01_SmartDefense" connection="CONTFW01" data="smartdefense"] Starting /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/../bin/lea_loggrabber --data smartdefense --debug_level 2 --appname Splunk_TA_checkpoint-opseclea --lea_server_ip 172.18.0.1 --lea_server_auth_port 18184 --lea_server_auth_type ssl_opsec --opsec_sslca_file /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/checpointfw.p12 --opsec_sic_name CN=ABF-SplunkLEA,O=CONTFW01.domain.local.erh35p --opsec_entity_sic_name CN=internal_ca,O=CONTFW01.domain.local.erh35p --filter product=SmartDefense --online --no_resolve
2018-09-05 13:34:11,496 +0000 log_level=INFO, pid=15591, tid=Thread-25, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="CONTFW01_Firewall" connection="CONTFW01" data="fw"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2535 :INFO: Successfully initialize client/server-pair
2018-09-05 13:34:11,496 +0000 log_level=INFO, pid=15591, tid=Thread-25, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="CONTFW01_Firewall" connection="CONTFW01" data="fw"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2506 :INFO: Successfully create opsec environment
2018-09-05 13:34:11,499 +0000 log_level=INFO, pid=15591, tid=Thread-27, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="CONTFW01_SmartDefense" connection="CONTFW01" data="smartdefense"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2535 :INFO: Successfully initialize client/server-pair
2018-09-05 13:34:11,499 +0000 log_level=INFO, pid=15591, tid=Thread-27, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="CONTFW01_SmartDefense" connection="CONTFW01" data="smartdefense"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2506 :INFO: Successfully create opsec environment
2018-09-05 13:34:11,503 +0000 log_level=INFO, pid=15591, tid=Thread-4, file=ta_opseclea_data_collector.py, func_name=get_contents, code_line_no=392 | [input_name="CONTFW01_Firewall" connection="CONTFW01" data="fw"] Successfully indexed events: 0
2018-09-05 13:34:11,505 +0000 log_level=INFO, pid=15591, tid=Thread-5, file=ta_opseclea_data_collector.py, func_name=get_contents, code_line_no=392 | [input_name="CONTFW01_SmartDefense" connection="CONTFW01" data="smartdefense"] Successfully indexed events: 0
2018-09-05 13:34:11,993 +0000 log_level=INFO, pid=15591, tid=Thread-4, file=thread_pool.py, func_name=_run, code_line_no=261 | Thread work_queue_size=0
2018-09-05 13:34:11,993 +0000 log_level=INFO, pid=15591, tid=Thread-4, file=ta_data_collector.py, func_name=index_data, code_line_no=119 | [input_name="CONTFW01_Firewall" data="fw"] End of indexing data for CONTFW01_Firewall_fw
2018-09-05 13:34:11,995 +0000 log_level=INFO, pid=15591, tid=Thread-5, file=thread_pool.py, func_name=_run, code_line_no=261 | Thread work_queue_size=0
2018-09-05 13:34:11,995 +0000 log_level=INFO, pid=15591, tid=Thread-5, file=ta_data_collector.py, func_name=index_data, code_line_no=119 | [input_name="CONTFW01_SmartDefense" data="smartdefense"] End of indexing data for CONTFW01_SmartDefense_smartdefense
2018-09-05 13:35:11,487 +0000 log_level=INFO, pid=15591, tid=Thread-7, file=ta_data_collector.py, func_name=index_data, code_line_no=102 | [input_name="CONTFW01_Firewall" data="fw"] Start indexing data for CONTFW01_Firewall_fw
2018-09-05 13:35:11,487 +0000 log_level=INFO, pid=15591, tid=Thread-2, file=scheduler.py, func_name=get_ready_jobs, code_line_no=100 | Get 2 ready jobs, next duration is 59.999522, and there are 2 jobs scheduling
2018-09-05 13:35:11,488 +0000 log_level=INFO, pid=15591, tid=Thread-7, file=ta_opseclea_data_collector.py, func_name=start_lea_loggrabber, code_line_no=337 | [input_name="CONTFW01_Firewall" connection="CONTFW01" data="fw"] Starting /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/../bin/lea_loggrabber --data fw --debug_level 2 --appname Splunk_TA_checkpoint-opseclea --lea_server_ip 172.18.0.1 --lea_server_auth_port 18184 --lea_server_auth_type ssl_opsec --opsec_sslca_file /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/checpointfw.p12 --opsec_sic_name CN=ABF-SplunkLEA,O=CONTFW01.domain.local.erh35p --opsec_entity_sic_name CN=internal_ca,O=CONTFW01.domain.local.erh35p --filter product=VPN-1 & FireWall-1 --last_record_location 1528930800:11950265 --online --no_resolve
2018-09-05 13:35:11,488 +0000 log_level=INFO, pid=15591, tid=Thread-6, file=ta_data_collector.py, func_name=index_data, code_line_no=102 | [input_name="CONTFW01_SmartDefense" data="smartdefense"] Start indexing data for CONTFW01_SmartDefense_smartdefense
2018-09-05 13:35:11,491 +0000 log_level=INFO, pid=15591, tid=Thread-6, file=ta_opseclea_data_collector.py, func_name=start_lea_loggrabber, code_line_no=337 | [input_name="CONTFW01_SmartDefense" connection="CONTFW01" data="smartdefense"] Starting /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/../bin/lea_loggrabber --data smartdefense --debug_level 2 --appname Splunk_TA_checkpoint-opseclea --lea_server_ip 172.18.0.1 --lea_server_auth_port 18184 --lea_server_auth_type ssl_opsec --opsec_sslca_file /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/checpointfw.p12 --opsec_sic_name CN=ABF-SplunkLEA,O=CONTFW01.domain.local.erh35p --opsec_entity_sic_name CN=internal_ca,O=CONTFW01.domain.local.erh35p --filter product=SmartDefense --online --no_resolve
2018-09-05 13:35:11,496 +0000 log_level=INFO, pid=15591, tid=Thread-29, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="CONTFW01_Firewall" connection="CONTFW01" data="fw"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2535 :INFO: Successfully initialize client/server-pair
2018-09-05 13:35:11,496 +0000 log_level=INFO, pid=15591, tid=Thread-29, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="CONTFW01_Firewall" connection="CONTFW01" data="fw"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2506 :INFO: Successfully create opsec environment
2018-09-05 13:35:11,498 +0000 log_level=INFO, pid=15591, tid=Thread-31, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="CONTFW01_SmartDefense" connection="CONTFW01" data="smartdefense"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2506 :INFO: Successfully create opsec environment
2018-09-05 13:35:11,499 +0000 log_level=INFO, pid=15591, tid=Thread-31, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="CONTFW01_SmartDefense" connection="CONTFW01" data="smartdefense"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2535 :INFO: Successfully initialize client/server-pair
2018-09-05 13:35:11,504 +0000 log_level=INFO, pid=15591, tid=Thread-7, file=ta_opseclea_data_collector.py, func_name=get_contents, code_line_no=392 | [input_name="CONTFW01_Firewall" connection="CONTFW01" data="fw"] Successfully indexed events: 0
2018-09-05 13:35:11,516 +0000 log_level=INFO, pid=15591, tid=Thread-6, file=ta_opseclea_data_collector.py, func_name=get_contents, code_line_no=392 | [input_name="CONTFW01_SmartDefense" connection="CONTFW01" data="smartdefense"] Successfully indexed events: 0
2018-09-05 13:35:11,994 +0000 log_level=INFO, pid=15591, tid=Thread-6, file=ta_data_collector.py, func_name=index_data, code_line_no=119 | [input_name="CONTFW01_SmartDefense" data="smartdefense"] End of indexing data for CONTFW01_SmartDefense_smartdefense
2018-09-05 13:35:11,994 +0000 log_level=INFO, pid=15591, tid=Thread-7, file=thread_pool.py, func_name=_run, code_line_no=261 | Thread work_queue_size=0
2018-09-05 13:35:11,994 +0000 log_level=INFO, pid=15591, tid=Thread-7, file=ta_data_collector.py, func_name=index_data, code_line_no=119 | [input_name="CONTFW01_Firewall" data="fw"] End of indexing data for CONTFW01_Firewall_fw
2018-09-05 13:35:11,995 +0000 log_level=INFO, pid=15591, tid=Thread-6, file=thread_pool.py, func_name=_run, code_line_no=261 | Thread work_queue_size=0
2018-09-05 13:36:11,487 +0000 log_level=INFO, pid=15591, tid=Thread-2, file=scheduler.py, func_name=get_ready_jobs, code_line_no=100 | Get 2 ready jobs, next duration is 59.998939, and there are 2 jobs scheduling
2018-09-05 13:36:11,488 +0000 log_level=INFO, pid=15591, tid=Thread-4, file=ta_opseclea_data_collector.py, func_name=start_lea_loggrabber, code_line_no=337 | [input_name="CONTFW01_Firewall" connection="CONTFW01" data="fw"] Starting /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/../bin/lea_loggrabber --data fw --debug_level 2 --appname Splunk_TA_checkpoint-opseclea --lea_server_ip 172.18.0.1 --lea_server_auth_port 18184 --lea_server_auth_type ssl_opsec --opsec_sslca_file /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/checpointfw.p12 --opsec_sic_name CN=ABF-SplunkLEA,O=CONTFW01.domain.local.erh35p --opsec_entity_sic_name CN=internal_ca,O=CONTFW01.domain.local.erh35p --filter product=VPN-1 & FireWall-1 --last_record_location 1528930800:11950265 --online --no_resolve
2018-09-05 13:36:11,488 +0000 log_level=INFO, pid=15591, tid=Thread-4, file=ta_data_collector.py, func_name=index_data, code_line_no=102 | [input_name="CONTFW01_Firewall" data="fw"] Start indexing data for CONTFW01_Firewall_fw
2018-09-05 13:36:11,490 +0000 log_level=INFO, pid=15591, tid=Thread-5, file=ta_data_collector.py, func_name=index_data, code_line_no=102 | [input_name="CONTFW01_SmartDefense" data="smartdefense"] Start indexing data for CONTFW01_SmartDefense_smartdefense
2018-09-05 13:36:11,491 +0000 log_level=INFO, pid=15591, tid=Thread-5, file=ta_opseclea_data_collector.py, func_name=start_lea_loggrabber, code_line_no=337 | [input_name="CONTFW01_SmartDefense" connection="CONTFW01" data="smartdefense"] Starting /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/../bin/lea_loggrabber --data smartdefense --debug_level 2 --appname Splunk_TA_checkpoint-opseclea --lea_server_ip 172.18.0.1 --lea_server_auth_port 18184 --lea_server_auth_type ssl_opsec --opsec_sslca_file /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/checpointfw.p12 --opsec_sic_name CN=ABF-SplunkLEA,O=CONTFW01.domain.local.erh35p --opsec_entity_sic_name CN=internal_ca,O=CONTFW01.domain.local.erh35p --filter product=SmartDefense --online --no_resolve
2018-09-05 13:36:11,495 +0000 log_level=INFO, pid=15591, tid=Thread-33, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="CONTFW01_Firewall" connection="CONTFW01" data="fw"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2535 :INFO: Successfully initialize client/server-pair
2018-09-05 13:36:11,495 +0000 log_level=INFO, pid=15591, tid=Thread-33, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="CONTFW01_Firewall" connection="CONTFW01" data="fw"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2506 :INFO: Successfully create opsec environment
2018-09-05 13:36:11,499 +0000 log_level=INFO, pid=15591, tid=Thread-35, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="CONTFW01_SmartDefense" connection="CONTFW01" data="smartdefense"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2535 :INFO: Successfully initialize client/server-pair
2018-09-05 13:36:11,499 +0000 log_level=INFO, pid=15591, tid=Thread-35, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="CONTFW01_SmartDefense" connection="CONTFW01" data="smartdefense"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2506 :INFO: Successfully create opsec environment
2018-09-05 13:36:11,502 +0000 log_level=INFO, pid=15591, tid=Thread-4, file=ta_opseclea_data_collector.py, func_name=get_contents, code_line_no=392 | [input_name="CONTFW01_Firewall" connection="CONTFW01" data="fw"] Successfully indexed events: 0
2018-09-05 13:36:11,507 +0000 log_level=INFO, pid=15591, tid=Thread-5, file=ta_opseclea_data_collector.py, func_name=get_contents, code_line_no=392 | [input_name="CONTFW01_SmartDefense" connection="CONTFW01" data="smartdefense"] Successfully indexed events: 0
2018-09-05 13:36:11,995 +0000 log_level=INFO, pid=15591, tid=Thread-4, file=thread_pool.py, func_name=_run, code_line_no=261 | Thread work_queue_size=0
2018-09-05 13:36:11,995 +0000 log_level=INFO, pid=15591, tid=Thread-4, file=ta_data_collector.py, func_name=index_data, code_line_no=119 | [input_name="CONTFW01_Firewall" data="fw"] End of indexing data for CONTFW01_Firewall_fw
2018-09-05 13:36:11,996 +0000 log_level=INFO, pid=15591, tid=Thread-5, file=thread_pool.py, func_name=_run, code_line_no=261 | Thread work_queue_size=0
2018-09-05 13:36:11,996 +0000 log_level=INFO, pid=15591, tid=Thread-5, file=ta_data_collector.py, func_name=index_data, code_line_no=119 | [input_name="CONTFW01_SmartDefense" data="smartdefense"] End of indexing data for CONTFW01_SmartDefense_smartdefense
2018-09-05 13:37:11,487 +0000 log_level=INFO, pid=15591, tid=Thread-2, file=scheduler.py, func_name=get_ready_jobs, code_line_no=100 | Get 2 ready jobs, next duration is 59.999463, and there are 2 jobs scheduling
2018-09-05 13:37:11,488 +0000 log_level=INFO, pid=15591, tid=Thread-6, file=ta_data_collector.py, func_name=index_data, code_line_no=102 | [input_name="CONTFW01_Firewall" data="fw"] Start indexing data for CONTFW01_Firewall_fw
2018-09-05 13:37:11,489 +0000 log_level=INFO, pid=15591, tid=Thread-6, file=ta_opseclea_data_collector.py, func_name=start_lea_loggrabber, code_line_no=337 | [input_name="CONTFW01_Firewall" connection="CONTFW01" data="fw"] Starting /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/../bin/lea_loggrabber --data fw --debug_level 2 --appname Splunk_TA_checkpoint-opseclea --lea_server_ip 172.18.0.1 --lea_server_auth_port 18184 --lea_server_auth_type ssl_opsec --opsec_sslca_file /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/checpointfw.p12 --opsec_sic_name CN=ABF-SplunkLEA,O=CONTFW01.domain.local.erh35p --opsec_entity_sic_name CN=internal_ca,O=CONTFW01.domain.local.erh35p --filter product=VPN-1 & FireWall-1 --last_record_location 1528930800:11950265 --online --no_resolve
2018-09-05 13:37:11,492 +0000 log_level=INFO, pid=15591, tid=Thread-7, file=ta_data_collector.py, func_name=index_data, code_line_no=102 | [input_name="CONTFW01_SmartDefense" data="smartdefense"] Start indexing data for CONTFW01_SmartDefense_smartdefense
Found the answer to our problem.
The lea_loggrabber was having a segmentation crash. It turned out the problem was due to the hostname not being listed in the hosts file.
Adding it solved the issue.
I'm using R80.10 Checkpoint Management and I have no data coming from the Checkpoint Management. May I know which file needs to be changed? "hostname not being listed in the hosts file."
2019-04-02 09:29:44,915 +0000 log_level=INFO, pid=27948, tid=Thread-7, file=ta_opseclea_data_collector.py, func_name=get_contents, code_line_no=392 | [input_name="tfnsw-fw-logs" connection="SplunkLEA-Cisco" data="fw"] Successfully indexed events: 0
2019-04-02 09:29:44,915 +0000 log_level=INFO, pid=27948, tid=Thread-13597, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="tfnsw-fw-audit-logs" connection="SplunkLEA-Cisco" data="audit"] :opsec_sslca_file ("/opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/SplunkLEA-Cisco_2473663670.p12")
2019-04-02 09:29:44,915 +0000 log_level=INFO, pid=27948, tid=Thread-13599, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="tfnsw-fw-logs" connection="SplunkLEA-Cisco" data="fw"] :auth_type (sslca)
2019-04-02 09:29:44,915 +0000 log_level=INFO, pid=27948, tid=Thread-13597, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="tfnsw-fw-audit-logs" connection="SplunkLEA-Cisco" data="audit"] :opsec_sic_name ("CN=,O=")
2019-04-02 09:29:44,915 +0000 log_level=INFO, pid=27948, tid=Thread-13599, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="tfnsw-fw-logs" connection="SplunkLEA-Cisco" data="fw"] :auth_port (18184)
@Jammular Please post a new question describing your problem.
Thanks, this answer helped me a lot. I am just trying to understand what type of segmentation crash it was?
Having exactly the same issue here. Did you just put a host stanza in your input?
Not exactly. You need to update your hosts file with exactly the same FQDN as your Splunk LEA uses.
You should see something like this in your lea_loggrabber logs:
resolver_getaddrinfo_list: name=XXXXXXXXXXXXXXX, pref=0
Just check if this is the same in /etc/hosts, else add the same.
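The check described in the answer above, as an added example that is not code from the thread or from the Splunk add-on: it pulls every name from the lea_loggrabber "resolver_getaddrinfo_list: name=..." lines and reports which ones have no entry in a hosts file. The log and hosts contents in the demo are constructed, and the function takes the file paths as arguments so it can be pointed at the real log and /etc/hosts.

```shell
#!/bin/sh
# Added example (not from the thread or the add-on). Verifies that every hostname
# lea_loggrabber tried to resolve has an entry in a hosts file, which is the
# condition the accepted answer identifies as the cause of the segmentation crash.

# missing_hosts LOGFILE HOSTSFILE
#   Prints each resolver name from LOGFILE that has no entry in HOSTSFILE.
#   Exit status 0 when all names are present, 1 when at least one is missing.
missing_hosts() {
    log=$1; hosts=$2; rc=0
    # extract the name= value of every resolver line, lowercase and de-duplicate it
    names=$(sed -n 's/.*resolver_getaddrinfo_list: name=\([^,[:space:]]*\).*/\1/p' "$log" \
            | tr '[:upper:]' '[:lower:]' | sort -u)
    for name in $names; do
        # drop comments, then look for the name in any hostname/alias column (field 2+)
        if ! sed 's/#.*//' "$hosts" | awk -v want="$name" '
                { for (i = 2; i <= NF; i++) if (tolower($i) == want) found = 1 }
                END { exit found ? 0 : 1 }'; then
            echo "$name"; rc=1
        fi
    done
    return $rc
}

# demo: constructed sample log (two resolver lines shaped like the one quoted in the
# answer) and a constructed hosts file that lists only one of the two names.
# Prints the missing name and returns 1.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/lea_loggrabber.log" <<'EOF'
resolver_getaddrinfo_list: name=contfw01.domain.local, pref=0
resolver_getaddrinfo_list: name=SPLUNKLEA01.domain.local, pref=0
EOF
    cat > "$dir/hosts" <<'EOF'
127.0.0.1   localhost
10.0.0.5    splunklea01.domain.local splunklea01   # constructed collector entry
EOF
    missing_hosts "$dir/lea_loggrabber.log" "$dir/hosts" && r=0 || r=$?
    rm -rf "$dir"
    return $r
}

if demo; then
    echo "all resolver names have a hosts entry"
else
    echo "the names above are missing from the hosts file; add them with the same FQDN"
fi
```

Against a real system, run `missing_hosts /path/to/lea_loggrabber.log /etc/hosts` and add any printed FQDN to /etc/hosts.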
Fantastic! Thanks! I was stuck here for days!