Splunk Add-on for Check Point OPSEC LEA "ERROR: unable to get splunk lea config arguments(get_fw1_logfiles)"

mfamagnus
Engager

Hi!

This works:

./lea-loggrabber-debug.sh  --configentity CP

This does not:

./lea-loggrabber.sh --configentity CP

Message:

ERROR: unable to get splunk lea config arguments(get_fw1_logfiles)

In the Splunk GUI the "last connection" state never shows anything other than Never Connected.

This is running on a minimal CentOS 7 host with indexer clustering.

Here is the opsec.conf file:

[CP]
fw_version = 77
is_disabled = 0
lea_server_auth_port = 18184
lea_server_auth_type = sslca
lea_server_ip = 10.10.102.12
mode = fw
online_mode = 1
#some parts are left out here, I know they work though. 

opsec.log:

2015-10-17 21:58:09,963 [INFO] [<string>] remoteRequestHandler: params: {'output_mode': u'json', '': u'servicesNS/admin/Splunk_TA_opseclea_linux22/configs/conf-inputs/script:///opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity MFACP', '_': u'1445111873118', 'targetHost': u'localhost'}
2015-10-17 21:58:09,963 [INFO] [<string>] remoteRequestHandler: qs: output_mode=json&targetHost=localhost&_=1445111873118
2015-10-17 21:58:09,963 [INFO] [<string>] remoteRequestHandler: qs: output_mode=json&targetHost=localhost&_=1445111873118
2015-10-17 21:58:09,963 [INFO] [<string>] query arg:output_mode
2015-10-17 21:58:09,963 [INFO] [<string>] query arg:_
2015-10-17 21:58:09,963 [INFO] [<string>] query arg:targetHost
2015-10-17 21:58:09,963 [INFO] [<string>] query args dict: {'output_mode': 'json', 'targetHost': 'localhost'}
2015-10-17 21:58:09,963 [INFO] [<string>] remote_request: no_cache: False
2015-10-17 21:58:09,964 [INFO] [<string>] remote_request: qs: {'output_mode': 'json', 'targetHost': 'localhost'}
2015-10-17 21:58:09,964 [INFO] [<string>] remote_request: postargs: None
2015-10-17 21:58:09,964 [INFO] [<string>] remote: fetch all uri: /servicesNS/admin/Splunk_TA_opseclea_linux22/configs/conf-inputs/script%3A%252F%252F%252Fopt%252Fsplunk%252Fetc%252Fapps%252FSplunk_TA_opseclea_linux22%252Fbin%252Flea-loggrabber.sh%20--configentity%20MFACP?output_mode=json&count=0&sort_mode=natural&offset=0
2015-10-17 21:58:09,964 [INFO] [<string>] remote_request: targetHost: localhost
2015-10-17 21:58:09,964 [INFO] [<string>] Requesting from peers: ['localhost']
2015-10-17 21:58:09,964 [INFO] [cached.py] cache key: ('eAfSfXA3274WMz^C_ARN8w224QnRKJmTx5A2sjhXLfboyNtCMeNfEFHS^x49BIvpllQsi_uCyx0hTLNKqkQAZ2CTbm25LCiWuS5XpM5iPsDxqq5Ns6ivYM_AXe21LFIc6gZXY8L', ('/servicesNS/admin/Splunk_TA_opseclea_linux22/configs/conf-inputs/script%3A%252F%252F%252Fopt%252Fsplunk%252Fetc%252Fapps%252FSplunk_TA_opseclea_linux22%252Fbin%252Flea-loggrabber.sh%20--configentity%20MFACP?output_mode=json&count=0&sort_mode=natural&offset=0', 'localhost', True))
2015-10-17 21:58:09,964 [INFO] [cached.py] caching data (cache miss)
2015-10-17 21:58:09,964 [INFO] [peer.py] peer: uri: /servicesNS/admin/Splunk_TA_opseclea_linux22/configs/conf-inputs/script%3A%252F%252F%252Fopt%252Fsplunk%252Fetc%252Fapps%252FSplunk_TA_opseclea_linux22%252Fbin%252Flea-loggrabber.sh%20--configentity%20MFACP?output_mode=json&count=0&sort_mode=natural&offset=0
2015-10-17 21:58:09,964 [INFO] [peer.py] peer: postargs: None
2015-10-17 21:58:09,964 [INFO] [peer.py] peer: body: None
2015-10-17 21:58:09,964 [INFO] [peer.py] peer: method: GET
2015-10-17 21:58:09,970 [INFO] [peer.py] peer: nEntries: 1
2015-10-17 21:58:09,971 [INFO] [<string>] sort params {'output_mode': 'json'}
2015-10-17 21:58:09,971 [INFO] [<string>] sorting by name
2015-10-17 21:58:09,971 [INFO] [<string>] 1 entries
2015-10-17 21:58:09,971 [INFO] [<string>] start: 0, end: 30
2015-10-17 21:58:09,979 [INFO] [<string>] remoteRequestHandler: params: {'output_mode': u'json', 'host': u'osludfw01', 'passAuth': u'splunk-system-user', 'index': u'CP', '': u'servicesNS/admin/Splunk_TA_opseclea_linux22/configs/conf-inputs/script:///opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity MFACP', 'interval': u'30', 'sourcetype': u'opsec', 'disabled': u'1', 'targetHost': u'localhost'}
2015-10-17 21:58:09,980 [INFO] [<string>] remoteRequestHandler: qs:
2015-10-17 21:58:09,980 [INFO] [<string>] remote_request: no_cache: False
2015-10-17 21:58:09,980 [INFO] [<string>] remote_request: qs: {'output_mode': 'json'}
2015-10-17 21:58:09,980 [INFO] [<string>] remote_request: postargs: {'host': 'osludfw01', 'passAuth': 'splunk-system-user', 'index': 'CP', 'interval': '30', 'sourcetype': 'opsec', 'disabled': '1', 'targetHost': 'localhost'}
2015-10-17 21:58:09,980 [INFO] [<string>] remote: fetch all uri: /servicesNS/admin/Splunk_TA_opseclea_linux22/configs/conf-inputs/script%3A%252F%252F%252Fopt%252Fsplunk%252Fetc%252Fapps%252FSplunk_TA_opseclea_linux22%252Fbin%252Flea-loggrabber.sh%20--configentity%20MFACP?output_mode=json&count=0&sort_mode=natural&offset=0
2015-10-17 21:58:09,980 [INFO] [<string>] remote_request: targetHost: localhost
2015-10-17 21:58:09,980 [INFO] [<string>] Requesting from peers: ['localhost']
2015-10-17 21:58:09,980 [INFO] [<string>] flush cache
2015-10-17 21:58:09,980 [INFO] [peer.py] flushPeer: localhost
2015-10-17 21:58:09,980 [INFO] [peer.py] done flushing peer
2015-10-17 21:58:09,980 [INFO] [cached.py] Not using cache
2015-10-17 21:58:09,981 [INFO] [peer.py] peer: uri: /servicesNS/admin/Splunk_TA_opseclea_linux22/configs/conf-inputs/script%3A%252F%252F%252Fopt%252Fsplunk%252Fetc%252Fapps%252FSplunk_TA_opseclea_linux22%252Fbin%252Flea-loggrabber.sh%20--configentity%20MFACP?output_mode=json&count=0&sort_mode=natural&offset=0
2015-10-17 21:58:09,981 [INFO] [peer.py] peer: postargs: {'host': 'osludfw01', 'interval': '30', 'passAuth': 'splunk-system-user', 'index': 'CP', 'sourcetype': 'opsec', 'disabled': '1'}
2015-10-17 21:58:09,981 [INFO] [peer.py] peer: body: None
2015-10-17 21:58:09,981 [INFO] [peer.py] peer: method: POST
2015-10-17 21:58:09,988 [INFO] [peer.py] peer: nEntries: 1
2015-10-17 21:58:09,998 [INFO] [<string>] remoteRequestHandler: params: {'output_mode': u'json', '': u'servicesNS/admin/Splunk_TA_opseclea_linux22/data/inputs/script/_reload', 'targetHost': u'localhost'}
2015-10-17 21:58:09,998 [INFO] [<string>] remoteRequestHandler: qs:
2015-10-17 21:58:09,998 [INFO] [<string>] remote_request: no_cache: False
2015-10-17 21:58:09,998 [INFO] [<string>] remote_request: qs: {'output_mode': 'json'}
2015-10-17 21:58:09,998 [INFO] [<string>] remote_request: postargs: {'targetHost': 'localhost'}
2015-10-17 21:58:09,998 [INFO] [<string>] remote: fetch all uri: /servicesNS/admin/Splunk_TA_opseclea_linux22/data/inputs/script/_reload?output_mode=json&count=0&sort_mode=natural&offset=0
2015-10-17 21:58:09,998 [INFO] [<string>] remote_request: targetHost: localhost
2015-10-17 21:58:09,998 [INFO] [<string>] Requesting from peers: ['localhost']
2015-10-17 21:58:09,999 [INFO] [<string>] flush cache
2015-10-17 21:58:09,999 [INFO] [peer.py] flushPeer: localhost
2015-10-17 21:58:09,999 [INFO] [peer.py] done flushing peer
2015-10-17 21:58:09,999 [INFO] [cached.py] Not using cache
2015-10-17 21:58:09,999 [INFO] [peer.py] peer: uri: /servicesNS/admin/Splunk_TA_opseclea_linux22/data/inputs/script/_reload?output_mode=json&count=0&sort_mode=natural&offset=0
2015-10-17 21:58:09,999 [INFO] [peer.py] peer: postargs: {}
2015-10-17 21:58:09,999 [INFO] [peer.py] peer: body: None
2015-10-17 21:58:09,999 [INFO] [peer.py] peer: method: POST
2015-10-17 21:58:10,011 [INFO] [peer.py] peer: nEntries: 0
2015-10-17 21:58:10,011 [INFO] [<string>] 0 entries
2015-10-17 21:58:10,011 [INFO] [<string>] start: 0, end: 30
2015-10-17 21:58:10,529 [INFO] [<string>] remoteRequestHandler: params: {'output_mode': u'json', 'count': u'-1', '_': u'1445111890178', '': u'servicesNS/admin/Splunk_TA_opseclea_linux22/opsec/getScriptedInputPath'}
2015-10-17 21:58:10,530 [INFO] [<string>] remoteRequestHandler: qs: output_mode=json&count=-1&_=1445111890178
2015-10-17 21:58:10,530 [INFO] [<string>] remoteRequestHandler: qs: output_mode=json&count=-1&_=1445111890178
2015-10-17 21:58:10,530 [INFO] [<string>] query arg:output_mode
2015-10-17 21:58:10,530 [INFO] [<string>] query arg:count
2015-10-17 21:58:10,530 [INFO] [<string>] query arg:_
2015-10-17 21:58:10,530 [INFO] [<string>] query args dict: {'output_mode': 'json', 'count': '-1'}
2015-10-17 21:58:10,530 [INFO] [<string>] remote_request: no_cache: False
2015-10-17 21:58:10,530 [INFO] [<string>] remote_request: qs: {'output_mode': 'json', 'count': '-1'}
2015-10-17 21:58:10,530 [INFO] [<string>] remote_request: postargs: None
2015-10-17 21:58:10,530 [INFO] [<string>] remote: fetch all uri: /servicesNS/admin/Splunk_TA_opseclea_linux22/opsec/getScriptedInputPath?output_mode=json&count=0&sort_mode=natural&offset=0
2015-10-17 21:58:10,539 [INFO] [<string>] Requesting from peers: ['localhost']
2015-10-17 21:58:10,540 [INFO] [cached.py] cache key: ('eAfSfXA3274WMz^C_ARN8w224QnRKJmTx5A2sjhXLfboyNtCMeNfEFHS^x49BIvpllQsi_uCyx0hTLNKqkQAZ2CTbm25LCiWuS5XpM5iPsDxqq5Ns6ivYM_AXe21LFIc6gZXY8L', ('/servicesNS/admin/Splunk_TA_opseclea_linux22/opsec/getScriptedInputPath?output_mode=json&count=0&sort_mode=natural&offset=0', 'localhost', True))
2015-10-17 21:58:10,540 [INFO] [cached.py] caching data (cache miss)
2015-10-17 21:58:10,540 [INFO] [peer.py] peer: uri: /servicesNS/admin/Splunk_TA_opseclea_linux22/opsec/getScriptedInputPath?output_mode=json&count=0&sort_mode=natural&offset=0
2015-10-17 21:58:10,540 [INFO] [peer.py] peer: postargs: None
2015-10-17 21:58:10,540 [INFO] [peer.py] peer: body: None
2015-10-17 21:58:10,540 [INFO] [peer.py] peer: method: GET
2015-10-17 21:58:10,707 [INFO] [peer.py] peer: nEntries: 1
2015-10-17 21:58:10,708 [INFO] [<string>] sort params {'output_mode': 'json', 'count': '-1'}
2015-10-17 21:58:10,708 [INFO] [<string>] sorting by name
2015-10-17 21:58:10,708 [INFO] [<string>] 1 entries
2015-10-17 21:58:10,708 [INFO] [<string>] start: 0, end: -1
2015-10-17 21:58:10,708 [INFO] [<string>] cannot paginate this endpoint
2015-10-17 21:58:10,806 [INFO] [<string>] remoteRequestHandler: params: {'output_mode': u'json', 'count': u'-1', '_': u'1445111890198', 'search': u'name=*configentity*', '': u'servicesNS/admin/Splunk_TA_opseclea_linux22/configs/conf-inputs'}
2015-10-17 21:58:10,806 [INFO] [<string>] remoteRequestHandler: qs: output_mode=json&count=-1&search=name%3D*configentity*&_=1445111890198
2015-10-17 21:58:10,806 [INFO] [<string>] remoteRequestHandler: qs: output_mode=json&count=-1&search=name%3D*configentity*&_=1445111890198
2015-10-17 21:58:10,806 [INFO] [<string>] query arg:output_mode
2015-10-17 21:58:10,807 [INFO] [<string>] query arg:count
2015-10-17 21:58:10,807 [INFO] [<string>] query arg:_
2015-10-17 21:58:10,807 [INFO] [<string>] query arg:search
2015-10-17 21:58:10,807 [INFO] [<string>] query args dict: {'output_mode': 'json', 'count': '-1', 'search': 'name=*configentity*'}

olanandkate
Engager

I'm working with Splunk support right now to figure this out. I will let you know what I figure out.

jcoates_splunk
Splunk Employee

If the add-on can't get configuration from the Splunk server, that's highly likely to be permissions or timeout, with name resolution as a distant third. If you can rule those three out, it might be worth a support ticket.

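One way to work through the three causes named in this reply (permissions, timeout, name resolution), plus a fourth check that the entity passed to `--configentity` actually exists in opsec.conf, as an added example. This is not the add-on's own code and not how lea-loggrabber.sh fetches its arguments. The endpoint path and the encoded input name are taken from the opsec.log excerpt in the question (note the log shows the scripted input registered with `--configentity MFACP`, while the stanza posted is `[CP]`); the management URL, the session key, the sample stanza text and the stub opener are assumptions so the script runs offline.

```python
"""Added diagnostic for 'unable to get splunk lea config arguments'.

Not part of Splunk_TA_opseclea_linux22. Separates permissions, timeout and
name resolution, and checks that --configentity names a real opsec.conf stanza.
Assumed: management URL, session key, the stanza text below, the stub opener.
"""
import configparser
import socket
import urllib.error
import urllib.parse
import urllib.request

# Constructed copy of the [CP] stanza from the question; the elided lines stay out.
SAMPLE_OPSEC_CONF = """\
[CP]
fw_version = 77
is_disabled = 0
lea_server_auth_port = 18184
lea_server_auth_type = sslca
lea_server_ip = 10.10.102.12
mode = fw
online_mode = 1
"""

# Keys the grabber needs before it can open an LEA session (assumed minimum set).
REQUIRED_KEYS = ("lea_server_ip", "lea_server_auth_port", "lea_server_auth_type", "mode")

# Scripted-input stanza name exactly as it appears (decoded) in the opsec.log excerpt.
INPUT_NAME = ("script:///opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/"
              "lea-loggrabber.sh --configentity MFACP")


def configentity_of(input_name: str) -> str:
    """Pull the --configentity value out of a scripted-input stanza name."""
    parts = input_name.split()
    return parts[parts.index("--configentity") + 1]


def check_stanza(conf_text: str, configentity: str) -> list:
    """Problems with the opsec.conf stanza the input points at ([] means fine)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if configentity not in cp:
        return [f"no [{configentity}] stanza in opsec.conf (have: {cp.sections()})"]
    s = cp[configentity]
    problems = [f"missing {k}" for k in REQUIRED_KEYS if k not in s]
    if "lea_server_auth_port" in s and not s["lea_server_auth_port"].isdigit():
        problems.append("lea_server_auth_port is not numeric")
    if s.get("is_disabled", "0") != "0":
        problems.append("stanza has is_disabled != 0")
    return problems


def config_url(mgmt_base: str, app: str, input_name: str) -> str:
    """REST URL of the input's inputs.conf entry, encoded as the log shows it:
    Splunk requires '/' inside an entity name to arrive as %252F."""
    name = urllib.parse.quote(input_name.replace("/", "%2F"), safe="")
    return f"{mgmt_base}/servicesNS/admin/{app}/configs/conf-inputs/{name}?output_mode=json"


def check_resolution(host: str) -> bool:
    """Name-resolution check for the management host (targetHost in the log)."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def classify_config_fetch(url: str, session_key: str, timeout: float,
                          opener=urllib.request.urlopen) -> str:
    """GET the config endpoint with an explicit timeout and name the failure class.
    `opener` is injectable so the logic runs without a live splunkd."""
    req = urllib.request.Request(url, headers={"Authorization": f"Splunk {session_key}"})
    try:
        with opener(req, timeout=timeout) as resp:
            return "ok" if resp.status == 200 else f"unexpected HTTP {resp.status}"
    except urllib.error.HTTPError as e:
        if e.code in (401, 403):
            return "permissions: splunkd rejected the session key or role"
        return f"unexpected HTTP {e.code}"
    except urllib.error.URLError as e:
        if isinstance(e.reason, socket.timeout):
            return "timeout: no answer from splunkd within %.1fs" % timeout
        if isinstance(e.reason, socket.gaierror):
            return "name resolution: management host does not resolve"
        return f"connection error: {e.reason}"
    except socket.timeout:  # read timeout is raised bare, not wrapped in URLError
        return "timeout: no answer from splunkd within %.1fs" % timeout


def fake_opener(outcome):
    """Stand-in for urlopen: raise `outcome` if it is an exception, else answer 200."""
    class _Resp:
        status = 200
        def __enter__(self): return self
        def __exit__(self, *exc): return False
    def _open(req, timeout):
        if isinstance(outcome, BaseException):
            raise outcome
        return _Resp()
    return _open


if __name__ == "__main__":
    entity = configentity_of(INPUT_NAME)  # 'MFACP' in the posted log
    print("stanza problems:", check_stanza(SAMPLE_OPSEC_CONF, entity))
    print("localhost resolves:", check_resolution("localhost"))
    url = config_url("https://localhost:8089", "Splunk_TA_opseclea_linux22", INPUT_NAME)
    for label, outcome in [("403", urllib.error.HTTPError(url, 403, "Forbidden", {}, None)),
                           ("timeout", urllib.error.URLError(socket.timeout())),
                           ("dns", urllib.error.URLError(socket.gaierror()))]:
        print(label, "->", classify_config_fetch(url, "SESSION_KEY", 5.0, fake_opener(outcome)))
```

Against a real splunkd, pass `opener=urllib.request.urlopen` (the default) and a session key obtained for the user the input runs as (`passAuth = splunk-system-user` in the log); a 401/403 points at role permissions on the add-on's config endpoint, a timeout at splunkd responsiveness, and a resolver error at the management host name. The stanza check is the one the thread itself hints at: the log's input name carries `MFACP`, but the stanza shown is `[CP]`.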
olanandkate
Engager

I'm in the same boat on this one. The interesting thing is that using the debug version of the lea-loggrabber, it connects fine and I can see events that it is pulling. But when I try to run the normal version of lea-loggrabber, it gives me that specific error you were getting:
ERROR: unable to get splunk lea config arguments(get_fw1_logfiles)
I've been unable to figure out what the difference is between the debug version and the normal version that would cause this.

o_calmels
Communicator

Hi, have you found a solution? I got exactly the same error.
Thanks.

Olivier.

neelamsantosh
Path Finder

How did you resolve the issue?
