All Apps and Add-ons

Splunk Check Point LEA OPSEC error : Fatal error: glibc detected an invalid stdio handle

arrowecssupport
Communicator
    ./pull-cert.sh: line 7:  4740 Aborted                 (core dumped) $cmd
    root@LabSplunk:/opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin# ./pull-cert.sh 192.168.0.1 SplunkLEA passwd labfirewall.p12

    Fatal error: glibc detected an invalid stdio handle
    ./pull-cert.sh: line 7:  4771 Aborted                 (core dumped) 

$cmd
0 Karma
1 Solution

selim
Path Finder

I had the exact same issue and it turns out that OPSEC side started to use sha256 and updated its SDK. I downloaded http://supportcontent.checkpoint.com/file_download?id=50832 and replaced $SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/bin/opsec-tools binaries with these new ones. That seems to do the trick.

View solution in original post

junedec21
New Member

Any resolution steps ?

0 Karma

jfeitosa_real
Path Finder

In my case, I left OPSEC LEA and used the Checkpoint Log Exporter to send via syslog. It comes very complete also in OPSEC.

Thank you.

James \m/

0 Karma

jfeitosa_real
Path Finder

I have the same problem, I downloaded the SDK at http://supportcontent.checkpoint.com/file_download?id=50832 and replaced the $ SPLUNK_HOME / etc / apps / Splunk_TA_checkpoint-opseclea / bin / opsec-tools binaries.
Still the error 'REST ERROR [400]: Bad Request - Failed to fetch the certificate from server' appears.

Any idea how to solve it?

Thank You in Advance

James \m/

0 Karma

nedokpayi
Splunk Employee
Splunk Employee

Did you chmod +x the new opsec_pull_cert ?

0 Karma

mreynov_splunk
Splunk Employee
Splunk Employee

This is a known issue in the addon which stems from Checkpoint OPSEC SDK only working with 32-bit OS flavors: http://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Releasenotes

OPSEC SDK is no longer maintained and Checkpoint recommends Log Exporter instead (which is based on syslog integration and thus avoids OPSEC all together): https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

selim
Path Finder

I had the exact same issue and it turns out that OPSEC side started to use sha256 and updated its SDK. I downloaded http://supportcontent.checkpoint.com/file_download?id=50832 and replaced $SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/bin/opsec-tools binaries with these new ones. That seems to do the trick.

dgrotenb
Explorer

This method worked and allows patching to the latest glibc.
I recommend the solution provided by selim.

0 Karma

mlogendra_splun
Splunk Employee
Splunk Employee

This worked for me. Thank you

0 Karma

selim
Path Finder

Quick update: with this approach I was able to bypass opsec_pull_cert issue; however, we failed to collect any logs and received following errors:

ERROR: Session end reason: SIC ERROR 147 - SIC Error for lea: Authentication error

This may be an issue with either entity_sic_name and/or password. Password worked before and we double checked it. We also checked with checkpoint admins and tried pretty much all possible combinations for various opsec_entity_sic_name entries within the opseclea_connection.conf file. So far no luck 😞

0 Karma

dgrotenb
Explorer

Downgrading glibc to 2.17-196 worked.
There appears to be an issue with the Checkpoint App and glibc version 2.17-222.

yum downgrade glibc glibc-common

kalaiarasu
Explorer

Hi dgrotenb, what is the command to downgrade in Centos 7, i'm getting this:

yum downgrade glibc glibc-common
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.mirror.myduniahost.com
* extras: centos.mirror.myduniahost.com
* updates: centos.mirror.myduniahost.com
Nothing to do

dgrotenb
Explorer

did you run "yum clean all"

Also you may have needed to have a previous version installed for this to work. Worse case you can manually download the 2.17-196 versions use rpm -ivh --force on those rpms to force install them. Not recommended, but an option if nothing else works.

0 Karma

dgrotenb
Explorer

Seeing this error too.

0 Karma

arrowecssupport
Communicator

Any idea why i'm getting this error?

0 Karma

socespap
Explorer

Hi,

I have the same problem, I have splunk version 7.1.3 and Add-On 4.3.1 and the problem persists. Any idea how to circumvent this issue?

via CLI the error is
[root@splunk bin]# ./pull-cert.sh --help
Fatal error: glibc detected an invalid stdio handle
./pull-cert.sh: line 7: 15906 Aborted $cmd
[root@splunk bin]#

Also verified that pam and glibc are running on the last versions
[root@splunk ~]# yum install glibc.i686
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.mirror.ptisp.pt
* extras: centos.mirror.ptisp.pt
* updates: centos.mirror.ptisp.pt
Package glibc-2.17-222.el7.i686 already installed and latest version
Nothing to do
[root@splunk ~]# yum install pam.i686
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.mirror.ptisp.pt
* extras: centos.mirror.ptisp.pt
* updates: centos.mirror.ptisp.pt
Package pam-1.1.8-22.el7.i686 already installed and latest version
Nothing to do
[root@splunk ~]#

0 Karma

dgrotenb
Explorer

I am seeing this issue too.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...