./pull-cert.sh: line 7: 4740 Aborted (core dumped) $cmd
root@LabSplunk:/opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin# ./pull-cert.sh 192.168.0.1 SplunkLEA passwd labfirewall.p12
Fatal error: glibc detected an invalid stdio handle
./pull-cert.sh: line 7: 4771 Aborted (core dumped) $cmd
Any resolution steps?
In my case, I left OPSEC LEA and used the Checkpoint Log Exporter to send via syslog. It comes very complete also in OPSEC.
Thank you.
James \m/
I have the same problem, I downloaded the SDK at http://supportcontent.checkpoint.com/file_download?id=50832 and replaced the $SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/bin/opsec-tools binaries.
Still the error 'REST ERROR [400]: Bad Request - Failed to fetch the certificate from server' appears.
Any idea how to solve it?
Thank You in Advance
James \m/
Did you chmod +x the new opsec_pull_cert?
This is a known issue in the addon which stems from Checkpoint OPSEC SDK only working with 32-bit OS flavors: http://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Releasenotes
OPSEC SDK is no longer maintained and Checkpoint recommends Log Exporter instead (which is based on syslog integration and thus avoids OPSEC altogether): https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
I had the exact same issue and it turns out that OPSEC side started to use sha256 and updated its SDK. I downloaded http://supportcontent.checkpoint.com/file_download?id=50832 and replaced $SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/bin/opsec-tools binaries with these new ones. That seems to do the trick.
This method worked and allows patching to the latest glibc.
I recommend the solution provided by selim.
This worked for me. Thank you
Quick update: with this approach I was able to bypass the opsec_pull_cert issue; however, we failed to collect any logs and received the following errors:
ERROR: Session end reason: SIC ERROR 147 - SIC Error for lea: Authentication error
This may be an issue with either entity_sic_name and/or password. Password worked before and we double checked it. We also checked with checkpoint admins and tried pretty much all possible combinations for various opsec_entity_sic_name entries within the opseclea_connection.conf file. So far no luck 😞
Downgrading glibc to 2.17-196 worked.
There appears to be an issue with the Checkpoint App and glibc version 2.17-222.
yum downgrade glibc glibc-common
Hi dgrotenb, what is the command to downgrade in CentOS 7? I'm getting this:
yum downgrade glibc glibc-common
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.mirror.myduniahost.com
* extras: centos.mirror.myduniahost.com
* updates: centos.mirror.myduniahost.com
Nothing to do
Did you run "yum clean all"?
Also you may have needed to have a previous version installed for this to work. Worst case, you can manually download the 2.17-196 versions and use rpm -ivh --force on those rpms to force install them. Not recommended, but an option if nothing else works.
Seeing this error too.
Any idea why I'm getting this error?
Hi,
I have the same problem. I have Splunk version 7.1.3 and Add-On 4.3.1 and the problem persists. Any idea how to circumvent this issue?
Via CLI the error is:
[root@splunk bin]# ./pull-cert.sh --help
Fatal error: glibc detected an invalid stdio handle
./pull-cert.sh: line 7: 15906 Aborted $cmd
[root@splunk bin]#
Also verified that pam and glibc are running on the last versions:
[root@splunk ~]# yum install glibc.i686
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.mirror.ptisp.pt
* extras: centos.mirror.ptisp.pt
* updates: centos.mirror.ptisp.pt
Package glibc-2.17-222.el7.i686 already installed and latest version
Nothing to do
[root@splunk ~]# yum install pam.i686
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.mirror.ptisp.pt
* extras: centos.mirror.ptisp.pt
* updates: centos.mirror.ptisp.pt
Package pam-1.1.8-22.el7.i686 already installed and latest version
Nothing to do
[root@splunk ~]#
I am seeing this issue too.
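The checks the replies above ask for (exec bit on the replaced opsec_pull_cert, 32-bit binary needing the i686 libraries, installed glibc release) can be gathered in one pass. This is an added triage sketch, not code from any poster or from the Splunk add-on; the script name `triage.sh` and the functions `elf_class`, `glibc_status` and `triage` are hypothetical, and the glibc verdicts only restate what posters in this thread reported for 2.17-196 and 2.17-222.

```shell
#!/bin/sh
# Added triage helper, not code from the thread. Function names are hypothetical.

# elf_class FILE: print 32, 64 or not-elf from the first five header bytes
# (magic 7f 45 4c 46, then EI_CLASS: 01 = 32-bit, 02 = 64-bit).
elf_class() (
    hdr=$(od -An -tx1 -N5 "$1" 2>/dev/null | tr -d ' \n')
    case "$hdr" in
        7f454c4601) echo 32 ;;
        7f454c4602) echo 64 ;;
        *)          echo not-elf ;;
    esac
)

# glibc_status NVRA: map a package string to what posters in the thread reported.
glibc_status() (
    case "$1" in
        glibc-2.17-196.*) echo reported-working ;;
        glibc-2.17-222.*) echo reported-crashing ;;
        *)                echo unreported ;;
    esac
)

# triage TOOL [NVRA]: print findings; exit status is the number of problems.
# NVRA defaults to the installed 32-bit glibc as reported by rpm.
triage() (
    tool=$1
    nvra=${2:-$(rpm -q glibc.i686 2>/dev/null || true)}
    problems=0
    if [ ! -x "$tool" ]; then
        echo "exec-bit: not set on $tool (chmod +x)"
        problems=$((problems + 1))
    fi
    class=$(elf_class "$tool")
    echo "elf-class: $class"
    if [ "$class" = 32 ]; then echo "needs: glibc.i686 and pam.i686"; fi
    verdict=$(glibc_status "$nvra")
    echo "glibc: ${nvra:-not found} ($verdict)"
    if [ "$verdict" = reported-crashing ]; then problems=$((problems + 1)); fi
    exit "$problems"
)

# Run as: ./triage.sh /path/to/opsec_pull_cert
if [ "$#" -gt 0 ]; then triage "$@"; fi
```

An exit status of 0 means none of the conditions raised in the thread were found; it does not cover the later SIC authentication error, which is a configuration matter rather than a binary or library one.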