Why Splunk Add-on for Check Point OPSEC LEA is not collecting any firewall logs?

Contributor

Hello everyone,

I am using the Splunk Add-on for Check Point OPSEC LEA on a Linux HF to collect the Check Point firewall logs. I have established the connection and configured inputs (firewall events and firewall audit logs). There were no internal errors or issues while establishing the connection and configuring the inputs, but I am still not receiving any logs.
I checked splunk_ta_checkpoint-opseclea_modinput.log and splunk_ta_checkpoint-opseclea_ucclib.log to look for any errors. There is also network connectivity between the firewall device and my HF.

If anyone has faced such an issue, kindly help me if I am missing something.

Thank you!


SplunkTrust

Is this a standalone or distributed Check Point environment? (e.g., is there a dedicated management server, or do the management server and the firewall exist on the same server/appliance?)

Do you have an explicit firewall rule to allow the Splunk forwarder to communicate with your management server on the FW1_lea service? If you were able to pull the certificate successfully, that would confirm that FW1_ica_pull is allowed at least. If you make any modifications to these rules you'll need to either install the database to the management server, install policy to the firewall, or both (depending on the communication path and type of Check Point environment).


Contributor

I am able to pull the certificate successfully. The management server IP and the log server IP are different. Also, I have an explicit firewall rule to allow the Splunk forwarder to communicate with the management server on the FW1_lea service.


Contributor

Hi, I am getting the below error now.

    2019-02-07 06:56:53,772 +0000 log_level=INFO, pid=8708, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8736 156715136]@xxxxxxxx[7 Feb  7:56:53] rand_add_seedfile: Failed to create mutex.: Permission denied
    2019-02-07 06:56:53,785 +0000 log_level=INFO, pid=8708, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8739 161634432]@xxxxxxxx[7 Feb  7:56:53] rand_add_external_source: Failed to create mutex.: Permission denied
    2019-02-07 06:56:53,785 +0000 log_level=INFO, pid=8708, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8739 161634432]@xxxxxxxx[7 Feb  7:56:53] rand_add_seedfile: Failed to create mutex.: Permission denied
    2019-02-07 06:56:55,569 +0000 log_level=INFO, pid=8708, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8736 156715136]@xxxxxxxx[7 Feb  7:56:55] file_open_and_init: failed to create file: Permission denied
    2019-02-07 06:56:55,583 +0000 log_level=INFO, pid=8708, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8739 161634432]@xxxxxxxx[7 Feb  7:56:55] file_open_and_init: failed to create file: Permission denied
    2019-02-07 06:57:46,616 +0000 log_level=INFO, pid=8822, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8849 143599744]@xxxxxxxx[7 Feb  7:57:46] file_open_and_init: failed to create file: Permission denied
    2019-02-07 06:57:46,618 +0000 log_level=INFO, pid=8822, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8853 140867712]@xxxxxxxx[7 Feb  7:57:46] file_open_and_init: failed to create file: Permission denied
    2019-02-07 06:57:47,952 +0000 log_level=INFO, pid=8822, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8849 143599744]@xxxxxxxx[7 Feb  7:57:47] rand_add_external_source: Failed to create mutex.: Permission denied
    2019-02-07 06:57:47,952 +0000 log_level=INFO, pid=8822, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8849 143599744]@xxxxxxxx[7 Feb  7:57:47] rand_add_seedfile: Failed to create mutex.: Permission denied
    2019-02-07 06:57:47,972 +0000 log_level=INFO, pid=8822, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8853 140867712]@xxxxxxxx[7 Feb  7:57:47] rand_add_external_source: Failed to create mutex.: Permission denied
    2019-02-07 06:57:47,973 +0000 log_level=INFO, pid=8822, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8853 140867712]@xxxxxxxx[7 Feb  7:57:47] rand_add_seedfile: Failed to create mutex.: Permission denied
    2019-02-07 06:57:49,890 +0000 log_level=INFO, pid=8822, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8853 140867712]@xxxxxxxx[7 Feb  7:57:49] file_open_and_init: failed to create file: Permission denied
    2019-02-07 06:57:49,971 +0000 log_level=INFO, pid=8822, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8849 143599744]@xxxxxxxx[7 Feb  7:57:49] file_open_and_init: failed to create file: Permission denied


SplunkTrust

Looks like the 'user' running the process does not have the required permissions/privileges. Could you check that? Also, will this help? - https://www.giac.org/paper/gsna/154/auditing-check-point-secureplat-formng-apaplication-inteligence-...

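An added shell example (not from this thread, from Splunk or from Check Point) that turns the answer above into two concrete checks: it groups the "Permission denied" lines of splunk_ta_checkpoint-opseclea_modinput.log by input name and by the OPSEC SDK call that failed (rand_add_seedfile / rand_add_external_source create a mutex, file_open_and_init creates a file), and it tests whether the account running the modular input can create files in a given directory. The sample log lines are constructed from the ones posted above; the add-on directory under SPLUNK_HOME and the /opt/splunk default are assumptions to replace with the path the SDK actually writes to on your HF.

```shell
#!/bin/sh
# Added example, not part of the thread or of the Splunk add-on.
# summarize_denials: group "Permission denied" entries by input_name and failing call.
# check_writable_dir: confirm the account running splunkd can create files in a directory.

# Constructed sample lines, modelled on the ones posted in the thread (host masked as xxxxxxxx).
# The last line is a non-error line, included to show that it is filtered out.
SAMPLE_LOG='2019-02-07 06:56:53,772 +0000 log_level=INFO, pid=8708, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8736 156715136]@xxxxxxxx[7 Feb  7:56:53] rand_add_seedfile: Failed to create mutex.: Permission denied
2019-02-07 06:56:53,785 +0000 log_level=INFO, pid=8708, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8739 161634432]@xxxxxxxx[7 Feb  7:56:53] rand_add_seedfile: Failed to create mutex.: Permission denied
2019-02-07 06:56:55,569 +0000 log_level=INFO, pid=8708, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8736 156715136]@xxxxxxxx[7 Feb  7:56:55] file_open_and_init: failed to create file: Permission denied
2019-02-07 06:56:55,583 +0000 log_level=INFO, pid=8708, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8739 161634432]@xxxxxxxx[7 Feb  7:56:55] file_open_and_init: failed to create file: Permission denied
2019-02-07 06:57:00,000 +0000 log_level=INFO, pid=8708, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"] constructed non-error line'

# Print "<count> <input_name>|<failing_call>" for every Permission denied line in $1.
# The sed pattern keys on the last "] " before the SDK function name, so it works
# for both the mutex and the file-creation failures seen in the thread.
summarize_denials() {
    printf '%s\n' "$1" \
      | grep 'Permission denied' \
      | sed -n 's/.*input_name="\([^"]*\)".*\] \([A-Za-z_]*\): .*Permission denied.*/\1|\2/p' \
      | sort | uniq -c | sort -rn
}

# Return 0 if the current account can create files in directory $1, 1 otherwise.
# Run this as the user that owns the splunkd process, not as root, or the answer is meaningless.
check_writable_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        printf 'MISSING  %s\n' "$dir"
        return 1
    fi
    if [ -w "$dir" ] && [ -x "$dir" ]; then
        printf 'WRITABLE %s (as %s)\n' "$dir" "$(id -un)"
        return 0
    fi
    printf 'DENIED   %s (as %s; owner %s)\n' "$dir" "$(id -un)" "$(ls -ld "$dir" | awk '{print $3}')"
    return 1
}

# With a log path as argument, triage the real log and test the add-on directory;
# otherwise demonstrate on the constructed sample.
if [ $# -ge 1 ]; then
    summarize_denials "$(cat "$1")"
    # Placeholder assumption: replace with the directory the OPSEC SDK writes into on your HF.
    check_writable_dir "${SPLUNK_HOME:-/opt/splunk}/etc/apps/Splunk_TA_checkpoint-opseclea" || true
else
    summarize_denials "$SAMPLE_LOG"
fi
```

Usage on the HF: `su - <splunk user> -c 'sh triage_opsec.sh $SPLUNK_HOME/var/log/splunk/splunk_ta_checkpoint-opseclea_modinput.log'`. A DENIED result from check_writable_dir for the directory the SDK writes to, combined with denials for every input in the summary, points at ownership or mode on that directory rather than at the OPSEC connection itself; denials for only one input point at that input's own working files.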

Contributor

Hi @lakshman239,

I checked all the permissions of the user running the process. Also, the same user with the same privileges is running Check Point in some other environment, and I am not facing any issue there. Can you be more specific on what process that could be that needs any special permission?
