Why Splunk Add-on for Check Point OPSEC LEA is not collecting any firewall logs?

MousumiChowdhur
Contributor

Hello everyone,

I am using the Splunk Add-on for Check Point OPSEC LEA on a Linux HF to collect the Check Point firewall logs. I have established the connection and configured the inputs (firewall events and firewall audit logs). I faced no internal error or issue while establishing the connection and configuring the inputs, yet I am not receiving any logs.
I checked splunk_ta_checkpoint-opseclea_modinput.log and splunk_ta_checkpoint-opseclea_ucc_lib.log for any errors. There is also network connectivity between the firewall device and my HF.

If anyone has faced such an issue, kindly help me if I am missing something.

Thank you!

0 Karma

tkopchak
SplunkTrust

Is this a standalone or distributed Check Point environment? (e.g., is there a dedicated management server, or do the management server and the firewall exist on the same server/appliance?)

Do you have an explicit firewall rule to allow the Splunk forwarder to communicate with your management server on the FW1_lea service? If you were able to pull the certificate successfully, that would confirm that FW1_ica_pull is allowed at least. If you make any modifications to these rules, you'll need to either install database to the management server, install policy to the firewall, or both (depending on the communication path and type of Check Point environment).

0 Karma
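The point in the reply above is that a successful certificate pull only proves one of the two OPSEC services is reachable. The script below is an added example (not from the thread or the add-on) that probes both service ports from the heavy forwarder and reports the exact asymmetry tkopchak describes. It assumes the default Check Point service port assignments (FW1_ica_pull on TCP 18210, FW1_lea on TCP 18184); if your service objects were changed, adjust the table. Because the thread notes that the management server and the log server are different hosts, the probe takes a list of hosts so both can be checked; the IP addresses in the usage section are hypothetical placeholders.

```python
import socket

# Default Check Point OPSEC service ports (assumption: the environment uses
# the stock service objects; adjust if they were customised).
OPSEC_SERVICES = {
    "FW1_ica_pull": 18210,  # certificate pull; succeeding here proves only this port is open
    "FW1_lea": 18184,       # log export; this is the port log collection actually needs
}


def tcp_reachable(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes within timeout.

    Any OSError (refused, timed out, unroutable, DNS failure) is reported as False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_opsec_services(hosts, services=OPSEC_SERVICES, timeout=3.0, probe=tcp_reachable):
    """Probe every OPSEC service on every host; returns {host: {service: bool}}.

    `probe` is injectable so the decision logic can be exercised without a network."""
    return {h: {name: probe(h, port, timeout) for name, port in services.items()} for h in hosts}


def diagnose(results):
    """Turn probe results into findings. The interesting case is the one in the
    thread: the certificate pull works, so FW1_ica_pull is open, but FW1_lea is not."""
    findings = []
    for host, svc in results.items():
        if svc.get("FW1_ica_pull") and not svc.get("FW1_lea"):
            findings.append(f"{host}: FW1_ica_pull open but FW1_lea blocked; add/install a rule for TCP/18184")
        elif not any(svc.values()):
            findings.append(f"{host}: no OPSEC port reachable; check routing and the access rule")
    return findings


if __name__ == "__main__":
    # Hypothetical addresses: replace with your management server and log server.
    for finding in diagnose(check_opsec_services(["192.0.2.10", "192.0.2.11"])):
        print(finding)
```

Run it as the same user that runs splunkd on the HF, and probe the log server as well as the management server: LEA is served by whichever host holds the logs, so a rule that only opens FW1_lea to the management server will not help when the log server is a separate machine. Remember that after changing the rule you still need the install database / install policy step the reply describes before the probe result will change.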

MousumiChowdhur
Contributor

I am able to pull the certificate successfully. The management server IP and the log server IP are different. Also, I have an explicit firewall rule to allow the Splunk forwarder to communicate with the management server on the FW1_lea service.

0 Karma

MousumiChowdhur
Contributor

Hi, I am getting the below error now.

2019-02-07 06:56:53,772 +0000 log_level=INFO, pid=8708, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8736 156715136]@xxxxxxxx[7 Feb  7:56:53] rand_add_seedfile: Failed to create mutex.: Permission denied
2019-02-07 06:56:53,785 +0000 log_level=INFO, pid=8708, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8739 161634432]@xxxxxxxx[7 Feb  7:56:53] rand_add_external_source: Failed to create mutex.: Permission denied
2019-02-07 06:56:53,785 +0000 log_level=INFO, pid=8708, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8739 161634432]@xxxxxxxx[7 Feb  7:56:53] rand_add_seedfile: Failed to create mutex.: Permission denied
2019-02-07 06:56:55,569 +0000 log_level=INFO, pid=8708, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8736 156715136]@xxxxxxxx[7 Feb  7:56:55] file_open_and_init: failed to create file: Permission denied
2019-02-07 06:56:55,583 +0000 log_level=INFO, pid=8708, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8739 161634432]@xxxxxxxx[7 Feb  7:56:55] file_open_and_init: failed to create file: Permission denied
2019-02-07 06:57:46,616 +0000 log_level=INFO, pid=8822, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8849 143599744]@xxxxxxxx[7 Feb  7:57:46] file_open_and_init: failed to create file: Permission denied
2019-02-07 06:57:46,618 +0000 log_level=INFO, pid=8822, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8853 140867712]@xxxxxxxx[7 Feb  7:57:46] file_open_and_init: failed to create file: Permission denied
2019-02-07 06:57:47,952 +0000 log_level=INFO, pid=8822, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8849 143599744]@xxxxxxxx[7 Feb  7:57:47] rand_add_external_source: Failed to create mutex.: Permission denied
2019-02-07 06:57:47,952 +0000 log_level=INFO, pid=8822, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8849 143599744]@xxxxxxxx[7 Feb  7:57:47] rand_add_seedfile: Failed to create mutex.: Permission denied
2019-02-07 06:57:47,972 +0000 log_level=INFO, pid=8822, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8853 140867712]@xxxxxxxx[7 Feb  7:57:47] rand_add_external_source: Failed to create mutex.: Permission denied
2019-02-07 06:57:47,973 +0000 log_level=INFO, pid=8822, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8853 140867712]@xxxxxxxx[7 Feb  7:57:47] rand_add_seedfile: Failed to create mutex.: Permission denied
2019-02-07 06:57:49,890 +0000 log_level=INFO, pid=8822, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8853 140867712]@xxxxxxxx[7 Feb  7:57:49] file_open_and_init: failed to create file: Permission denied
2019-02-07 06:57:49,971 +0000 log_level=INFO, pid=8822, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8849 143599744]@xxxxxxxx[7 Feb  7:57:49] file_open_and_init: failed to create file: Permission denied
0 Karma

lakshman239
Influencer

Looks like the 'user' running the process does not have the required permissions/privileges. Could you check that? Also, will this help? - https://www.giac.org/paper/gsna/154/auditing-check-point-secureplat-formng-apaplication-inteligence-...

0 Karma
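Two things about the log excerpt posted above are easy to miss: every one of those lines is written at log_level=INFO (so filtering the modinput log on ERROR finds nothing), and the failing calls (rand_add_seedfile, rand_add_external_source, file_open_and_init) are inside the OPSEC library that the Python modular input wraps, which is why the add-on's own code reports no error while the library cannot create its seed, lock and working files. The script below is an added example, not part of the thread or the add-on: it parses lines in the posted format, groups the library failures by input and OS error so the permission problem stands out, and then checks whether the current user can write to a list of candidate directories. The thread does not say which directories the library writes to, so the candidate paths are the caller's and the one in the usage section is a hypothetical placeholder. The sample log is constructed from three of the posted lines plus one made-up non-error line.

```python
import os
import re
from collections import defaultdict

# Constructed sample: three lines taken from the modinput log posted in the thread
# (two with the original leading indentation) plus one made-up non-error line.
SAMPLE_LOG = """\
2019-02-07 06:56:53,772 +0000 log_level=INFO, pid=8708, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8736 156715136]@xxxxxxxx[7 Feb  7:56:53] rand_add_seedfile: Failed to create mutex.: Permission denied
    2019-02-07 06:56:55,569 +0000 log_level=INFO, pid=8708, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8736 156715136]@xxxxxxxx[7 Feb  7:56:55] file_open_and_init: failed to create file: Permission denied
    2019-02-07 06:56:55,583 +0000 log_level=INFO, pid=8708, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8739 161634432]@xxxxxxxx[7 Feb  7:56:55] file_open_and_init: failed to create file: Permission denied
2019-02-07 06:57:00,000 +0000 log_level=INFO, pid=8708, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"] made-up non-error line
"""

# Modinput framing: timestamp, level, pid/tid, then the "| [input_name=... ]" prefix.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<tz>[+-]\d{4}) log_level=(?P<level>\w+), pid=(?P<pid>\d+), '
    r'tid=(?P<tid>[\w-]+), .*?\| \[input_name="(?P<input>[^"]*)" '
    r'connection="(?P<conn>[^"]*)" data="(?P<data>[^"]*)"\](?P<rest>.*)$'
)
# OPSEC library message: "...] <function>: <message>: <OS error>" at the end of the line.
OPSEC_ERR_RE = re.compile(r'\] (?P<func>\w+): (?P<msg>.*?): (?P<errno>[^:]+)$')


def parse_line(line):
    """Parse one modinput log line into a dict, or None if it is not in this format.

    Library failures are reported at INFO, so the level is kept but not used to filter."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    err = OPSEC_ERR_RE.search(rec["rest"])
    rec["opsec_func"] = err.group("func") if err else None
    rec["opsec_msg"] = err.group("msg") if err else None
    rec["os_error"] = err.group("errno").strip() if err else None
    return rec


def triage(text):
    """Group OPSEC library failures: {input_name: {os_error: [failing functions]}}."""
    summary = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["os_error"]:
            summary[rec["input"]][rec["os_error"]].add(rec["opsec_func"])
    return {i: {e: sorted(f) for e, f in errs.items()} for i, errs in summary.items()}


def writable_dirs(paths):
    """{path: bool}: can the current user create files in each existing directory?

    Run as the user that splunkd runs as; pass the directories you expect the
    OPSEC library to write its seed, lock and temp files to."""
    return {p: os.path.isdir(p) and os.access(p, os.W_OK | os.X_OK) for p in paths}


if __name__ == "__main__":
    for input_name, errors in triage(SAMPLE_LOG).items():
        for os_error, funcs in errors.items():
            print(f'input "{input_name}": {os_error} in {", ".join(funcs)}')
    # Hypothetical candidate directory; replace with wherever the add-on is installed.
    print(writable_dirs([os.path.expandvars("$SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea")]))
```

Point the script at the real splunk_ta_checkpoint-opseclea_modinput.log, run it as the splunkd user, and compare the output with the other environment where the same user works: if triage reports "Permission denied" for every input and writable_dirs reports False for the add-on's directories, the difference is ownership or mode of those directories (or a mount or MAC policy on the HF), not the OPSEC connection itself.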

MousumiChowdhur
Contributor

Hi @lakshman239,

I checked all the permissions of the user running the process. Also, the same user with the same privileges is running Check Point in another environment, and I am not facing any issue there. Can you be more specific on which process that could be that needs any special permission?

0 Karma