All Apps and Add-ons

Why is Splunk reporting invalid key stanza for the "management_server_ip" value in the conf file check of the Splunk Add-on for Check Point OPSEC LEA?

jmaple
Communicator

I've configured the app with the proper values including the management server IP address but when starting Splunk, the conf file check shows the management server IP is, for some reason, invalid.

Invalid key in stanza [CHECKPOINT_MGR] in /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_connection.conf, line 9: management_server_ip (value: 192.168.0.10).

Below is the config file we are using.

[root@splunk local]# more opseclea_connection.conf
[CHECKPOINT_MGR]
cert_name = CHECKPOINT_MGR_4189510259.p12
fw_version = R77
lea_app_name = SplunkLEA
lea_server_auth_port = 18184
lea_server_auth_type = sslca
lea_server_ip = 192.168.0.10
lea_server_type = primary
management_server_ip = 192.168.0.10
opsec_entity_sic_name = CN=cp_mgmt,O=CHECKPOINT_MGR.wrbdb6
opsec_sic_name = CN=SplunkLEA,O=CHECKPOINT_MGR.wrbdb6

0 Karma
1 Solution

woodcock
Esteemed Legend

It is telling you that line #9 ( management_server_ip = 192.168.0.10 ) is malformed. Usually this means that you have spelled the key wrong (case matters) or that the line is garbage/unnecessary/deprecated. That is not listed in the docs so REMOVE IT:

https://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Configureinputs

View solution in original post

0 Karma

Kieffer87
Communicator

I'm getting the same error, though everything seems to work as expected. The GUI actually populates the config file with the management_server_ip value that Splunk doesn't like.

0 Karma

woodcock
Esteemed Legend

It is telling you that line #9 ( management_server_ip = 192.168.0.10 ) is malformed. Usually this means that you have spelled the key wrong (case matters) or that the line is garbage/unnecessary/deprecated. That is not listed in the docs so REMOVE IT:

https://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Configureinputs

View solution in original post

0 Karma

jmaple
Communicator

So it looks like the error was related to it not existing however the app itself requires that value when you configure the connection using the GUI. Might need an update to not require it/remove it?

0 Karma

woodcock
Esteemed Legend

I have NEVER done either of these things that you are doing:
1: put anything on the same line as the stanza header (i.e. the first line should be [CHECKPOINT_MGR] and the second line should be cert_name = CHECKPOINT_MGR_4189510259.p12).
2: Split my KVP across lines (e.g the last 2 lines should actually be 1 line that reads opsec_sic_name =
CN=SplunkLEA,O=CHECKPOINT_MGR.wrbdb6
).

0 Karma

jmaple
Communicator

Apologies for the formatting issues. I've fixed the lines to read how they are in the actual file.

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!