Why is Splunk reporting invalid key stanza for the "management_server_ip" value in the conf file check of the Splunk Add-on for Check Point OPSEC LEA?

jmaple
Communicator

I've configured the app with the proper values, including the management server IP address, but when starting Splunk, the conf file check shows the management server IP is, for some reason, invalid.

Invalid key in stanza [CHECKPOINT_MGR] in /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_connection.conf, line 9: management_server_ip (value: 192.168.0.10).

Below is the config file we are using.

[root@splunk local]# more opseclea_connection.conf
[CHECKPOINT_MGR]
cert_name = CHECKPOINT_MGR_4189510259.p12
fw_version = R77
lea_app_name = SplunkLEA
lea_server_auth_port = 18184
lea_server_auth_type = sslca
lea_server_ip = 192.168.0.10
lea_server_type = primary
management_server_ip = 192.168.0.10
opsec_entity_sic_name = CN=cp_mgmt,O=CHECKPOINT_MGR.wrbdb6
opsec_sic_name = CN=SplunkLEA,O=CHECKPOINT_MGR.wrbdb6

0 Karma
1 Solution

woodcock
Esteemed Legend

It is telling you that line #9 ( management_server_ip = 192.168.0.10 ) is malformed. Usually this means that you have spelled the key wrong (case matters) or that the line is garbage/unnecessary/deprecated. That is not listed in the docs so REMOVE IT:

https://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Configureinputs

0 Karma
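
A sketch of the kind of check behind this message, added here as an example (it is not Splunk's or the add-on's own code): it compares each key in the posted stanza, case-sensitively, against a list of declared keys and reports the offending line number. The `ALLOWED` set is an assumption built from the other keys in the post, not the add-on's actual spec, and `invalid_keys` is a hypothetical helper name.

```python
# Constructed sample: the stanza exactly as posted in the question.
CONF = """\
[CHECKPOINT_MGR]
cert_name = CHECKPOINT_MGR_4189510259.p12
fw_version = R77
lea_app_name = SplunkLEA
lea_server_auth_port = 18184
lea_server_auth_type = sslca
lea_server_ip = 192.168.0.10
lea_server_type = primary
management_server_ip = 192.168.0.10
opsec_entity_sic_name = CN=cp_mgmt,O=CHECKPOINT_MGR.wrbdb6
opsec_sic_name = CN=SplunkLEA,O=CHECKPOINT_MGR.wrbdb6
"""

# Assumption: stand-in for the keys the add-on declares, NOT its real spec.
# It holds every key from the post except management_server_ip.
ALLOWED = frozenset({
    "cert_name", "fw_version", "lea_app_name", "lea_server_auth_port",
    "lea_server_auth_type", "lea_server_ip", "lea_server_type",
    "opsec_entity_sic_name", "opsec_sic_name",
})

def invalid_keys(conf_text, allowed):
    """Return (line_no, stanza, key, value) for each key not in `allowed`."""
    findings, stanza = [], None
    for no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]           # stanza header
            continue
        # Split on the first "=" only: values such as CN=...,O=... contain "=".
        key, sep, value = line.partition("=")
        key = key.strip()
        if sep and key not in allowed:    # exact match, so case matters
            findings.append((no, stanza, key, value.strip()))
    return findings

if __name__ == "__main__":
    for no, stanza, key, value in invalid_keys(CONF, ALLOWED):
        print(f"Invalid key in stanza [{stanza}], line {no}: {key} (value: {value}).")
```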

Kieffer87
Communicator

I'm getting the same error, though everything seems to work as expected. The GUI actually populates the config file with the management_server_ip value that Splunk doesn't like.

0 Karma

jmaple
Communicator

So it looks like the error was related to it not existing; however, the app itself requires that value when you configure the connection using the GUI. Might need an update to not require it/remove it?

0 Karma

woodcock
Esteemed Legend

I have NEVER done either of these things that you are doing:
1: put anything on the same line as the stanza header (i.e. the first line should be [CHECKPOINT_MGR] and the second line should be cert_name = CHECKPOINT_MGR_4189510259.p12).
2: Split my KVP across lines (e.g. the last 2 lines should actually be 1 line that reads opsec_sic_name = CN=SplunkLEA,O=CHECKPOINT_MGR.wrbdb6).

0 Karma

jmaple
Communicator

Apologies for the formatting issues. I've fixed the lines to read how they are in the actual file.

0 Karma