All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is Splunk reporting invalid key stanza for the "management_server_ip" value in the conf file check of the Splunk Add-on for Check Point OPSEC LEA?

jmaple
Communicator
‎04-03-2017 05:21 AM

I've configured the app with the proper values including the management server IP address but when starting Splunk, the conf file check shows the management server IP is, for some reason, invalid.

Invalid key in stanza [CHECKPOINT_MGR] in /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_connection.conf, line 9: management_server_ip (value: 192.168.0.10).

Below is the config file we are using.

[root@splunk local]# more opseclea_connection.conf
[CHECKPOINT_MGR]
cert_name = CHECKPOINT_MGR_4189510259.p12
fw_version = R77
lea_app_name = SplunkLEA
lea_server_auth_port = 18184
lea_server_auth_type = sslca
lea_server_ip = 192.168.0.10
lea_server_type = primary
management_server_ip = 192.168.0.10
opsec_entity_sic_name = CN=cp_mgmt,O=CHECKPOINT_MGR.wrbdb6
opsec_sic_name = CN=SplunkLEA,O=CHECKPOINT_MGR.wrbdb6

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎04-03-2017 07:17 AM

It is telling you that line #9 ( management_server_ip = 192.168.0.10 ) is malformed. Usually this means that you have spelled the key wrong (case matters) or that the line is garbage/unnecessary/deprecated. That is not listed in the docs so REMOVE IT:

https://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Configureinputs

View solution in original post

0 Karma
Reply
Solved! Jump to solution

Kieffer87
Communicator
‎04-03-2017 05:40 PM

I'm getting the same error, though everything seems to work as expected. The GUI actually populates the config file with the management_server_ip value that Splunk doesn't like.

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎04-03-2017 07:17 AM

It is telling you that line #9 ( management_server_ip = 192.168.0.10 ) is malformed. Usually this means that you have spelled the key wrong (case matters) or that the line is garbage/unnecessary/deprecated. That is not listed in the docs so REMOVE IT:

https://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Configureinputs

0 Karma
Reply
Solved! Jump to solution

jmaple
Communicator
‎04-03-2017 09:12 AM

So it looks like the error was related to it not existing however the app itself requires that value when you configure the connection using the GUI. Might need an update to not require it/remove it?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-03-2017 06:33 AM

I have NEVER done either of these things that you are doing:
1: put anything on the same line as the stanza header (i.e. the first line should be [CHECKPOINT_MGR] and the second line should be cert_name = CHECKPOINT_MGR_4189510259.p12).
2: Split my KVP across lines (e.g the last 2 lines should actually be 1 line that reads opsec_sic_name =
CN=SplunkLEA,O=CHECKPOINT_MGR.wrbdb6).

0 Karma
Reply
Solved! Jump to solution

jmaple
Communicator
‎04-03-2017 06:47 AM

Apologies for the formatting issues. I've fixed the lines to read how they are in the actual file.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...