I might be wrong here, because when I checked the props.conf file I did not find any stanza for audit logs. So how can I proceed further with audit logs?
Deleting /splunk/var/lib/splunk/modinputs/checkpoint_opseclea/Audit_audit and then restarting Splunk solved the problem.
Same problem since upgrading from CP R77 to R80.
I'm not receiving any Audit data either. But I have seen in the Splunk logs that it's trying to grab the logs from fw.adtlog. The problem is that my audit data logs roll over every day and it's not trying to grab the daily audit logs (only the default fw.adtlog). For example, it's trying to grab audit data from the main logs that roll over every day (2018-11-05_000000.log, 2018-11-06_000000.log, etc.) and NOT from (2018-11-05_000000.adtlog, 2018-11-06_000000.adtlog). So I think that's the problem: it recognizes and grabs the NON-audit data from these daily roll-over logs, but NOT the audit data, because it's not looking for YYYY-MM-DD_XXXX.adtlog as a log to grab info from.
I am having a similar issue where Splunk stops fetching audit logs after midnight when the file is rolled over. Did you find any solution for this? I appreciate your help!
You need to check the file opseclea_inputs.conf in $SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/local.
Refer to the document below:
https://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Configureinputs
@p_gurav I have added two different connections in inputs.conf, 1. non-audit and 2. audit, for a single configuration connection.
When two or more data inputs are configured for the same product (e.g. non_audit, firewall, vpn, smartdefense) and follow a similar naming convention (e.g. input/9, input/19, etc.), there is a possibility of a race condition, as all these inputs refer to the same checkpoint file.
You will see the following warning message: "Unable to get a lock or parse the checkpoint file. Will retry on next run."
The error will be logged in splunk_ta_checkpoint-opseclea_modinput.log and Splunk software will stop indexing data for that particular data input.
Hope this helps.
I am not getting any error or warning in the modinput.log file. But I am receiving the logs shown below for the audit connection.
log_level=INFO, pid=2919, tid=Thread-16856, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=73 | [input_name="XYZ_Firewall_Audit" connection="XYZ" data="audit"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles_dict code_line_no:2442 :- 2018-03-09_093944_98.log nID 1520585520 aID 1520585520^C
But I am not able to search for them in Splunk.
Can you give the details of the inputs.conf file which you configured?
[NAME 1]
connection = N
data = non_audit
host = XXXXXX
index = checkpoint
interval = 60
mode = online
noresolve = 1
starttime = XXXXXXX
disabled = 0

[NAME 2]
connection = N1
data = non_audit
host = XXXX
index = checkpoint
interval = 60
mode = online
noresolve = 1
starttime = XXXXXXX
disabled = 0

[NAME 3]
connection = N2
data = non_audit
host = XXXXX
index = checkpoint
interval = 60
mode = offline
noresolve = 1
disabled = 0

[NAME 4]
connection = N3
data = non_audit
host = XXXXXX
index = checkpoint
interval = 60
mode = offline
noresolve = 1
starttime = 2018-02-28T20:00:00+05:00
disabled = 0

[QWE_Firewall_Audit]
connection = N
data = audit
host = XXXXX
index = checkpoint
interval = 3600
mode = offline
noresolve = 1

[XYZ_Firewall_Audit]
connection = N1
data = audit
host = XXXXX
index = checkpoint
interval = 3600
mode = offline
noresolve = 1
disabled = 0

[ABC_Firewall_Audit]
connection = N2
data = audit
host = XXXXXX
index = checkpoint
interval = 3600
mode = offline
noresolve = 0

[def_Firewall_Audit]
connection = N3
data = audit
host = XXXXXX
index = checkpoint
interval = 3600
mode = offline
noresolve = 1
disabled = 0
I have masked some values and changed some names.
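As an added example (not part of this thread and not the add-on's own code), here is a small Python check that does two things the earlier answer about the checkpoint-file race and the posted inputs.conf both point at: it parses a Splunk-style inputs.conf into stanzas and reports every connection/data pair used by more than one enabled input, and it scans modinput log lines for the "Unable to get a lock or parse the checkpoint file" warning and reports which input_name each hit belongs to. The inputs.conf and log lines below are constructed, modelled on the ones posted above; the assumption that a missing `disabled` key means the input is enabled, and the exact shape of the warning line, are assumptions of this example, not facts from the thread.

```python
"""Added example: audit an OPSEC LEA inputs.conf for inputs that share one
connection and data type, and scan modinput log lines for the
checkpoint-lock warning. All sample data here is constructed."""
import re
from collections import defaultdict

# Constructed inputs.conf modelled on the one posted in the thread.
# NAME 2 and NAME 2b both pull non_audit data over connection N1 while
# enabled; NAME 1 old is a disabled duplicate and should not be flagged.
SAMPLE_INPUTS_CONF = """\
[NAME 1]
connection = N
data = non_audit
index = checkpoint
interval = 60
mode = online
disabled = 0

[NAME 1 old]
connection = N
data = non_audit
index = checkpoint
disabled = 1

[QWE_Firewall_Audit]
connection = N
data = audit
index = checkpoint
interval = 3600
mode = offline

[NAME 2]
connection = N1
data = non_audit
index = checkpoint
interval = 60
disabled = 0

[NAME 2b]
connection = N1
data = non_audit
index = checkpoint
interval = 60
disabled = 0
"""

# Constructed log lines shaped like the one quoted in the thread; the
# WARNING line is an assumed form of the lock warning, not captured output.
SAMPLE_MODINPUT_LOG = [
    'log_level=INFO, pid=2919, file=ta_opseclea_data_collector.py, '
    'func_name=get_logs | [input_name="XYZ_Firewall_Audit" connection="N1" '
    'data="audit"] 2018-03-09_093944_98.log nID 1520585520',
    'log_level=WARNING, pid=2919, file=ta_opseclea_data_collector.py, '
    'func_name=get_logs | [input_name="NAME 2" connection="N1" '
    'data="non_audit"] Unable to get a lock or parse the checkpoint file. '
    'Will retry on next run.',
]

LOCK_WARNING = "Unable to get a lock or parse the checkpoint file"
INPUT_RE = re.compile(r'input_name="([^"]+)"')


def parse_inputs_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}.
    Blank lines and '#' comments are skipped; a repeated key keeps the
    last value, which is how Splunk resolves duplicates within a stanza."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def shared_connections(stanzas):
    """Return {(connection, data): [stanza names]} for every
    connection/data pair used by more than one enabled stanza. Assumption:
    a stanza with no 'disabled' key is enabled."""
    groups = defaultdict(list)
    for name, kv in stanzas.items():
        if kv.get("disabled", "0") == "1":
            continue
        groups[(kv.get("connection"), kv.get("data"))].append(name)
    return {pair: names for pair, names in groups.items() if len(names) > 1}


def inputs_with_lock_warning(lines):
    """Return the sorted input_name values whose log lines carry the
    checkpoint-lock warning; lines without an input_name are reported
    under a placeholder so nothing is silently dropped."""
    hit = set()
    for line in lines:
        if LOCK_WARNING in line:
            match = INPUT_RE.search(line)
            hit.add(match.group(1) if match else "<unknown input>")
    return sorted(hit)


if __name__ == "__main__":
    conf = parse_inputs_conf(SAMPLE_INPUTS_CONF)
    for (conn, data), names in shared_connections(conf).items():
        print(f"connection={conn} data={data} shared by: {', '.join(names)}")
    for name in inputs_with_lock_warning(SAMPLE_MODINPUT_LOG):
        print(f"lock warning seen for input: {name}")
```

Run it against a real file by replacing SAMPLE_INPUTS_CONF with the contents of $SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/local/inputs.conf and SAMPLE_MODINPUT_LOG with lines read from splunk_ta_checkpoint-opseclea_modinput.log; an input that is flagged by both checks is the case the earlier answer describes, where two inputs contend for one checkpoint file and indexing stops for one of them.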
Any news on this issue? I have the same problem for a few connections.