
Why is the checkpoint OPSEC LEA app not fetching audit logs?

N92
Path Finder

I might be wrong here, because when I checked the props.conf file I did not find any stanza for audit logs. So how can I proceed further with audit logs?

splunkreal
Motivator

Deleting /splunk/var/lib/splunk/modinputs/checkpoint_opseclea/Audit_audit and then restarting Splunk solved the problem.

* If this helps, please upvote or accept solution 🙂 *
0 Karma

splunkreal
Motivator

Same problem since upgrading from CP R77 to R80.

* If this helps, please upvote or accept solution 🙂 *
0 Karma

gmessinger
New Member

I'm not receiving any Audit data either. But, I have seen in the Splunk logs where it's trying to grab the logs from fw.adtlog. The problem is my audit data logs roll over every day and it's not trying to grab the daily audit logs (only the default fw.adtlog). Example: it's trying to grab audit data from the main logs that roll over every day (2018-11-05_000000.log, 2018-11-06_000000.log, etc.) and NOT from (2018-11-05_000000.adtlog, 2018-11-06_000000.adtlog). So, I think that's the problem: it recognizes and grabs the NON-Audit data from these daily roll-over logs, but NOT the audit data, because it's not looking for YYYY-MM-DD_XXXX.adtlog as a log to grab info from.

0 Karma

kc64645
Explorer

I am having a similar issue where Splunk stops fetching audit logs after midnight when the file is rolled over. Did you find any solution for this? Appreciate your help!

0 Karma

p_gurav
Champion

You need to check the file opseclea_inputs.conf in $SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/local.

Refer to the document below:
https://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Configureinputs

0 Karma

N92
Path Finder

@p_gurav I have added two different connections in inputs.conf, 1. Non-audit & 2. Audit, for a single configuration connection.

0 Karma

splunker12er
Motivator

When two or more data inputs are configured for the same product (e.g. non_audit, firewall, vpn, smartdefense) and follow a similar naming convention (e.g. input/9, input/19, etc.), there is a possibility of a race condition, as all these inputs refer to the same checkpoint file.

You will see the following warning message: Unable to get a lock or parse the checkpoint file. Will retry on next run.

The error will be logged in splunk_ta_checkpoint-opseclea_modinput.log, and Splunk software will stop indexing data for that particular data input.

Hope this helps.

0 Karma

N92
Path Finder

I am not getting any error or warning in the modinput.log file. But I am receiving the logs shown below for the audit connection.

log_level=INFO, pid=2919, tid=Thread-16856, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=73 | [input_name="XYZ_Firewall_Audit" connection="XYZ" data="audit"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles_dict code_line_no:2442 :- 2018-03-09_093944_98.log nID 1520585520 aID 1520585520^C

But I am not able to search for it in Splunk.

0 Karma
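An added example, not from this thread and not part of the add-on: a small parser for lines in the layout N92 pasted above from splunk_ta_checkpoint-opseclea_modinput.log. It extracts the input context (input_name, connection, data) and the log file names the grabber enumerates in its get_fw1_logfiles_dict lines, then flags the two symptoms discussed above: audit inputs whose enumeration only ever reports .log files and never an .adtlog (gmessinger's observation), and inputs that logged the checkpoint lock warning splunker12er quoted. The sample lines are constructed after N92's single line; the pids, thread ids, the second and third inputs and the exact layout of the warning line are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of splunk_ta_checkpoint-opseclea_modinput.log,
# modelled on the one line quoted in the thread. Everything but the first line's
# values and the warning text is made up for this example.
SAMPLE_LOG = """\
log_level=INFO, pid=2919, tid=Thread-16856, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=73 | [input_name="XYZ_Firewall_Audit" connection="XYZ" data="audit"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles_dict code_line_no:2442 :- 2018-03-09_093944_98.log nID 1520585520 aID 1520585520
log_level=INFO, pid=2919, tid=Thread-16856, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=73 | [input_name="XYZ_Firewall_Audit" connection="XYZ" data="audit"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles_dict code_line_no:2442 :- 2018-03-10_000000.log nID 1520611200 aID 1520611200
log_level=INFO, pid=2919, tid=Thread-16857, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=73 | [input_name="XYZ_Firewall_NonAudit" connection="XYZ" data="non_audit"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles_dict code_line_no:2442 :- 2018-03-10_000000.log nID 1520611200 aID 1520611200
log_level=INFO, pid=2919, tid=Thread-16859, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=73 | [input_name="ABC_Firewall_Audit" connection="ABC" data="audit"]log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles_dict code_line_no:2442 :- 2018-03-10_000000.adtlog nID 1520611200 aID 1520611200
log_level=WARNING, pid=2919, tid=Thread-16858, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=90 | [input_name="XYZ_Firewall_NonAudit" connection="XYZ" data="non_audit"]Unable to get a lock or parse the checkpoint file . Will retry on next run.
"""

# "[input_name="..." connection="..." data="..."]" prefix of the message part.
CONTEXT_RE = re.compile(r'^\[(?P<ctx>[^\]]*)\](?P<msg>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# File name the loggrabber reports after ":-" in get_fw1_logfiles_dict lines.
LOGFILE_RE = re.compile(r':-\s+(?P<name>\S+\.(?:adtlog|log))\b')
LOCK_WARNING = "Unable to get a lock or parse the checkpoint file"


def parse_line(line):
    """Split one modinput log line into header fields, input context and message."""
    if " | " not in line:
        return None
    header, body = line.split(" | ", 1)
    fields = {}
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        fields[key] = value
    ctx = {}
    m = CONTEXT_RE.match(body)
    if m:
        ctx = dict(KV_RE.findall(m.group("ctx")))
        body = m.group("msg")
    return {"fields": fields, "ctx": ctx, "msg": body}


def analyze(log_text):
    """Per input_name: connection, data type, the log files the grabber
    enumerated, and how many checkpoint-lock warnings were logged."""
    report = defaultdict(lambda: {"connection": None, "data": None,
                                  "files": [], "lock_warnings": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or "input_name" not in rec["ctx"]:
            continue
        entry = report[rec["ctx"]["input_name"]]
        entry["connection"] = rec["ctx"].get("connection")
        entry["data"] = rec["ctx"].get("data")
        if LOCK_WARNING in rec["msg"]:
            entry["lock_warnings"] += 1
        fm = LOGFILE_RE.search(rec["msg"])
        if fm and "get_fw1_logfiles_dict" in rec["msg"]:
            entry["files"].append(fm.group("name"))
    return dict(report)


def audit_inputs_without_adtlog(report):
    """Audit inputs whose enumerated files are all .log and never .adtlog:
    the symptom described in the thread (audit input reading the daily
    non-audit files only)."""
    return sorted(name for name, e in report.items()
                  if e["data"] == "audit" and e["files"]
                  and not any(f.endswith(".adtlog") for f in e["files"]))


def inputs_with_lock_warnings(report):
    """Inputs that hit the shared-checkpoint lock warning at least once."""
    return sorted(name for name, e in report.items() if e["lock_warnings"])


if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG)
    for name, e in sorted(rep.items()):
        print(f'{name}: connection={e["connection"]} data={e["data"]} '
              f'files={e["files"]} lock_warnings={e["lock_warnings"]}')
    print("audit inputs that never saw an .adtlog:", audit_inputs_without_adtlog(rep))
    print("inputs with checkpoint lock warnings:", inputs_with_lock_warnings(rep))
```

Run it against a real copy of the modinput log (`analyze(open(path).read())`) after the nightly rollover; an audit input that keeps appearing in the first list while its non_audit sibling on the same connection does not is the pattern gmessinger describes, and any input in the second list matches splunker12er's explanation instead.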

p_gurav
Champion

Can you give details of the inputs.conf file you configured?

0 Karma

N92
Path Finder

[NAME 1]
connection = N
data = non_audit
host = XXXXXX
index = checkpoint
interval = 60
mode = online
noresolve = 1
starttime = XXXXXXX
disabled = 0

[NAME 2]
connection = N1
data = non_audit
host = XXXX
index = checkpoint
interval = 60
mode = online
noresolve = 1
starttime = XXXXXXX
disabled = 0

[NAME 3]
connection = N2
data = non_audit
host = XXXXX
index = checkpoint
interval = 60
mode = offline
noresolve = 1
disabled = 0

[NAME 4]
connection = N3
data = non_audit
host = XXXXXX
index = checkpoint
interval = 60
mode = offline
noresolve = 1
starttime = 2018-02-28T20:00:00+05:00
disabled = 0

[QWE_Firewall_Audit]
connection = N
data = audit
host = XXXXX
index = checkpoint
interval = 3600
mode = offline
noresolve = 1

[XYZ_Firewall_Audit]
connection = N1
data = audit
host = XXXXX
index = checkpoint
interval = 3600
mode = offline
noresolve = 1
disabled = 0

[ABC_Firewall_Audit]
connection = N2
data = audit
host = XXXXXX
index = checkpoint
interval = 3600
mode = offline
noresolve = 0

[def_Firewall_Audit]
connection = N3
data = audit
host = XXXXXX
index = checkpoint
interval = 3600
mode = offline
noresolve = 1
disabled = 0

I have masked some values & changed some names.

0 Karma
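An added example, not from this thread and not part of the add-on: it loads a subset of the inputs.conf stanzas N92 posted above (connections N and N2, values left masked exactly as posted) with Python's configparser and reports two things. First, stanzas that share both a connection and a data type; treating that pair as the thing that makes inputs contend for one checkpoint file is this example's way of modelling the collision splunker12er describes, and is an assumption, not something the add-on documents here. Second, for each connection, every setting where the audit stanza differs from its non_audit sibling, since the non_audit inputs are the ones producing searchable data. `host` is skipped in the comparison only because the thread masks it differently from stanza to stanza.

```python
import configparser
from collections import defaultdict

# Four of the stanzas posted in the thread, copied with their masked values.
SAMPLE_INPUTS = """\
[NAME 1]
connection = N
data = non_audit
host = XXXXXX
index = checkpoint
interval = 60
mode = online
noresolve = 1
starttime = XXXXXXX
disabled = 0

[NAME 3]
connection = N2
data = non_audit
host = XXXXX
index = checkpoint
interval = 60
mode = offline
noresolve = 1
disabled = 0

[QWE_Firewall_Audit]
connection = N
data = audit
host = XXXXX
index = checkpoint
interval = 3600
mode = offline
noresolve = 1

[ABC_Firewall_Audit]
connection = N2
data = audit
host = XXXXXX
index = checkpoint
interval = 3600
mode = offline
noresolve = 0
"""

# 'data' differs by definition; 'host' is masked inconsistently in the posting.
IGNORE_KEYS = {"data", "host"}


def load_inputs(text):
    """Parse inputs.conf text into {stanza name: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {name: dict(cp.items(name)) for name in cp.sections()}


def duplicate_inputs(stanzas):
    """Stanzas that share connection and data type. Assumption of this example:
    those are the inputs that would contend for the same checkpoint file."""
    groups = defaultdict(list)
    for name, kv in stanzas.items():
        groups[(kv.get("connection"), kv.get("data"))].append(name)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def audit_vs_nonaudit_diff(stanzas):
    """Per connection with both an audit and a non_audit stanza, the keys whose
    values differ as {key: (non_audit value, audit value)}; None = not set.
    If a connection has duplicate stanzas of one type, the last one read wins."""
    by_conn = defaultdict(dict)
    for name, kv in stanzas.items():
        by_conn[kv.get("connection")][kv.get("data")] = kv
    diffs = {}
    for conn, kinds in sorted(by_conn.items()):
        if "non_audit" not in kinds or "audit" not in kinds:
            continue
        na, au = kinds["non_audit"], kinds["audit"]
        keys = (set(na) | set(au)) - IGNORE_KEYS
        diffs[conn] = {k: (na.get(k), au.get(k)) for k in sorted(keys)
                       if na.get(k) != au.get(k)}
    return diffs


if __name__ == "__main__":
    stanzas = load_inputs(SAMPLE_INPUTS)
    print("inputs sharing connection+data:", duplicate_inputs(stanzas))
    for conn, d in audit_vs_nonaudit_diff(stanzas).items():
        print(f"{conn}: audit differs from non_audit in {d}")
```

On the posted stanzas no two inputs share a connection and data type, so the collision check is clean, while the diff shows the audit inputs running at a 3600 s interval in offline mode without a starttime, and on N2 with noresolve=0, which is the list of knobs to change one at a time when comparing a working non_audit input with its silent audit sibling.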

tiagofbmm
Influencer

Any news on this issue? I have the same problem for a few connections.

0 Karma