I have an issue setting up the LEA pull for Check Point logs. The only thing unusual in my environment, particularly given the errors about passAuth, is that I'm running the free version of Splunk.
I go through the installation process without issue, but when I hit the last step (providing the SIC name and the Entity SIC name), I click submit and get no response at all (no errors, no logs, etc.). I've tried restarting, tried going back and resubmitting the previous page (both of which work without an error message), and tried listing my OPSEC connectors which produces a /fail page.
When I search for the logs, I see a bunch of the following messages (seeming to roughly correlate to each time I clicked the submit button):
2013-07-22 08:25:13,491 ERROR [51ed4ed8e7ab62378c] <string>:449 - opsec_lea_ui_controller: unable to create scripted input for opsec config HomeProductionEvents - error: passAuth user does not exist: splunk-system-user
and then I also see a few of these messages, which seems to correlate with trying to view the existing connections:
2013-07-22 08:28:02,267 WARNING [51ed4f8203ad590b0c] <string>:115 - opsec_lea_ui_controller: problem retreiving opsec config HomeProductionEvents
Any ideas for how I could troubleshoot or resolve this?
Splunk is complaining about the inexistence of splunk-system-user.
Do you have such a user in Splunk? Usually admin is used.
In inputs.conf you should have an entry like this:
[script:///opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.my --configentity Fire01]
disabled = 0
interval = 600
passAuth = admin
sourcetype = opsec
index = checkpointfw
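Not from the thread: an added Python check that reads inputs.conf text and flags enabled script:// stanzas whose passAuth names a user that is not in a supplied set of known Splunk users, which is the condition behind the "passAuth user does not exist" error above. The sample conf text, the second stanza and the user set are constructed for illustration.

```python
from typing import Dict, List, Set

# Constructed sample inputs.conf content, mirroring the stanza shape from the
# thread. The second stanza is made up to show the failing case.
SAMPLE_INPUTS_CONF = """
[script:///opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.my --configentity Fire01]
disabled = 0
interval = 600
passAuth = admin
sourcetype = opsec
index = checkpointfw

[script:///opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.my --configentity HomeProductionEvents]
disabled = 0
interval = 600
passAuth = splunk-system-user
sourcetype = opsec
index = checkpointfw
"""


def parse_inputs_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .conf text into {stanza_name: {key: value}}.
    Blank lines, comments (# or ;) and lines before the first stanza are skipped."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def scripted_inputs_with_bad_passauth(text: str, existing_users: Set[str]) -> List[str]:
    """Return enabled script:// stanzas whose passAuth user is not in existing_users."""
    bad: List[str] = []
    for name, kv in parse_inputs_conf(text).items():
        if not name.startswith("script://"):
            continue
        if kv.get("disabled", "0").lower() in ("1", "true"):
            continue  # disabled inputs never run, so splunkd will not look the user up
        user = kv.get("passAuth")
        if user and user not in existing_users:
            bad.append(name)
    return bad
```

Run it against a copy of the app's local/inputs.conf with the user names you actually have; any stanza it reports is one splunkd will refuse to start with the same error shown in the question.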
Ah ha, you got me very close. There's no such scripted input in my system (verified with a cd /opt/splunk/etc && grep passAuth . -r), however in apps/Splunk_TA_opseclea_linux22/bin/opsec/models/input.py there is the line:
pass_auth = Field(api_name='passAuth')
That doesn't seem like it should be the place to change it, though...
And I don't seem to have a splunk-system-user... it's the free version, so I don't actually have access to that section of the UI.
The first issue is caused by the lack of FS permission on the home directory running Splunkd. Check the home directory '~/.splunk' to ensure it is RW.
I haven't encountered the second issue myself, but the opsec configs are stored in:
opsec-entity-health.conf opsec-entity-log-status.conf opsec-log-status.conf opsec.conf
For #1, I should be able to do that by running
su splunk -
and then checking with
cd ~
correct? That puts me at /opt/splunk, and there is no .splunk folder there at all, but the entire directory is 700 owned by splunk, so the splunk user has full access... (This is just a generic Splunk installation.)