Check Point LEA Pull Errors on Splunk Free

Splunk Employee

Hello all,

I have an issue setting up the LEA pull for Check Point logs. The only thing unusual in my environment, particularly given the errors about passAuth, is that I'm running the free version of Splunk.

I go through the installation process without issue, but when I hit the last step (providing the SIC name and the Entity SIC name), I click submit and get no response at all (no errors, no logs, etc.). I've tried restarting, tried going back and resubmitting the previous page (both of which work without an error message), and tried listing my OPSEC connectors which produces a /fail page.

When I search for the logs, I see a bunch of the following messages (seeming to roughly correlate to each time I clicked the submit button):

2013-07-22 08:25:13,491 ERROR   [51ed4ed8e7ab62378c] <string>:449 - opsec_lea_ui_controller: unable to create scripted input for opsec config HomeProductionEvents - error: passAuth user does not exist: splunk-system-user

and then I also see a few of these messages, which seems to correlate with trying to view the existing connections:

2013-07-22 08:28:02,267 WARNING [51ed4f8203ad590b0c] <string>:115 - opsec_lea_ui_controller: problem retreiving opsec config HomeProductionEvents

Any ideas for how I could troubleshoot or resolve this?

0 Karma

Communicator

Splunk is complaining about the inexistence of splunk-system-user.

Do you have such a user in Splunk? Usually admin is used.

In inputs.conf you should have an entry like this:

[script:///opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.my --configentity Fire01]
disabled = 0
interval = 600
passAuth = admin
sourcetype = opsec
index = checkpointfw

0 Karma

Splunk Employee

Ah ha, you got me very close. There's no such scripted input in my system (verified with a cd /opt/splunk/etc && grep passAuth . -r), however in apps/Splunk_TA_opseclea_linux22/bin/opsec/models/input.py there is the line:
pass_auth = Field(api_name='passAuth')

That doesn't seem like it should be the place to change it, though...

And I don't seem to have a splunk-system-user. It's the free version, so I don't actually have access to that section of the UI.

0 Karma

Splunk Employee

The first issue is caused by the lack of FS permission on the home directory running Splunkd. Check the home directory '~/.splunk' to ensure it is RW.

I haven't encountered the second issue myself, but the opsec configs are stored in:
$SPLUNK_home/etc/apps/Splunk_TA_opseclea_linux22/local

opsec-entity-health.conf  opsec-entity-log-status.conf  opsec-log-status.conf  opsec.conf

0 Karma
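As an added example (not code from this thread or from the Splunk_TA_opseclea add-on), the following Python checker parses the scripted-input stanzas of an inputs.conf, reports any passAuth value that names a user not present in a supplied list of existing Splunk users (the condition behind the "passAuth user does not exist" error quoted above), and tests whether a directory such as ~/.splunk is readable and writable, as suggested in the reply above. The sample config is constructed from the stanza shown earlier; the list of known users is assumed to come from the deployment's own Splunk user list.

```python
import configparser
import os
import sys

# Constructed sample, modelled on the stanza quoted in the thread plus a second
# scripted input that references a user which does not exist on Splunk Free.
SAMPLE_INPUTS_CONF = """
[script:///opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.my --configentity Fire01]
disabled = 0
interval = 600
passAuth = admin
sourcetype = opsec
index = checkpointfw

[script://./bin/other_input.py]
disabled = 0
passAuth = splunk-system-user
"""


def parse_scripted_inputs(text):
    """Return {stanza: {key: value}} for every [script://...] stanza in inputs.conf text."""
    cp = configparser.RawConfigParser(strict=False)  # .conf files may repeat keys
    cp.optionxform = str  # keep key case so 'passAuth' stays 'passAuth'
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections() if s.startswith("script://")}


def missing_pass_auth_users(stanzas, known_users):
    """Return [(stanza, user)] where passAuth names a user absent from known_users.

    splunkd refuses to run such inputs and logs 'passAuth user does not exist: <user>'.
    """
    known = set(known_users)
    return [(name, kv["passAuth"]) for name, kv in stanzas.items()
            if "passAuth" in kv and kv["passAuth"] not in known]


def dir_is_rw(path):
    """True if path is an existing directory the current user can read and write."""
    return os.path.isdir(path) and os.access(path, os.R_OK | os.W_OK)


if __name__ == "__main__":
    # Usage: python check_inputs.py [path/to/inputs.conf] [user ...]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INPUTS_CONF
    users = sys.argv[2:] or ["admin"]  # assumed: users known to this Splunk instance
    for stanza, user in missing_pass_auth_users(parse_scripted_inputs(text), users):
        print(f"{stanza}: passAuth user does not exist: {user}")
    home = os.path.expanduser("~/.splunk")
    print(f"{home} readable+writable: {dir_is_rw(home)}")
```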

Splunk Employee

For #1, I should be able to do that by su splunk - and then checking in cd ~ correct? That puts me at /opt/splunk and there is no .splunk folder at all there, but the entire directory is 700 owned by splunk, so the splunk user has full access... (This is just a generic splunk installation.)

0 Karma