Configure the Splunk Add-on for Check Point OPSEC LEA

lnhquang1993
New Member

Hi everyone,
I need to configure the Splunk Add-on for Check Point OPSEC LEA, but I have faced some problems. I can't add a new connection.

192.168.20.1 is the IP of the Check Point FW
192.168.20.30 is the IP of Splunk

I have pulled the certificate successfully from Check Point, but I can't select it under SIC Certificate. I can't use the Reuse Existing SIC Certificate option.

And in Check Point SmartConsole, I can't see where to check the SIC status.

Please help,
Quang


Enedis
New Member

Hi,

The OPSEC App Name should not contain special characters.
Try: splunklea.

Alex


ektasiwani
Communicator

Hi,

I was facing the same issue. I solved this by giving proper permissions to the "$SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/" folder. Make sure your application folder has proper permissions and contains the "$SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/local/" folder.


evinasco
Communicator

What kind of permissions does it need? 777? In Linux?


ektasiwani
Communicator

Yes. You need to give 777 permission.

If giving permission does not solve your issue, please follow the steps mentioned in the link below.

https://answers.splunk.com/answers/614787/splunk-check-point-lea-opsec-error-fatal-error-gli.html


evinasco
Communicator

Hi, thanks, but now I have the next issue jejeje... when I create an input:

ERROR: Session end reason: SIC ERROR 119 - SIC Error for lea: Client could not choose an authentication method for service lea

Do you know what is going on?


ektasiwani
Communicator

Hi,

This issue is because the OPSEC side started to use SHA-256 and updated its SDK.
Download file from http://supportcontent.checkpoint.com/file_download?id=50832 and replace $SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/bin/opsec-tools binaries with these new ones.

This solution is mentioned in the link which I shared in my comment:
https://answers.splunk.com/answers/614787/splunk-check-point-lea-opsec-error-fatal-error-gli.html

Check out the link below from Check Point:
https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eve...


lmaclean
Path Finder

Hi,

Looking at the doco, the Mgt Server IP isn't that of the Splunk server but of the Check Point Mgt Server, if it is a standalone environment (#6.2 on the doco page).

I would suggest confirming all of the steps in the doco setup; then, if it still isn't working, provide here:

  1. Which step you believe it failed upon
  2. The stderr lines within the splunkd.log referenced in the error message
  3. Check the ../certs/ folder within the app - and the permissions for the folder/files
  4. Output from the web_service.log; refer to the troubleshooting section of the linked doco page

lnhquang1993
New Member

Hi lmaclean,
Thanks for your help. And yes, I recognize my fault. It is a standalone environment, so both the Log Server IP and the Mgt Server IP are the same - 192.168.20.1, right? But I still get an error:
External handler failed with code '1' and output: 'REST ERROR[400]: Bad Request - The referred entity does not exist in the Certificate Authority. Make sure you have provided the right application name and one-time password'. See splunkd.log for stderr output.

I'm pretty sure that I have typed the right application name and one-time password.
Here is the application that I created on CP:
name = splunk-lea OTP = 123
and I use it to pull the cert from CP to Splunk:
./pull-cert.sh 192.168.20.1 splunk-lea 123 splunk.pl2
and the output shows that the certificate was successfully written to ../certs/splunk.pl2.

So the application name and OTP can't be wrong, right?


kalaiarasu
Explorer

Hi,

Have you resolved the issue? Currently I'm facing the same issue.


lmaclean
Path Finder

Might be worth looking at the opseclea_connection.conf file in the ../local/ folder and seeing if the settings match what you have configured in Check Point.

Also remember they are case sensitive; the password cannot contain certain special characters; reapply the password in Check Point after each failed attempt, in case it blocks it out after the first failed try; and make sure that all the other settings in the file match your environment as well.

https://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Configureinputs

Edit: Oh, and at the end of the cert script, it is a number one (1), right, not an l (L), that you are running??

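Added example (not posted by anyone in this thread, and not the add-on's own code): a small Python pre-flight script that turns the checks scattered through the replies above into something you can run before clicking "Add connection". It flags special characters in the OPSEC application name, catches the "splunk.pl2" (letter l) versus "splunk.p12" (digit 1) slip in the SIC certificate file name, verifies that the app's local/ and certs/ directories exist and are writable by the current user, and compares a conf stanza against the values you entered in Check Point, reporting case-only differences separately because those values are case sensitive. Assumptions, all labelled in the code: the allowed app-name charset (letters, digits, underscore) is a conservative reading of the "no special characters" advice; the stanza key names in the sample conf (opsec_app_name, sic_cert_file, lea_server_ip) are hypothetical placeholders rather than the add-on's real keys; and the sample values and the throw-away app tree are constructed for the demo. Rather than requiring mode 777, the layout check flags a world-writable directory, since only the account splunkd runs as needs write access.

```python
# Added example: pre-flight checks for a Splunk_TA_checkpoint-opseclea install.
# Not part of the add-on; the conf key names used below are hypothetical.
import configparser
import os
import re
import stat
import tempfile

# Assumption: letters, digits and underscore only, the conservative reading of
# the "no special characters" advice for OPSEC application names.
APP_NAME_RE = re.compile(r"[A-Za-z0-9_]+")
# Characters easily mistyped or misread for the digits in ".p12".
LOOKALIKES = {"l": "1", "I": "1", "O": "0", "o": "0"}


def opsec_app_name_ok(name: str) -> bool:
    """True when the OPSEC application name uses only the conservative charset."""
    return APP_NAME_RE.fullmatch(name) is not None


def cert_filename_issue(filename: str):
    """None if the SIC cert name ends in .p12, else a message (catches 'pl2' for 'p12')."""
    base, dot, ext = filename.rpartition(".")
    if not dot:
        return f"{filename}: no extension, expected .p12"
    if ext == "p12":
        return None
    if "".join(LOOKALIKES.get(c, c) for c in ext) == "p12":
        return f"{filename}: extension '{ext}' looks like a mistyped 'p12'; use {base}.p12"
    return f"{filename}: unexpected extension '{ext}', expected .p12"


def check_app_layout(app_root: str) -> list:
    """Report missing, unwritable or world-writable local/ and certs/ directories."""
    # Only the account splunkd runs as needs write access, so 777 is flagged, not required.
    problems = []
    for sub in ("local", "certs"):
        path = os.path.join(app_root, sub)
        if not os.path.isdir(path):
            problems.append(f"missing directory: {path}")
            continue
        if not os.access(path, os.W_OK):
            problems.append(f"not writable by this user: {path}")
        if stat.S_IMODE(os.stat(path).st_mode) & stat.S_IWOTH:
            problems.append(f"world-writable: {path}")
    return problems


def stanza_mismatches(conf_text: str, stanza: str, expected: dict) -> list:
    """Compare a conf stanza to expected values exactly; case-only diffs get their own note."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case as written
    parser.read_string(conf_text)
    if not parser.has_section(stanza):
        return [f"stanza [{stanza}] not found"]
    findings = []
    for key, want in expected.items():
        if not parser.has_option(stanza, key):
            findings.append(f"{key}: missing")
            continue
        got = parser.get(stanza, key)
        if got == want:
            continue
        if got.lower() == want.lower():
            findings.append(f"{key}: {got!r} differs from {want!r} only by case (values are case sensitive)")
        else:
            findings.append(f"{key}: {got!r} does not match {want!r}")
    return findings


# Constructed sample stanza (hypothetical key names) echoing the thread's values.
SAMPLE_CONF = """\
[cp_fw]
opsec_app_name = Splunk-LEA
sic_cert_file = splunk.pl2
lea_server_ip = 192.168.20.1
"""
EXPECTED = {"opsec_app_name": "splunk-lea", "sic_cert_file": "splunk.p12",
            "lea_server_ip": "192.168.20.1"}


def demo_layout_check() -> list:
    """Constructed throw-away app tree: a chmod 777 local/ and no certs/ at all."""
    root = tempfile.mkdtemp()
    local = os.path.join(root, "local")
    os.mkdir(local)
    os.chmod(local, 0o777)
    return check_app_layout(root)


if __name__ == "__main__":
    for name in ("splunk-lea", "splunklea"):
        print(name, "ok" if opsec_app_name_ok(name) else "has special characters")
    for cert in ("splunk.pl2", "splunk.p12"):
        print(cert_filename_issue(cert) or f"{cert}: ok")
    for line in stanza_mismatches(SAMPLE_CONF, "cp_fw", EXPECTED) + demo_layout_check():
        print(line)
```

To use it against a real install, point check_app_layout at $SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea and feed stanza_mismatches the contents of local/opseclea_connection.conf with your own stanza name and key names; run it as the same account splunkd runs as, so that the writability check reflects what the add-on will actually see.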