Splunk Add-on for Check Point LEA OPSEC Linux: Logs are getting indexed, but why am I getting no results from searches?

rafaelqueiroz
Explorer

Hello, I am using the Add-on for Check Point OPSEC LEA Linux, but I'm having problems searching the indexed logs in Splunk. The data is indexed, and the license and indexing report show activity, but when searching this data I cannot get results.

I'm seeing the following errors in Splunk:

10-30-2014 14:57:19.532 -0200 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity SplunkLEA" /bin/sh: /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh: No such file or directory

10-30-2014 14:57:19.532 -0200 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity SplunkLEA" /bin/sh: /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh: No such file or directory

10-31-2014 09:20:49.216 -0200 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity SplunkLEA" sh: ![CDATA[1386266990@SplunkLEA: No such file or directory

The variable $SPLUNK_HOME is working properly.

tskinnerivsec
Contributor

If this scripted input isn't working, then the data in question is not in index=checkpoint_lea, so it is not indexed yet. Is the certificate from the Check Point management station in the path ./certs and named SplunkLEA.p12? Can you test network communication on port 18185 between the Splunk server and the management station? You should be able to look on the Check Point management station and verify that you see successful logons from Splunk. You need to verify that you have the correct opsec_entity_sic_name and opsec_sic_name. I remember there being some library dependencies that the script required as well. You can manually run the script from the operating system of the Splunk server to verify that it operates correctly. You should also verify whether the /etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh file exists or not, because that is what this error is complaining about.

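The checks in the answer above (script present and executable, certificate where opsec.conf points, SIC names consistent, shared-library dependencies resolvable, TCP/18185 reachable) can be scripted so they run in one pass on the Splunk host. The following is an added example, not code from the add-on or from the original thread. It assumes the standard app layout ($SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22 with local/inputs.conf, local/opsec.conf, bin/ and certs/), that a relative opsec_sslca_file such as ../certs/SplunkLEA.p12 is resolved from bin/ where the wrapper runs, that nc is available for the port test, and that comparing the part of both SIC names after the first comma is a reasonable sanity check (a heuristic, not a Check Point rule):

```shell
#!/bin/sh
# Sanity checks for a Splunk_TA_opseclea_linux22 scripted input.
# Added example; layout, stanza name and the SIC-name heuristic are assumptions.

# Extract the script path from the [script://...] stanza of inputs.conf,
# dropping any arguments (e.g. "--configentity SplunkLEA").
script_path_from_inputs() {   # script_path_from_inputs INPUTS_CONF
    sed -n 's/^\[script:\/\/\([^] ]*\).*$/\1/p' "$1" | head -n 1
}

# Read one key from one stanza of a Splunk .conf file (first match wins).
conf_value() {   # conf_value FILE STANZA KEY
    sed -n "/^\[$2\]/,/^\[/p" "$1" \
      | sed -n "s/^[[:space:]]*$3[[:space:]]*=[[:space:]]*//p" \
      | sed 's/[[:space:]]*$//' | head -n 1
}

# The symptom in the thread: ExecProcessor cannot find the script at all.
check_script() {   # check_script PATH
    [ -f "$1" ] || { echo "MISSING: $1"; return 1; }
    [ -x "$1" ] || { echo "NOT EXECUTABLE: $1"; return 1; }
    echo "ok: $1"
}

# opsec_sslca_file is taken relative to the directory holding the script
# (assumption based on the posted value "../certs/SplunkLEA.p12").
check_cert() {   # check_cert SCRIPT_PATH OPSEC_CONF STANZA
    rel=$(conf_value "$2" "$3" opsec_sslca_file)
    [ -n "$rel" ] || { echo "MISSING: opsec_sslca_file not set in [$3]"; return 1; }
    case "$rel" in
        /*) cert="$rel" ;;
        *)  cert="$(dirname "$1")/$rel" ;;
    esac
    [ -f "$cert" ] || { echo "MISSING: certificate $cert"; return 1; }
    echo "ok: certificate $cert"
}

# Both SIC names must be set and should name the same management domain
# (everything after the first comma), compared case-insensitively because
# the posted config mixes "o=" and "O=".  Heuristic, not a Check Point rule.
check_sic_names() {   # check_sic_names OPSEC_CONF STANZA
    entity=$(conf_value "$1" "$2" opsec_entity_sic_name)
    self=$(conf_value "$1" "$2" opsec_sic_name)
    [ -n "$entity" ] && [ -n "$self" ] || { echo "MISSING: SIC name(s) in [$2]"; return 1; }
    ed=$(printf '%s' "${entity#*,}" | tr 'A-Z' 'a-z')
    sd=$(printf '%s' "${self#*,}" | tr 'A-Z' 'a-z')
    [ "$ed" = "$sd" ] || { echo "MISMATCH: $entity vs $self"; return 1; }
    echo "ok: SIC names share domain $ed"
}

# LEA over SSLCA authenticates to TCP/18185 on the management server.
check_port() {   # check_port HOST PORT
    if nc -z -w 3 "$1" "$2" >/dev/null 2>&1; then
        echo "ok: $1:$2 reachable"
    else
        echo "UNREACHABLE: $1:$2"; return 1
    fi
}

# Library dependencies: flag any ELF binary in bin/ with an unresolved library.
check_deps() {   # check_deps BIN_DIR
    status=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        file "$f" 2>/dev/null | grep -q ELF || continue
        if ldd "$f" 2>/dev/null | grep -q 'not found'; then
            echo "MISSING LIB: $f"; ldd "$f" | grep 'not found'; status=1
        fi
    done
    return $status
}

run_checks() {   # run_checks APP_DIR STANZA
    inputs="$1/local/inputs.conf"; opsec="$1/local/opsec.conf"
    script=$(script_path_from_inputs "$inputs")
    [ -n "$script" ] || { echo "no [script://...] stanza in $inputs"; return 1; }
    rc=0
    check_script "$script" || rc=1
    check_cert "$script" "$opsec" "$2" || rc=1
    check_sic_names "$opsec" "$2" || rc=1
    check_deps "$(dirname "$script")" || rc=1
    check_port "$(conf_value "$opsec" "$2" lea_server_ip)" \
               "$(conf_value "$opsec" "$2" lea_server_auth_port)" || rc=1
    return $rc
}

# Usage: sh lea_checks.sh /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22 SplunkLEA
if [ $# -eq 2 ]; then run_checks "$1" "$2"; fi
```

Run it as the user splunkd runs under (splunk-system-user in the posted inputs.conf), since a script that root can see but the Splunk user cannot produces the same "No such file or directory" from /bin/sh.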

Chubbybunny
Splunk Employee

Perhaps an issue with the script or conf settings.

Can you post the contents of $SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/local/inputs.conf and $SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/local/opsec.conf?

rafaelqueiroz
Explorer

# cat $SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/local/inputs.conf
[script:///opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity SplunkLEA]
disabled = 0
interval = 30
passAuth = splunk-system-user
sourcetype = opsec
index = checkpoint_lea

# cat /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/local/opsec.conf
[SplunkLEA]
collect_audit = 0
fw_version = 75.4
is_disabled = 0
lea_server_auth_port = 18185
lea_server_auth_type = sslca
lea_server_ip = x.x.x.x
no_resolve = 1
opsec_entity_sic_name = cn=cp_mgmt,o=EGFWD01..zmib56
opsec_sic_name = CN=SplunkLEA,O=EGFWD01..zmib56
opsec_sslca_file = ../certs/SplunkLEA.p12
disabled = 0


Chubbybunny
Splunk Employee

Both appear to be properly configured. Please open a Support case and provide a diag for further analysis.
