Splunk Add-on for Check Point OPSEC LEA "ERROR: unable to get splunk lea config arguments(get_fw1_logfiles)"

Engager

Hi!

This works:

./lea-loggrabber-debug.sh  --configentity CP

This does not:

./lea-loggrabber.sh --configentity CP

Message:

ERROR: unable to get splunk lea config arguments(get_fw1_logfiles)

In Splunk GUI the "last connection" state will never show anything else than Never Connected.

This is running on a minimal Centos 7 host with indexer clustering.

Here is the opsec.conf file:

[CP]
fw_version = 77
is_disabled = 0
lea_server_auth_port = 18184
lea_server_auth_type = sslca
lea_server_ip = 10.10.102.12
mode = fw
online_mode = 1
#some parts are left out here, I know they work though. 

opsec.log:

2015-10-17 21:58:09,963 [INFO] [<string>] remoteRequestHandler: params: {'output_mode': u'json', '': u'servicesNS/admin/Splunk_TA_opseclea_linux22/configs/conf-inputs/script:///opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity MFACP', '_': u'1445111873118', 'targetHost': u'localhost'}
2015-10-17 21:58:09,963 [INFO] [<string>] remoteRequestHandler: qs: output_mode=json&targetHost=localhost&_=1445111873118
2015-10-17 21:58:09,963 [INFO] [<string>] remoteRequestHandler: qs: output_mode=json&targetHost=localhost&_=1445111873118
2015-10-17 21:58:09,963 [INFO] [<string>] query arg:output_mode
2015-10-17 21:58:09,963 [INFO] [<string>] query arg:_
2015-10-17 21:58:09,963 [INFO] [<string>] query arg:targetHost
2015-10-17 21:58:09,963 [INFO] [<string>] query args dict: {'output_mode': 'json', 'targetHost': 'localhost'}
2015-10-17 21:58:09,963 [INFO] [<string>] remote_request: no_cache: False
2015-10-17 21:58:09,964 [INFO] [<string>] remote_request: qs: {'output_mode': 'json', 'targetHost': 'localhost'}
2015-10-17 21:58:09,964 [INFO] [<string>] remote_request: postargs: None
2015-10-17 21:58:09,964 [INFO] [<string>] remote: fetch all uri: /servicesNS/admin/Splunk_TA_opseclea_linux22/configs/conf-inputs/script%3A%252F%252F%252Fopt%252Fsplunk%252Fetc%252Fapps%252FSplunk_TA_opseclea_linux22%252Fbin%252Flea-loggrabber.sh%20--configentity%20MFACP?output_mode=json&count=0&sort_mode=natural&offset=0
2015-10-17 21:58:09,964 [INFO] [<string>] remote_request: targetHost: localhost
2015-10-17 21:58:09,964 [INFO] [<string>] Requesting from peers: ['localhost']
2015-10-17 21:58:09,964 [INFO] [cached.py] cache key: ('eAfSfXA3274WMz^C_ARN8w224QnRKJmTx5A2sjhXLfboyNtCMeNfEFHS^x49BIvpllQsi_uCyx0hTLNKqkQAZ2CTbm25LCiWuS5XpM5iPsDxqq5Ns6ivYM_AXe21LFIc6gZXY8L', ('/servicesNS/admin/Splunk_TA_opseclea_linux22/configs/conf-inputs/script%3A%252F%252F%252Fopt%252Fsplunk%252Fetc%252Fapps%252FSplunk_TA_opseclea_linux22%252Fbin%252Flea-loggrabber.sh%20--configentity%20MFACP?output_mode=json&count=0&sort_mode=natural&offset=0', 'localhost', True))
2015-10-17 21:58:09,964 [INFO] [cached.py] caching data (cache miss)
2015-10-17 21:58:09,964 [INFO] [peer.py] peer: uri: /servicesNS/admin/Splunk_TA_opseclea_linux22/configs/conf-inputs/script%3A%252F%252F%252Fopt%252Fsplunk%252Fetc%252Fapps%252FSplunk_TA_opseclea_linux22%252Fbin%252Flea-loggrabber.sh%20--configentity%20MFACP?output_mode=json&count=0&sort_mode=natural&offset=0
2015-10-17 21:58:09,964 [INFO] [peer.py] peer: postargs: None
2015-10-17 21:58:09,964 [INFO] [peer.py] peer: body: None
2015-10-17 21:58:09,964 [INFO] [peer.py] peer: method: GET
2015-10-17 21:58:09,970 [INFO] [peer.py] peer: nEntries: 1
2015-10-17 21:58:09,971 [INFO] [<string>] sort params {'output_mode': 'json'}
2015-10-17 21:58:09,971 [INFO] [<string>] sorting by name
2015-10-17 21:58:09,971 [INFO] [<string>] 1 entries
2015-10-17 21:58:09,971 [INFO] [<string>] start: 0, end: 30
2015-10-17 21:58:09,979 [INFO] [<string>] remoteRequestHandler: params: {'output_mode': u'json', 'host': u'osludfw01', 'passAuth': u'splunk-system-user', 'index': u'CP', '': u'servicesNS/admin/Splunk_TA_opseclea_linux22/configs/conf-inputs/script:///opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity MFACP', 'interval': u'30', 'sourcetype': u'opsec', 'disabled': u'1', 'targetHost': u'localhost'}
2015-10-17 21:58:09,980 [INFO] [<string>] remoteRequestHandler: qs:
2015-10-17 21:58:09,980 [INFO] [<string>] remote_request: no_cache: False
2015-10-17 21:58:09,980 [INFO] [<string>] remote_request: qs: {'output_mode': 'json'}
2015-10-17 21:58:09,980 [INFO] [<string>] remote_request: postargs: {'host': 'osludfw01', 'passAuth': 'splunk-system-user', 'index': 'CP', 'interval': '30', 'sourcetype': 'opsec', 'disabled': '1', 'targetHost': 'localhost'}
2015-10-17 21:58:09,980 [INFO] [<string>] remote: fetch all uri: /servicesNS/admin/Splunk_TA_opseclea_linux22/configs/conf-inputs/script%3A%252F%252F%252Fopt%252Fsplunk%252Fetc%252Fapps%252FSplunk_TA_opseclea_linux22%252Fbin%252Flea-loggrabber.sh%20--configentity%20MFACP?output_mode=json&count=0&sort_mode=natural&offset=0
2015-10-17 21:58:09,980 [INFO] [<string>] remote_request: targetHost: localhost
2015-10-17 21:58:09,980 [INFO] [<string>] Requesting from peers: ['localhost']
2015-10-17 21:58:09,980 [INFO] [<string>] flush cache
2015-10-17 21:58:09,980 [INFO] [peer.py] flushPeer: localhost
2015-10-17 21:58:09,980 [INFO] [peer.py] done flushing peer
2015-10-17 21:58:09,980 [INFO] [cached.py] Not using cache
2015-10-17 21:58:09,981 [INFO] [peer.py] peer: uri: /servicesNS/admin/Splunk_TA_opseclea_linux22/configs/conf-inputs/script%3A%252F%252F%252Fopt%252Fsplunk%252Fetc%252Fapps%252FSplunk_TA_opseclea_linux22%252Fbin%252Flea-loggrabber.sh%20--configentity%20MFACP?output_mode=json&count=0&sort_mode=natural&offset=0
2015-10-17 21:58:09,981 [INFO] [peer.py] peer: postargs: {'host': 'osludfw01', 'interval': '30', 'passAuth': 'splunk-system-user', 'index': 'CP', 'sourcetype': 'opsec', 'disabled': '1'}
2015-10-17 21:58:09,981 [INFO] [peer.py] peer: body: None
2015-10-17 21:58:09,981 [INFO] [peer.py] peer: method: POST
2015-10-17 21:58:09,988 [INFO] [peer.py] peer: nEntries: 1
2015-10-17 21:58:09,998 [INFO] [<string>] remoteRequestHandler: params: {'output_mode': u'json', '': u'servicesNS/admin/Splunk_TA_opseclea_linux22/data/inputs/script/_reload', 'targetHost': u'localhost'}
2015-10-17 21:58:09,998 [INFO] [<string>] remoteRequestHandler: qs:
2015-10-17 21:58:09,998 [INFO] [<string>] remote_request: no_cache: False
2015-10-17 21:58:09,998 [INFO] [<string>] remote_request: qs: {'output_mode': 'json'}
2015-10-17 21:58:09,998 [INFO] [<string>] remote_request: postargs: {'targetHost': 'localhost'}
2015-10-17 21:58:09,998 [INFO] [<string>] remote: fetch all uri: /servicesNS/admin/Splunk_TA_opseclea_linux22/data/inputs/script/_reload?output_mode=json&count=0&sort_mode=natural&offset=0
2015-10-17 21:58:09,998 [INFO] [<string>] remote_request: targetHost: localhost
2015-10-17 21:58:09,998 [INFO] [<string>] Requesting from peers: ['localhost']
2015-10-17 21:58:09,999 [INFO] [<string>] flush cache
2015-10-17 21:58:09,999 [INFO] [peer.py] flushPeer: localhost
2015-10-17 21:58:09,999 [INFO] [peer.py] done flushing peer
2015-10-17 21:58:09,999 [INFO] [cached.py] Not using cache
2015-10-17 21:58:09,999 [INFO] [peer.py] peer: uri: /servicesNS/admin/Splunk_TA_opseclea_linux22/data/inputs/script/_reload?output_mode=json&count=0&sort_mode=natural&offset=0
2015-10-17 21:58:09,999 [INFO] [peer.py] peer: postargs: {}
2015-10-17 21:58:09,999 [INFO] [peer.py] peer: body: None
2015-10-17 21:58:09,999 [INFO] [peer.py] peer: method: POST
2015-10-17 21:58:10,011 [INFO] [peer.py] peer: nEntries: 0
2015-10-17 21:58:10,011 [INFO] [<string>] 0 entries
2015-10-17 21:58:10,011 [INFO] [<string>] start: 0, end: 30
2015-10-17 21:58:10,529 [INFO] [<string>] remoteRequestHandler: params: {'output_mode': u'json', 'count': u'-1', '_': u'1445111890178', '': u'servicesNS/admin/Splunk_TA_opseclea_linux22/opsec/getScriptedInputPath'}
2015-10-17 21:58:10,530 [INFO] [<string>] remoteRequestHandler: qs: output_mode=json&count=-1&_=1445111890178
2015-10-17 21:58:10,530 [INFO] [<string>] remoteRequestHandler: qs: output_mode=json&count=-1&_=1445111890178
2015-10-17 21:58:10,530 [INFO] [<string>] query arg:output_mode
2015-10-17 21:58:10,530 [INFO] [<string>] query arg:count
2015-10-17 21:58:10,530 [INFO] [<string>] query arg:_
2015-10-17 21:58:10,530 [INFO] [<string>] query args dict: {'output_mode': 'json', 'count': '-1'}
2015-10-17 21:58:10,530 [INFO] [<string>] remote_request: no_cache: False
2015-10-17 21:58:10,530 [INFO] [<string>] remote_request: qs: {'output_mode': 'json', 'count': '-1'}
2015-10-17 21:58:10,530 [INFO] [<string>] remote_request: postargs: None
2015-10-17 21:58:10,530 [INFO] [<string>] remote: fetch all uri: /servicesNS/admin/Splunk_TA_opseclea_linux22/opsec/getScriptedInputPath?output_mode=json&count=0&sort_mode=natural&offset=0
2015-10-17 21:58:10,539 [INFO] [<string>] Requesting from peers: ['localhost']
2015-10-17 21:58:10,540 [INFO] [cached.py] cache key: ('eAfSfXA3274WMz^C_ARN8w224QnRKJmTx5A2sjhXLfboyNtCMeNfEFHS^x49BIvpllQsi_uCyx0hTLNKqkQAZ2CTbm25LCiWuS5XpM5iPsDxqq5Ns6ivYM_AXe21LFIc6gZXY8L', ('/servicesNS/admin/Splunk_TA_opseclea_linux22/opsec/getScriptedInputPath?output_mode=json&count=0&sort_mode=natural&offset=0', 'localhost', True))
2015-10-17 21:58:10,540 [INFO] [cached.py] caching data (cache miss)
2015-10-17 21:58:10,540 [INFO] [peer.py] peer: uri: /servicesNS/admin/Splunk_TA_opseclea_linux22/opsec/getScriptedInputPath?output_mode=json&count=0&sort_mode=natural&offset=0
2015-10-17 21:58:10,540 [INFO] [peer.py] peer: postargs: None
2015-10-17 21:58:10,540 [INFO] [peer.py] peer: body: None
2015-10-17 21:58:10,540 [INFO] [peer.py] peer: method: GET
2015-10-17 21:58:10,707 [INFO] [peer.py] peer: nEntries: 1
2015-10-17 21:58:10,708 [INFO] [<string>] sort params {'output_mode': 'json', 'count': '-1'}
2015-10-17 21:58:10,708 [INFO] [<string>] sorting by name
2015-10-17 21:58:10,708 [INFO] [<string>] 1 entries
2015-10-17 21:58:10,708 [INFO] [<string>] start: 0, end: -1
2015-10-17 21:58:10,708 [INFO] [<string>] cannot paginate this endpoint
2015-10-17 21:58:10,806 [INFO] [<string>] remoteRequestHandler: params: {'output_mode': u'json', 'count': u'-1', '_': u'1445111890198', 'search': u'name=*configentity*', '': u'servicesNS/admin/Splunk_TA_opseclea_linux22/configs/conf-inputs'}
2015-10-17 21:58:10,806 [INFO] [<string>] remoteRequestHandler: qs: output_mode=json&count=-1&search=name%3D*configentity*&_=1445111890198
2015-10-17 21:58:10,806 [INFO] [<string>] remoteRequestHandler: qs: output_mode=json&count=-1&search=name%3D*configentity*&_=1445111890198
2015-10-17 21:58:10,806 [INFO] [<string>] query arg:output_mode
2015-10-17 21:58:10,807 [INFO] [<string>] query arg:count
2015-10-17 21:58:10,807 [INFO] [<string>] query arg:_
2015-10-17 21:58:10,807 [INFO] [<string>] query arg:search
2015-10-17 21:58:10,807 [INFO] [<string>] query args dict: {'output_mode': 'json', 'count': '-1', 'search': 'name=*configentity*'}

Engager

I'm working with Splunk support right now to figure this out. I will let you know what I figure out.

Splunk Employee

If the add-on can't get configuration from the Splunk server, that's highly likely to be permissions or timeout, with name resolution as a distant third. If you can rule those three out, it might be worth a support ticket.

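The three causes named in the reply above (permissions, timeout, name resolution) can be checked from the host running the add-on. The script below is an added example and is not part of the Splunk_TA_opseclea add-on or anyone's post; it also checks that the `--configentity` value names a stanza in opsec.conf, which is worth doing because the posted opsec.log shows the scripted input configured with `--configentity MFACP` while the stanza posted is `[CP]`. The bin path is the one in the log; the management port 8089, the `local/opsec.conf` location and the sample stanza are assumptions or constructed from the question.

```python
"""Pre-flight checks for a Splunk OPSEC LEA scripted input (added example,
not the add-on's own code). Paths other than the bin path seen in the
posted log, and the management port, are assumptions."""
import configparser
import os
import socket
import ssl
import stat
import urllib.error
import urllib.request

# Keys present in the [CP] stanza posted in the question; treated as the minimum.
REQUIRED_KEYS = ("fw_version", "is_disabled", "lea_server_auth_port",
                 "lea_server_auth_type", "lea_server_ip", "mode", "online_mode")

# Constructed sample mirroring the stanza posted in the question.
SAMPLE_OPSEC_CONF = """
[CP]
fw_version = 77
is_disabled = 0
lea_server_auth_port = 18184
lea_server_auth_type = sslca
lea_server_ip = 10.10.102.12
mode = fw
online_mode = 1
#some parts are left out here
"""


def check_configentity(conf_text, entity):
    """Return problems with stanza `entity`; an empty list means it looks usable."""
    cp = configparser.RawConfigParser(strict=False, inline_comment_prefixes=("#",))
    cp.read_string(conf_text)
    if not cp.has_section(entity):
        present = ", ".join(cp.sections()) or "none"
        return ["no [%s] stanza; stanzas present: %s" % (entity, present)]
    problems = ["missing key %s" % k for k in REQUIRED_KEYS if not cp.has_option(entity, k)]
    if cp.has_option(entity, "is_disabled") and cp.get(entity, "is_disabled").strip() != "0":
        problems.append("stanza is disabled (is_disabled != 0)")
    if cp.has_option(entity, "lea_server_auth_port"):
        port = cp.get(entity, "lea_server_auth_port").strip()
        if not port.isdigit() or not 0 < int(port) < 65536:
            problems.append("lea_server_auth_port %r is not a valid TCP port" % port)
    return problems


def check_script_permissions(script_path):
    """Problems that would stop the user running splunkd from executing the input."""
    if not os.path.isfile(script_path):
        return ["%s does not exist" % script_path]
    problems = []
    if not os.stat(script_path).st_mode & stat.S_IXUSR:
        problems.append("%s is not executable by its owner" % script_path)
    if not os.access(script_path, os.R_OK | os.X_OK):
        problems.append("current user cannot read and execute %s" % script_path)
    return problems


def check_name_resolution(host):
    """Fail fast if the host the add-on talks to does not resolve."""
    try:
        socket.getaddrinfo(host, None)
    except socket.gaierror as exc:
        return ["cannot resolve %s: %s" % (host, exc)]
    return []


def check_rest(host="localhost", port=8089, timeout=5):
    """Reach splunkd's management port within a bounded timeout.

    Splunk ships a self-signed certificate, so verification is disabled here
    only to test reachability. An HTTP 401 on this unauthenticated request
    still proves splunkd answered, so it counts as success."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    url = "https://%s:%d/services/server/info" % (host, port)
    try:
        urllib.request.urlopen(url, timeout=timeout, context=ctx)
    except urllib.error.HTTPError as exc:
        return [] if exc.code == 401 else ["%s returned HTTP %d" % (url, exc.code)]
    except (urllib.error.URLError, OSError) as exc:  # includes socket.timeout
        return ["%s unreachable within %ss: %s" % (url, timeout, exc)]
    return []


def run_all(entity, conf_path, script_path, mgmt_host="localhost", mgmt_port=8089):
    """Run every check and return {check_name: [problems]}."""
    with open(conf_path) as fh:
        conf_text = fh.read()
    return {
        "configentity": check_configentity(conf_text, entity),
        "permissions": check_script_permissions(script_path),
        "name_resolution": check_name_resolution(mgmt_host),
        "rest": check_rest(mgmt_host, mgmt_port),
    }


if __name__ == "__main__":
    import sys
    entity = sys.argv[1] if len(sys.argv) > 1 else "CP"
    app = "/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22"  # bin path from the posted log
    # local/opsec.conf is an assumed location for the stanza posted in the question.
    results = run_all(entity, app + "/local/opsec.conf", app + "/bin/lea-loggrabber.sh")
    for name, problems in results.items():
        print("%-16s %s" % (name, "OK" if not problems else "; ".join(problems)))
```

Run it as the same user splunkd runs as, with the same `--configentity` value the inputs.conf stanza passes, so the permission and stanza checks see exactly what the scheduled input sees.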

Engager

I'm in the same boat on this one. The interesting thing is that using the debug version of the lea-loggrabber, it connects fine and I can see events that it is pulling. But when I try to run the normal version of lea-loggrabber, it gives me that specific error you were getting:
ERROR: unable to get splunk lea config arguments(get_fw1_logfiles)
I've been unable to figure out what the difference is between the debug version and the normal version that would cause this.


Communicator

Hi, have you found a solution? I got exactly the same error.
Thanks.

Olivier.


Path Finder

How did you resolve the issue?