checkpoint lea-loggrabber app not working most of the time

Engager

The lea-loggrabber app doesn't work most of the time: it lets the connection be created, but the final step, the Submit button, doesn't seem to work, i.e. most of the time the final Submit button becomes un-clickable, or if clicked does not create the connection; the connection window stays blank and asks you to create a new connection. When checked in the app on the server, only an opsec.conf is created under /local with no other file, and the same connection will also not let you create a new connection with the same name.
Also, sometimes the connection does show up after pressing the Submit button, but 'Last Connected' always stays as 'UNKNOWN'.
There are some serious issues with this app, and it becomes very frustrating when trying to set up a Checkpoint connection. Highly disappointed with this app.

Splunk Employee

It sounds like you may not have completed all of the setup steps. The documentation here lists steps that must be completed on the Checkpoint itself. If you had in fact completed those steps, read on.

I've found in my personal experience that the Checkpoint is very twitchy about the case of the options used when connecting. The DN string in particular has to match exactly the case established at the Checkpoint.

Another thing that you can check is whether or not the Checkpoint reports that it has established a trust connection with the Splunk instance. If so, this means that you've been able to retrieve the Checkpoint's cert with the one-time password. The "last connected" showing "UNKNOWN" could further corroborate the wrong case (or wrong password) issue.

I've found that I had to restart Splunk after making changes to the opsec.conf, in order to get the REST-based configs to update properly.

Finally, consider trying the -debug version of the shell scripts. It can go a long way to help you in triaging connection problems with the Checkpoint.
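A small check a practitioner could run before restarting Splunk, as an added example that is not part of this answer or of the app: it parses a connection stanza from a Splunk-style INI opsec.conf, flags SIC DN strings that differ from what the Check Point side reports only in letter case (the exact failure described above), and reports a missing certificate file, which would match the "only an opsec.conf, no other file" symptom. The stanza layout and key names (`opsec_sic_name`, `lea_server_opsec_entity_sic_name`, `opsec_sslca_file`, modelled on the classic OPSEC lea.conf keys) are assumptions; adjust them to the keys your app actually writes. The sample configuration is constructed.

```python
"""Sanity checks for an OPSEC LEA connection stanza in a Splunk-style opsec.conf.

Added example, not the app's own code. The key names below are assumed
(modelled on OPSEC lea.conf keys); change them to match your app's file.
"""
import configparser
import os

# Constructed sample stanza. The client SIC name is written in lower case;
# the expected value used in the test below differs only in case.
SAMPLE_CONF = """
[checkpoint_mgmt]
lea_server_ip = 192.0.2.10
lea_server_auth_port = 18184
opsec_sic_name = cn=splunk_lea,o=mgmt..abc123
lea_server_opsec_entity_sic_name = cn=cp_mgmt,o=mgmt..abc123
opsec_sslca_file = /opt/splunk/etc/apps/example_app/local/checkpoint_mgmt.p12
"""


def load_conf(text):
    """Parse INI-style conf text (Splunk .conf files use this layout)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return cp


def compare_dn(configured, expected):
    """Classify a DN comparison: 'ok', 'case_mismatch', or 'mismatch'.

    Check Point compares the DN case-sensitively, so a case-only difference
    is reported separately because it is easy to miss by eye.
    """
    if configured == expected:
        return "ok"
    if configured.lower() == expected.lower():
        return "case_mismatch"
    return "mismatch"


def check_stanza(cp, stanza, expected_client_dn, expected_server_dn,
                 file_exists=os.path.isfile):
    """Return a list of human-readable issues for one connection stanza.

    expected_*_dn are the DN strings as shown on the Check Point management
    server. file_exists is injectable so the check can run offline.
    """
    issues = []
    s = cp[stanza]

    for key, expected in (("opsec_sic_name", expected_client_dn),
                          ("lea_server_opsec_entity_sic_name", expected_server_dn)):
        result = compare_dn(s.get(key, ""), expected)
        if result != "ok":
            issues.append(f"{key}: {result}")

    cert = s.get("opsec_sslca_file", "")
    if not cert:
        issues.append("opsec_sslca_file: not set")
    elif not file_exists(cert):
        # Matches the "only opsec.conf under /local" symptom: the cert pull
        # with the one-time password did not complete.
        issues.append(f"opsec_sslca_file: {cert} missing")
    return issues


if __name__ == "__main__":
    conf = load_conf(SAMPLE_CONF)
    for issue in check_stanza(conf, "checkpoint_mgmt",
                              "CN=splunk_lea,O=mgmt..abc123",
                              "cn=cp_mgmt,o=mgmt..abc123"):
        print("PROBLEM:", issue)
```

Run it against the real file with `load_conf(open(path).read())` and the DN strings copied from the management server; an empty list means the stanza is at least consistent before you restart Splunk to reload the REST-based configuration.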

Splunk Employee

Sorry to hear that. Have you considered working with Splunk support to help you through these issues?