LEA Client doesn't connect to Check Point OPSEC LEA Server


I am getting the errors below when I try to make a new connection to a Check Point log server.

My opsec.log:
2015-06-25 03:25:04,408 [ERROR] [] params: {'model': u'{"opsec_host":"","conn_name":"tcxf2-lon_primary","opsec_app_name":"SplunkLea","opsec_key":"$91u^k15"}'}
2015-06-25 03:25:27,508 [ERROR] [] params: {'model': u'{"opsec_host":"","conn_name":"tcxf2-lon_primary","opsec_app_name":"SplunkLea","opsec_key":"$91u^k15"}'}

I went through the system requirements and installed the latest pam and glibc, but that did not resolve my issue. Not sure what I am missing.

[splunk@pucu-spf-44 bin]$ /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/
unknown parameter ../certs/

CheckPoint 2001. Getting an object's certificate. Works once per certificate.

Usage: opsec_pull_cert -h host -n object-name -p passwd [-o cert_file] [-od dn_file]
-p is the one-time-password given in the SmartDashboard when defining this entity.
-o is for the output certificate file. default is "($OPSECDIR/)opsec.p12".
-od is for the output sic name (one line text file).
A relative path filename will be concatenated to OPSECDIR env variable (if exists).

0 Karma

Splunk Employee

Had a similar issue the other week, and was able to resolve it by installing the Check Point database after creating the SplunkLEA OPSEC app.

0 Karma


Did you provide the details below correctly to pull a certificate?

  1. Type the OPSEC App Name, for example SplunkLEA
  2. Type the One-time Password
  3. Type the Management Server IP address.

Connection name : LEA10.95.3.6
Log Server IP :
Log Server Port : 18184
Version : choose your device version

Once the certificate is pulled, it is stored under the .p12 file.

Note: If you receive an error message, this might be because you are attempting to pull the same certificate for the same Connection Name, using an invalid password or IP address, or the connection to the server is down. For additional error details, see $SPLUNK_HOME/var/log/splunk/web_service.log.

0 Karma


Hope you are using a heavy forwarder installed with "Splunk add-on for checkpoint OPSEC lea".

Are you able to successfully create a new connection entry in the app "Splunk add-on for checkpoint OPSEC lea"?

Provide the SIC Name & Entity SIC name correctly when you add a new connection instance. On successful creation, you will see the Last Updated column getting populated with the latest time.

0 Karma


Yes, heavy forwarder for sure.

This is the error when I try to create a new connection; it does not even create the connection successfully. I use "i need to get new certificates", so I am not being asked to enter SIC Name & Entity SIC name.

0 Karma
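
Added example, not part of the original thread or the add-on's own code: a small checker for opsec.log `params:` records in the format posted above. It flags empty fields that `opsec_pull_cert` needs (the mapping of `opsec_host`, `opsec_app_name` and `opsec_key` to `-h`, `-n` and `-p` is an assumption) and masks the one-time password so a record can be shared; the sample lines are constructed.

```python
import ast
import json
import re

# Assumed mapping to opsec_pull_cert arguments: -h host, -n object-name, -p passwd.
REQUIRED = ("opsec_host", "opsec_app_name", "opsec_key")
SECRET_FIELDS = ("opsec_key",)  # one-time password: never share in clear
LINE_RE = re.compile(r"^(\S+ \S+) \[(\w+)\] \[[^\]]*\] params: (\{.*\})\s*$")

# Constructed sample in the format shown in the thread (all values are made up).
SAMPLE_LOG = r'''2015-01-01 10:00:00,100 [ERROR] [] params: {'model': u'{"opsec_host":"","conn_name":"lea-primary","opsec_app_name":"SplunkLEA","opsec_key":"constructed-otp"}'}
2015-01-01 10:05:00,200 [ERROR] [] params: {'model': u'{"opsec_host":"192.0.2.10","conn_name":"lea-primary","opsec_app_name":"SplunkLEA","opsec_key":"constructed-otp"}'}
2015-01-01 10:06:00,300 [INFO] [] unrelated line
'''

def check_line(line):
    """Parse one params record; return None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        outer = ast.literal_eval(m.group(3))  # Python repr: {'model': u'<json>'}
        model = json.loads(outer["model"])    # the submitted form fields as JSON
    except (ValueError, SyntaxError, KeyError, TypeError):
        return None
    if not isinstance(model, dict):
        return None
    # A field counts as missing when it is absent, empty or whitespace only.
    missing = [f for f in REQUIRED if not str(model.get(f) or "").strip()]
    # Mask secrets that are present so the record is safe to paste elsewhere.
    redacted = {k: "<redacted>" if k in SECRET_FIELDS and v else v
                for k, v in model.items()}
    return {"time": m.group(1), "level": m.group(2),
            "missing": missing, "model": redacted}

def audit(log_text):
    """Return one finding per params record found in the log text."""
    return [r for r in map(check_line, log_text.splitlines()) if r]

if __name__ == "__main__":
    for rec in audit(SAMPLE_LOG):
        status = ("missing: " + ", ".join(rec["missing"])
                  if rec["missing"] else "required fields present")
        print(rec["time"], rec["level"], status, json.dumps(rec["model"]))
```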