- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Re: LEA Client doesn't connect to Check Point OPSE...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
LEA Client doesn't connect to Check Point OPSEC LEA Server
I am getting the errors below when i try to made a new connection to a checkpoint log server
my opsec.log
2015-06-25 03:25:04,408 [ERROR] [] params: {'model': u'{"opsec_host":"10.95.3.6","conn_name":"tcxf2-lon_primary","opsec_app_name":"SplunkLea","opsec_key":"$91u^k15"}'}
2015-06-25 03:25:27,508 [ERROR] [] params: {'model': u'{"opsec_host":"10.95.3.6","conn_name":"tcxf2-lon_primary","opsec_app_name":"SplunkLea","opsec_key":"$91u^k15"}'}
i went through the system requirement and installed the latest pam and glibc but that did not resolve my issue. not sure what am i missing
http://docs.splunk.com/Documentation/OPSEC-LEA/3.0.0/Install/Systemrequirements
[splunk@pucu-spf-44 bin]$ /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/pull-cert.sh
unknown parameter ../certs/
CheckPoint 2001. Getting an object's certificate. Works once per certificate.
Usage: opsec_pull_cert -h host -n object-name -p passwd [-o cert_file] [-od dn_file]
-p is the one-time-password given in the SmartDashboard when defining this entity.
-o is for the output certificate file. default is "($OPSECDIR/)opsec.p12".
-od is for the output sic name (one line text file).
A relative path filename will be concatenated to OPSECDIR env variable (if exists).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
had a similar issue the other week, and was able to resolve it by installing the Check Point database after creating the SplunkLEA OPSEC app.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did u provide the below details correctly, to pull a certificate
- Type the OPSEC App Name, for example SplunkLEA
- Type the One-time Password
- Type the Management Server IP address.
eg:
Connection name : LEA10.95.3.6
Log Server IP : 10.95.3.6
Log Server Port ; 18184
Verion : choose you device version
Once , pulled the certificate, it is stored under the .p12 file.
Note: If you receive an error message, this might be because you are attempting to pull the same certificate for the same Connection Name, using an invalid password or IP address, or the connection to the server is down. For additional error details, see $SPLUNK_HOME/var/log/splunk/web_service.log.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hope , you are using heavy forwarder installed with "Splunk add-on for checkpoint OPSEC lea"
are you able to successfully create a new connection entry in the app "Splunk add-on for checkpoint OPSEC lea" ?
Provide the SIC Name & Entity SIC name correctly , while you add a new connection instance. On successful creation , you will see the Last Updated column getting populated with latest time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes, heavy forwarder for sure
this is the error when i try to create new connection- it does not even create the connection sucessfully. i use "i need to get new certificates" so i am not being asked to enter SIC Name & Entity SIC name
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
