Splunk App for Check Point OPSEC LEA - Could not look up HOME variable. Auth tokens cannot be cached

lmyrefelt
Builder

Hi, I have just installed the "new" Splunk App for CheckPoint OPSEC LEA but I am running into some errors ... or at least what I think is an error.

2-11-2013 15:02:12.598 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" Could not look up HOME variable. Auth tokens cannot be cached.
02-11-2013 15:02:12.998 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" Could not look up HOME variable. Auth tokens cannot be cached.
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" splunkd request failed, 404:
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" $SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/splunk_opseclea/opsec/log_status/1@Checkpoint_management_Server
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" QUERYING: 'https://127.0.0.1:8089/servicesNS/nobody/splunk_opseclea/opsec/log_status/1@Checkpoint_management_Se...'
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" FAILED: 'HTTP/1.1 404 Not Found'
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" Content:
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" <?xml version="1.0" encoding="UTF-8"?>
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server"
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server"
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" In handler 'log_status': Could not find object id=1@Checkpoint_management_Server
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server"

02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server"

2-11-2013 15:12:46.121 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" Could not look up HOME variable. Auth tokens cannot be cached.

Anyone who can point me in the right direction? 🙂


yoho
Contributor

The cause of this problem is probably different from user to user.
I had the same issue, and the cause was a bad configuration on my Check Point server (configured opsec_ssl instead of sslca connection type).

To troubleshoot:
1) View $SPLUNK_HOME/etc/apps/splunk_opseclea/local/opesec-entity-health.conf. If the is_connected value is 0, then something is wrong with your connection to the Check Point. You can try to telnet to port 18184 on your Check Point management server.
2) Try to run lea-loggrabber manually. The documentation is not explicit about this, but I found a way:
2.1) Make sure the $SPLUNK_HOME env variable is set correctly.
2.2) Run $SPLUNK_HOME/bin/splunk login
2.3) Copy (into your clipboard) the key (letters and digits only) that is generated in the $HOME/.splunk/ directory.
2.4) Type "yes [paste the key] | $SPLUNK_HOME/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh"
3) You can also browse the app runtime variables using the REST API:
https://serverip:8089/servicesNS/nobody/splunk_opseclea/opsec/log_status
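
An added example (not from the post above or from the Splunk app) that scripts the first checks in the answer: it verifies that HOME and SPLUNK_HOME are set, which the "Could not look up HOME variable" message points at, and reads is_connected for an entity out of a health file. The stanza layout of the health file and the sample contents are assumptions; the port 18184 reachability test stays with telnet as described.

```shell
#!/bin/sh
# Added example, not the Splunk app's own code: preflight checks that mirror
# the troubleshooting steps from the answer for the lea-loggrabber input.

# Return 0 when every variable the grabber needs is present, 1 otherwise.
# A missing HOME produces "Could not look up HOME variable" (no place to
# cache the auth token); SPLUNK_HOME is required for the manual run.
env_check() {
  rc=0
  for v in HOME SPLUNK_HOME; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "missing: $v" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Print the is_connected value for one entity stanza of an
# opsec-entity-health.conf style file ("key = value" lines under a
# "[stanza]" header, an assumed layout), or "missing" when absent.
health_is_connected() {
  conf="$1"
  entity="$2"
  awk -v want="[$entity]" '
    $0 == want { in_stanza = 1; next }
    /^\[/      { in_stanza = 0 }
    in_stanza && /^[[:space:]]*is_connected[[:space:]]*=/ {
      sub(/^[^=]*=[[:space:]]*/, ""); print; found = 1; exit
    }
    END { if (!found) print "missing" }
  ' "$conf"
}

# Constructed sample health file (contents and stanza names are made up).
SAMPLE_CONF="${TMPDIR:-/tmp}/opsec-entity-health.sample.$$"
cat > "$SAMPLE_CONF" <<'EOF'
[Checkpoint_management_Server]
is_connected = 0
last_error = Could not look up HOME variable. Auth tokens cannot be cached.
[Other_Server]
is_connected = 1
EOF

# Report the environment and each entity's connection state.
env_check || echo "fix the environment before running lea-loggrabber.sh" >&2
for e in Checkpoint_management_Server Other_Server Unknown_Server; do
  echo "$e: is_connected=$(health_is_connected "$SAMPLE_CONF" "$e")"
done
```

Point health_is_connected at the real $SPLUNK_HOME/etc/apps/splunk_opseclea/local file and run env_check from the same environment Splunk uses for scripted inputs, since a shell where the variables are set by hand will not reproduce the error.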
