Deployment Architecture

Splunk App for Check Point OPSEC LEA - Could not look up HOME variable. Auth tokens cannot be cached

lmyrefelt
Builder

Hi, I have just installed the "new" Splunk App for Check Point OPSEC LEA but I am running into some errors ... or at least what I think is an error.

2-11-2013 15:02:12.598 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" Could not look up HOME variable. Auth tokens cannot be cached.
02-11-2013 15:02:12.998 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" Could not look up HOME variable. Auth tokens cannot be cached.
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" splunkd request failed, 404:
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" $SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/splunk_opseclea/opsec/log_status/1@Checkpoint_management_Server
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" QUERYING: 'https://127.0.0.1:8089/servicesNS/nobody/splunk_opseclea/opsec/log_status/1@Checkpoint_management_Se...'
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" FAILED: 'HTTP/1.1 404 Not Found'
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" Content:
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" <?xml version="1.0" encoding="UTF-8"?>
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server"
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server"
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" In handler 'log_status': Could not find object id=1@Checkpoint_management_Server
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server"

02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server"

2-11-2013 15:12:46.121 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" Could not look up HOME variable. Auth tokens cannot be cached.

Anyone who can point me in the right direction? 🙂

0 Karma
1 Solution

yoho
Contributor

The cause of this problem is probably different from user to user.
I had the same issue and the cause was a bad configuration on my Check Point server (configured opsec_ssl instead of sslca connection type).

To troubleshoot:
1) View $SPLUNK_HOME/etc/apps/splunk_opseclea/local/opesec-entity-health.conf. If the is_connected value is 0, then something is wrong with your connection to the Check Point. You can try to telnet to port 18184 on your Check Point management server.
2) Try to run lea-loggrabber manually. The documentation is not explicit about this but I found a way:
2.1) Make sure the $SPLUNK_HOME env variable is set correctly
2.2) Run $SPLUNK_HOME/bin/splunk login
2.3) Copy (to your clipboard) the key (only letters & digits) which is generated in the $HOME/.splunk/ directory
2.4) Type "yes [paste the key] | $SPLUNK_HOME/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh"
3) You can also browse the app runtime variables using the REST API:
https://serverip:8089/servicesNS/nobody/splunk_opseclea/opsec/log_status
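
The troubleshooting steps in the accepted answer can be scripted so that the checks are repeatable before anyone touches the Check Point side. The script below is an added example written for this thread; it is not part of the Splunk app and not yoho's code. The function names (opsec_diag_*), the DEMO_* sample files, the assumption that the token cache written by "splunk login" holds the session key as a run of 32 or more letters and digits, and the use of nc for the port 18184 test are all assumptions of this example. The health file and token file it reads are constructed inline so the parsing steps run offline; the network check only runs when CHECKPOINT_MGMT_HOST is set.

```shell
#!/bin/sh
# Added diagnostic helper for the lea-loggrabber errors in this thread.
# Not part of the Splunk app; opsec_diag_* and DEMO_* names are hypothetical.

# 1. The error text itself names HOME, and the manual run in step 2 needs
#    SPLUNK_HOME. Returns 0 when both are set, 1 otherwise, naming the gap.
opsec_diag_env() {
    rc=0
    [ -n "${HOME:-}" ]        || { echo "HOME is not set";        rc=1; }
    [ -n "${SPLUNK_HOME:-}" ] || { echo "SPLUNK_HOME is not set"; rc=1; }
    return $rc
}

# 2. Read is_connected from the app's entity health file (answer step 1).
#    Prints "0" or "1"; prints "missing" when the key is absent.
opsec_diag_is_connected() {
    val=$(sed -n 's/^[[:space:]]*is_connected[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' "$1" | head -n 1)
    echo "${val:-missing}"
}

# 3. Pull the session key out of the token cache directory written by
#    "splunk login" (answer step 2.3). Assumption: the key is the first run of
#    32 or more letters and digits found in a file under that directory.
opsec_diag_session_key() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        key=$(grep -o '[A-Za-z0-9]\{32,\}' "$f" | head -n 1)
        if [ -n "$key" ]; then echo "$key"; return 0; fi
    done
    return 1
}

# 4. TCP reachability of the LEA port (the telnet 18184 test in step 1),
#    using nc with a 5 second timeout; returns nc's exit status.
opsec_diag_port() {
    nc -z -w 5 "$1" "${2:-18184}"
}

# Constructed sample inputs so the parsing checks run offline.
DEMO_DIR=$(mktemp -d)
DEMO_HEALTH="$DEMO_DIR/opsec-entity-health.conf"
DEMO_TOKENS="$DEMO_DIR/.splunk"
mkdir -p "$DEMO_TOKENS"
cat > "$DEMO_HEALTH" <<'EOF'
[Checkpoint_management_Server]
is_connected = 0
last_error = LEA session failed
EOF
# Constructed token file in the shape of an authToken cache (not a real key).
printf '<auth><sessionkey>%s</sessionkey></auth>\n' \
    'f0e1d2c3b4a5968778695a4b3c2d1e0f' > "$DEMO_TOKENS/authToken_localhost_8089"

# Walk the answer's steps against the constructed files.
opsec_diag_env || echo "-> export HOME and SPLUNK_HOME before running lea-loggrabber.sh"
echo "is_connected: $(opsec_diag_is_connected "$DEMO_HEALTH")"
KEY=$(opsec_diag_session_key "$DEMO_TOKENS") || KEY=""
echo "session key:  ${KEY:-not found}"
# Step 2.4, shown rather than executed because this demo has no real install.
[ -n "$KEY" ] && echo "manual run: yes $KEY | \$SPLUNK_HOME/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh"
# Step 1's port test, only when a management host is supplied.
if [ -n "${CHECKPOINT_MGMT_HOST:-}" ]; then
    opsec_diag_port "$CHECKPOINT_MGMT_HOST" && echo "port 18184 reachable on $CHECKPOINT_MGMT_HOST"
fi
```

On a real host, point opsec_diag_is_connected at the app's local health file and opsec_diag_session_key at $HOME/.splunk, and export CHECKPOINT_MGMT_HOST to add the port test. An is_connected of 0 together with an unreachable port 18184 points at the Check Point side (OPSEC application type or firewall rule), while a reachable port with is_connected still 0 points back at the SIC/sslca configuration described in the answer.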

