Splunk App for Check Point OPSEC LEA - Could not look up HOME variable. Auth tokens cannot be cached

Hi, I have just installed the "new" Splunk App for CheckPoint OPSEC LEA, but I am running into some errors ... or at least what I think is an error.

2-11-2013 15:02:12.598 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" Could not look up HOME variable. Auth tokens cannot be cached.
02-11-2013 15:02:12.998 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" Could not look up HOME variable. Auth tokens cannot be cached.
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" splunkd request failed, 404:
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" $SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/splunk_opseclea/opsec/log_status/1@Checkpoint_management_Server
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" QUERYING: 'https://127.0.0.1:8089/servicesNS/nobody/splunk_opseclea/opsec/log_status/1@Checkpoint_management_Se...'
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" FAILED: 'HTTP/1.1 404 Not Found'
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" Content:
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" <?xml version="1.0" encoding="UTF-8"?>
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server"
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server"
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" In handler 'log_status': Could not find object id=1@Checkpoint_management_Server
02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server"

02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server"

2-11-2013 15:12:46.121 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh --configentity Checkpoint_management_Server" Could not look up HOME variable. Auth tokens cannot be cached.

Anyone who can point me in the right direction ? 🙂

Re: Splunk App for Check Point OPSEC LEA - Could not look up HOME variable. Auth tokens cannot be cached

The cause of this problem is probably different from user to user.
I had the same issue and the cause was a bad configuration on my Check Point server (configured opsec_ssl instead of sslca connection type).

To troubleshoot:
1) View $SPLUNK_HOME/etc/apps/splunk_opseclea/local/opesec-entity-health.conf. If isconnected value is 0, then something is wrong with your connection to the checkpoint. You can try to telnet to port 18184 to your Check Point management server.
2) Try to run lea-loggrabber manually. The documentation is not explicit about this but I found a way:
2.1) Make sure $SPLUNK_HOME env variable is set correctly
2.2) Run $SPLUNK_HOME/bin/splunk login
2.3) Copy (in your clipboard) the key (only letters & digits) which is generated in $HOME/.splunk/ directory
2.4) Type "yes [paste the key] | $SPLUNK_HOME/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh"
3) You can also browse the app runtime variables using the REST API:
https://serverip:8089/servicesNS/nobody/splunk_opseclea/opsec/log_status

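To see which of the messages quoted in the question recur for which config entity before working through the steps above, this added example (not part of the original posts or of the app) groups ExecProcessor errors from splunkd.log per entity. The sample lines are constructed in the quoted format; the entity `fw_mgmt_b`, the category names and the function names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the splunkd.log format quoted in the question.
_FMT = ('02-11-2013 15:02:13.214 +0100 ERROR ExecProcessor - message from '
        '"/opt/splunk/etc/apps/splunk_opseclea/bin/lea-loggrabber.sh '
        '--configentity {entity}" {msg}')
SAMPLE = "\n".join([
    _FMT.format(entity="Checkpoint_management_Server",
                msg="Could not look up HOME variable. Auth tokens cannot be cached."),
    _FMT.format(entity="Checkpoint_management_Server",
                msg="Could not look up HOME variable. Auth tokens cannot be cached."),
    _FMT.format(entity="Checkpoint_management_Server", msg="FAILED: 'HTTP/1.1 404 Not Found'"),
    _FMT.format(entity="Checkpoint_management_Server", msg="Content:"),
    _FMT.format(entity="Checkpoint_management_Server",
                msg="In handler 'log_status': Could not find object "
                    "id=1@Checkpoint_management_Server"),
    "02-11-2013 15:02:14.000 +0100 INFO  Metrics - unrelated line",
    _FMT.format(entity="fw_mgmt_b",
                msg="Could not look up HOME variable. Auth tokens cannot be cached."),
])

LINE = re.compile(
    r'^\S+ \S+ \S+ ERROR ExecProcessor - message from '
    r'"(?P<script>[^"\s]+)(?: --configentity (?P<entity>[^"]+))?"\s*(?P<msg>.*)$')

def classify(msg):
    """Map one script message to a category, or None for echo/continuation lines."""
    if "Could not look up HOME variable" in msg:
        return "home_unset"
    status = re.search(r"HTTP/1\.\d (\d{3})", msg)
    if status:
        return "rest_" + status.group(1)
    if "Could not find object id=" in msg:
        return "missing_object"
    return None

def triage(text):
    """Count categorised ExecProcessor errors per --configentity value."""
    counts = defaultdict(Counter)
    for line in text.splitlines():
        m = LINE.match(line)
        kind = classify(m["msg"]) if m else None
        if kind:
            counts[m["entity"] or "-"][kind] += 1
    return {entity: dict(c) for entity, c in counts.items()}

if __name__ == "__main__":
    for entity, kinds in triage(SAMPLE).items():
        print(entity, kinds)
```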