Getting Data In

Checkpoint OPSEC LEA client script

nickstone
Path Finder

Ok, it's late and it's been a fight up until this point, so please forgive me for missing something basic.

I have been following the instructions to integrate Check Point's OPSEC LEA logs into Splunk via the standard Splunk documentation. When I get to the Configuring LEA Client portion, the following error is generated on this script:

./opsec_pull_cert -h 1.1.1.1 -n SplunkLEA -p lameplaintextpw -o newcert.p12

(obviously not the real IP or password 😛 )

-su: ./opsec_pull_cert: No such file or directory

and a similar error when I run through the connection wizard on the GUI:

/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/pull-cert.sh: line 7: ../opsec-tools/opsec_pull_cert: No such file or directory

If I run the same script as sudo, it appears to run without error; however, there is no cert generated.

Any insight is much appreciated...


rebecque
New Member

For RedHat the package names would be glibc.i686 and pam.i686


Jason
Motivator

You're probably running Ubuntu/Debian 64-bit. The app requires 32-bit libraries, but the Splunk docs only tell you how to get them on Red Hat based systems. Try these to get the libraries below. Then you have to symlink a crusty old library (which thankfully the TA supplies) into /lib just to get the thing to run!

apt-get install libc6:i386 libpam0g:i386
ln -s /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/libcpc++-libc6.1-2.so.3 /lib/libcpc++-libc6.1-2.so.3

Evidently this has been causing issues for over 12 years, if that makes you feel any better. Thanks for the crap binary, checkpoint. https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
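A small diagnostic, added here as an example (not part of the TA or of any post in this thread), that tells the two causes of that error apart: a path that really is absent, versus a 32-bit ELF binary whose 32-bit dynamic loader (assumed to be /lib/ld-linux.so.2, overridable through LOADER32) is not installed, which is what makes the kernel report "No such file or directory" for a file that is plainly there. The ELF headers it writes are constructed five-byte stubs for demonstration only.

```shell
#!/bin/sh
# Assumed path of the 32-bit glibc loader; override with LOADER32=... if yours differs.
LOADER32="${LOADER32:-/lib/ld-linux.so.2}"

elf_class() {
    # Print EI_CLASS of an ELF file (1 = 32-bit, 2 = 64-bit), or 0 if not ELF.
    # Byte 4 of the header holds the class; bytes 0-3 are the magic 0x7f 'E' 'L' 'F'.
    set -- $(od -An -tu1 -N5 "$1" 2>/dev/null)
    if [ "$#" -eq 5 ] && [ "$1" = 127 ] && [ "$2" = 69 ] && [ "$3" = 76 ] && [ "$4" = 70 ]; then
        echo "$5"
    else
        echo 0
    fi
}

diagnose_binary() {
    # Print one word naming the likely cause of "No such file or directory" for $1.
    if [ ! -e "$1" ]; then
        echo "missing"                 # the path itself is wrong (e.g. a relative ../opsec-tools path)
        return 0
    fi
    case "$(elf_class "$1")" in
        1)  if [ -e "$LOADER32" ]; then
                echo "elf32-loader-present"   # 32-bit binary and its loader is installed
            else
                echo "elf32-loader-missing"   # the thread's case: install libc6:i386 / glibc.i686
            fi ;;
        2)  echo "elf64" ;;            # native binary; look elsewhere (permissions, wrapper paths)
        *)  echo "not-elf" ;;          # e.g. a shell wrapper such as pull-cert.sh
    esac
}

make_fake_elf() {
    # Write a constructed ELF header stub to $1 with class byte $2 (1 or 2).
    if [ "$2" = 1 ]; then printf '\177ELF\001' > "$1"; else printf '\177ELF\002' > "$1"; fi
}

demo() {
    tmp=$(mktemp -d)
    make_fake_elf "$tmp/fake32" 1
    make_fake_elf "$tmp/fake64" 2
    printf '#!/bin/sh\n' > "$tmp/wrapper.sh"
    for f in "$tmp/fake32" "$tmp/fake64" "$tmp/wrapper.sh" "$tmp/absent"; do
        printf '%s: %s\n' "$f" "$(diagnose_binary "$f")"
    done
    rm -rf "$tmp"
}
demo
```

On a real host, point it at the actual opsec_pull_cert path; "elf32-loader-missing" means the apt-get / yum step above is what you need, while "missing" means the wrapper's relative path is wrong for your working directory.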

ejahnke
Explorer

As of today this answer was still needed, thanks.


araitz
Splunk Employee

Do you have your SPLUNK_ENV set? Have you logged in to Splunk?

 $SPLUNK_HOME/bin/splunk login
 $SPLUNK_HOME/bin/splunk cmd ./opsec_pull_cert

See the troubleshooting section of the docs as well:

http://docs.splunk.com/Documentation/OPSEC-LEA/latest/Install/Runlea-loggrabbermanually


dariusjs
New Member

Hi Nick,

What you seem to be doing is running the script from the wrong location. Find out where that script is installed and then run it.

A nice thing is that if you install this on CentOS you get the locate utility, which will find the script for you if your index is up to date. I am also trying to install this today but am having connectivity issues between the Splunk server and my Check Points for now.

[root@centos-control linux22]# locate opsec_pull_cert
/opt/splunk/etc/apps/lea-loggrabber-splunk/opsec-tools/linux22/opsec_pull_cert
[root@centos-control linux22]# ./opsec_putkey -ssl -port 18184 10.1.1.1
Please enter secret key:
Please enter secret key again:

Failed to initialize authentication with 10.1.1.1

[root@centos-control linux22]#


nickstone
Path Finder

OK, the 32-bit forwarder has helped, and I am now stuck with "Failed to initialize authentication with..."

dariusjs, did you get any further on this?


nickstone
Path Finder

Sorry dariusjs,

I forgot to mention, I am already in the same directory as the script,
i.e.: root@spk01:/opt/splunk/etc/apps/lea-loggrabber-splunk/opsec-tools/linux22#

ls -a:
. .. opsec_pull_cert opsec_putkey
