Getting Data In

Checkpoint OPSEC LEA client script

nickstone
Path Finder

Ok, it's late and it's been a fight up until this point, so please forgive me for missing something basic.

I have been following the instructions to integrate Check Point's OPSEC LEA logs into Splunk via the standard Splunk documentation. When I get to the Configuring LEA Client portion, the following error is generated on this script:

./opsec_pull_cert -h 1.1.1.1 -n SplunkLEA -p lameplaintextpw -o newcert.p12 

(obviously not the real IP or password 😛)

-su: ./opsec_pull_cert: No such file or directory

and a similar error when I run through the connection wizard on the GUI:

/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/pull-cert.sh: line 7: ../opsec-tools/opsec_pull_cert: No such file or directory

If I run the same script as sudo, it appears to run without error; however, there is no cert generated.

Any insight is much appreciated...


rebecque
New Member

For RedHat the package names would be glibc.i686 and pam.i686


Jason
Motivator

You're probably running Ubuntu/Debian 64-bit. The app requires 32-bit libraries, but the Splunk docs only tell you how to get them on Red Hat-based systems. Try these to get the libraries below. Then you have to symlink a crusty old library (which thankfully the TA supplies) into /lib just to get the thing to run!

apt-get install libc6:i386 libpam0g:i386
ln -s /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/libcpc++-libc6.1-2.so.3 /lib/libcpc++-libc6.1-2.so.3

Evidently this has been causing issues for over 12 years, if that makes you feel any better. Thanks for the crap binary, checkpoint. https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
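To make Jason's point about the missing 32-bit loader checkable, here is an added example that is not from the thread, the Splunk TA or Check Point: a POSIX sh script that reads the ELF class byte of a binary, pulls out the dynamic loader path embedded in it, and reports whether that loader exists on the host. The kernel returns "No such file or directory" from execve() when the loader named inside the binary (/lib/ld-linux.so.2 for 32-bit programs) is absent, which is exactly what the 64-bit Ubuntu box does until libc6:i386 is installed. The function names, the verdict strings and the constructed sample file are my own.

```shell
#!/bin/sh
# Added example, not code from the TA or from Check Point: explain the
# "No such file or directory" symptom on a binary that is plainly present.
# execve() returns ENOENT when the ELF interpreter named inside the binary
# does not exist on the host, e.g. a 32-bit binary on a 64-bit system that
# has no /lib/ld-linux.so.2 yet.

# elf_class FILE: print 32, 64 or none. EI_CLASS is the fifth byte of the header.
elf_class() {
    magic=$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    if [ "$magic" != "7f454c46" ]; then
        echo none
        return 1
    fi
    cls=$(dd if="$1" bs=1 skip=4 count=1 2>/dev/null | od -An -tu1 | tr -d ' \n')
    case "$cls" in
        1) echo 32 ;;
        2) echo 64 ;;
        *) echo none; return 1 ;;
    esac
}

# elf_interp FILE: print the dynamic loader path embedded in the binary (the
# PT_INTERP string), found by scanning printable runs; prints nothing for a
# static binary.
elf_interp() {
    tr -c '[:print:]' '\n' < "$1" | grep -m1 -E '^/lib(64)?/ld[-a-z0-9]*\.so\.[0-9]+$' || true
}

# diagnose FILE: one-word verdict: not-elf, static, ok, or missing-interpreter:<path>
diagnose() {
    cls=$(elf_class "$1") || { echo not-elf; return 0; }
    interp=$(elf_interp "$1")
    if [ -z "$interp" ]; then
        echo static
    elif [ -e "$interp" ]; then
        echo ok
    else
        echo "missing-interpreter:$interp"
    fi
}

# Usage (from the opsec-tools directory): sh check_elf.sh ./opsec_pull_cert
# With no argument, run against a constructed 32-bit ELF header that names a
# loader path which does not exist, to show the verdict the symptom maps to.
if [ $# -gt 0 ]; then
    diagnose "$1"
else
    tmp=$(mktemp -d)
    # constructed sample: \177ELF, EI_CLASS=1 (32-bit), then a fake loader path
    printf '\177ELF\001\001\001\000\000\000\000\000\000\000\000\000' > "$tmp/fake32"
    printf '/lib/ld-example-missing.so.2\000' >> "$tmp/fake32"
    printf '%s: class %s, %s\n' "$tmp/fake32" "$(elf_class "$tmp/fake32")" "$(diagnose "$tmp/fake32")"
    rm -rf "$tmp"
fi
```

A verdict of missing-interpreter on the real opsec_pull_cert means the apt-get line above is the fix; a verdict of ok with the command still failing points at the second half of Jason's answer, the libcpc++ symlink, since a missing shared library (as opposed to a missing loader) is reported by the loader itself, not by the kernel.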

ejahnke
Explorer

As of today this answer was still needed, thanks.


araitz
Splunk Employee

Do you have your SPLUNK_ENV set? Have you logged in to Splunk?

 $SPLUNK_HOME/bin/splunk login
 $SPLUNK_HOME/bin/splunk cmd ./opsec_pull_cert

See the troubleshooting section of the docs as well:

http://docs.splunk.com/Documentation/OPSEC-LEA/latest/Install/Runlea-loggrabbermanually


dariusjs
New Member

Hi Nick,

What you seem to be doing is running the script from the location. Find out where that script is installed and then run it.

A nice thing if you install this on centos is you get the locate utility, which will find the script for you if your index is up to date. I am also trying to install this today but am having connectivity issues between the splunk server and my checkpoints for now.

[root@centos-control linux22]# locate opsec_pull_cert
/opt/splunk/etc/apps/lea-loggrabber-splunk/opsec-tools/linux22/opsec_pull_cert
[root@centos-control linux22]# ./opsec_putkey -ssl -port 18184 10.1.1.1
Please enter secret key:
Please enter secret key again:

Failed to initialize authentication with 10.1.1.1

[root@centos-control linux22]#


nickstone
Path Finder

OK, the 32-bit forwarder has helped and I am now stuck with "Failed to initialize authentication with..."

dariusjs, did you get any further on this?


nickstone
Path Finder

Sorry dariusjs,

I forgot to mention, I am already in the same directory as the script,
i.e.: root@spk01:/opt/splunk/etc/apps/lea-loggrabber-splunk/opsec-tools/linux22#

ls -a:
. .. opsec_pull_cert opsec_putkey
