All I see in the log is:
log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2506 :INFO: Successfully create opsec environment
log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2535 :INFO: Successfully initialize client/server-pair
log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2553 :INFO: Successfully create session
[ 161687680][25 Mar 14:30:54] get_pkxld_path: cpshared_filename failed
log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles_dict code_line_no:2596 :INFO: lea_get_first_file_info returned 4
log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles_dict code_line_no:2597 :INFO: Available FW-1 Logfiles
log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles_dict code_line_no:2601 :INFO: - purged nID 1399793794 aID 1399793794
log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles_dict code_line_no:2601 :INFO: - purged nID 1399814080 aID 1399814080
log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles_dict code_line_no:2601 :INFO: - purged nID 1399829518 aID 1399829518
log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles_dict code_line_no:2601 :INFO: - purged nID 1399841761 aID 1399841761
log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles_dict code_line_no:2601 :INFO: - purged nID 1399852792 aID 1399852792
 
@splunk0 If your problem is resolved, please accept an answer to help future readers.
 
We need more info about this. What were you trying to ingest? Can you search the internal indexes, or is the log you are showing from a tail in the command line?
What is your environment: standalone or distributed?
I just followed this guide:
https://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Troubleshoot
The logs in the original post are from splunk_ta_checkpoint-opseclea_modinput.log
It just continues with the same type of message:
log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles_dict code_line_no:2601 :INFO: - purged nID aID 
countless times, but nothing gets logged to index=opsec.
The beginning of the file shows: get_pkxld_path: cpshared_filename failed
Maybe that is an indication of something?
Does it matter if it's standalone or not? I don't think it matters.
 
Do you manage this Check Point device?
Check this link for the error message.
The HKLM_registry.data file is corrupted.
I eventually just deleted all and installed from the web interface. It works fine.
