OPSEC LEA Linux App - does not connect

coonsmatthew
Explorer

I am using Splunk 5.03 installed on Ubuntu. I installed the OPSEC LEA App for Checkpoint log analysis. I was able to establish a connection with our Checkpoint firewall, but now the connection is showing "Never Connected" under the "last connection" field.

I used nc to verify that port 18184 is accessible from my workstation, and was able to initiate a 3 way handshake with the checkpoint server.

I am using wireshark to analyse traffic going to port 18184 and I don't see that the Splunk App is even trying to connect to the checkpoint server.

I tried restarting the splunk server, but I still don't see any connection to the checkpoint server.

What am I missing?

Thanks.


Chubbybunny
Splunk Employee

'err=8' seems to indicate a problem communicating with the LEA Server for some reason per:

https://forums.checkpoint.com/forums/thread.jspa?threadID=13321

Use netcat to test the LEA server on 18184/tcp and the pullcert service on 18210/tcp for an open connection; if any, restart the mgmt server???

coonsmatthew
Explorer

Yep, I bet we need to restart the Checkpoint server... it's gonna be a while before that happens, though. I will check back here if that does not fix the issue.


coonsmatthew
Explorer

[ 5835 3075970752]@ubuntu[2 Jul 9:30:39] opsec_auth_client_connected: connect failed (119)
[ 5835 3075970752]@ubuntu[2 Jul 9:30:39] opsec_auth_client_connected: SIC Error for lea: Client could not choose an authentication method for service lea
[ 5835 3075970752]@ubuntu[2 Jul 9:30:39] opsec_auth_client_connected:conn=(nil) opaque=0x87fe120 err=0 comm=0x87eb440
[ 5835 3075970752]@ubuntu[2 Jul 9:30:39] comm failed to connect 0x87eb440
[ 5835 3075970752]@ubuntu[2 Jul 9:30:39] OPSEC_SET_ERRNO: err = 8 Comm is not connected/Unable to connect (pre = 0)


coonsmatthew
Explorer

I ran it in debug mode and I keep getting these errors:


coonsmatthew
Explorer

Even though I am seeing packets being sent to Checkpoint from Splunk and vice versa, the app is still showing "never connected." There does not seem to be any data being indexed either... if I "follow TCP Stream" in Wireshark, I get this output: Y......EY.......local_sic_name.....local_sic_name.....local_sic_name.........cp_local.


coonsmatthew
Explorer

I'm actually getting SEQ/ACK packets between the Checkpoint application and the Splunk server now. I'm not getting the "failed to create session" error anymore; now I'm getting this error in the splunkd.log file:

07-02-2013 09:00:12.632 -0700 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity Owens_cc" WARNING: Illegal entry in configuration file: SHOW_FIELDNAMES="yes"


coonsmatthew
Explorer

Also, I was able to pull up the splunkd.log file and it shows this error many times over.

07-02-2013 07:46:14.868 -0700 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity CC" ERROR: failed to create session (Argument is NULL or lacks some data)

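The two checks this thread turns on, Chubbybunny's netcat test of 18184/tcp (LEA) and 18210/tcp (pullcert), and reading the lea-loggrabber debug output and the splunkd.log ExecProcessor lines that coonsmatthew posted, can be scripted so they are repeatable. The following is an added example written for this page; it is not code from the thread, from the Splunk OPSEC LEA app, or from Check Point. The sample log lines are the ones quoted above, embedded here as constructed input; the host name `fw-mgmt.example` in the `__main__` block is a hypothetical placeholder. The port probe is a plain TCP connect with a timeout, which is what the netcat 3-way-handshake test verifies and nothing more (it says nothing about SIC authentication, which happens after the handshake).

```python
import re
import socket

# Constructed sample input: the lea-loggrabber debug lines quoted in the thread.
OPSEC_DEBUG_LINES = [
    "[ 5835 3075970752]@ubuntu[2 Jul 9:30:39] opsec_auth_client_connected: connect failed (119)",
    "[ 5835 3075970752]@ubuntu[2 Jul 9:30:39] opsec_auth_client_connected: SIC Error for lea: Client could not choose an authentication method for service lea",
    "[ 5835 3075970752]@ubuntu[2 Jul 9:30:39] opsec_auth_client_connected:conn=(nil) opaque=0x87fe120 err=0 comm=0x87eb440",
    "[ 5835 3075970752]@ubuntu[2 Jul 9:30:39] comm failed to connect 0x87eb440",
    "[ 5835 3075970752]@ubuntu[2 Jul 9:30:39] OPSEC_SET_ERRNO: err = 8 Comm is not connected/Unable to connect (pre = 0)",
]

# Constructed sample input: the splunkd.log ExecProcessor lines quoted in the thread.
SPLUNKD_LINES = [
    '07-02-2013 09:00:12.632 -0700 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity Owens_cc" WARNING: Illegal entry in configuration file: SHOW_FIELDNAMES="yes"',
    '07-02-2013 07:46:14.868 -0700 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity CC" ERROR: failed to create session (Argument is NULL or lacks some data)',
]

# "[ pid tid]@host[timestamp] message"
OPSEC_RE = re.compile(r"^\[\s*(?P<pid>\d+)\s+(?P<tid>\d+)\]@(?P<host>\S+)\[(?P<ts>[^\]]+)\]\s+(?P<msg>.*)$")
ERRNO_RE = re.compile(r"OPSEC_SET_ERRNO: err\s*=\s*(?P<code>\d+)\s*(?P<text>.*?)\s*\(pre\s*=")
# splunkd.log: timestamp, level, then the script command and whatever it wrote to stderr
SPLUNKD_RE = re.compile(r'^(?P<ts>\S+ \S+ \S+) (?P<level>\w+) ExecProcessor - message from "(?P<cmd>[^"]*)" (?P<msg>.*)$')
ENTITY_RE = re.compile(r"--configentity\s+(\S+)")
SCRIPT_MSG_RE = re.compile(r"^(?P<slevel>[A-Z]+): (?P<smsg>.*)$")
ILLEGAL_KEY_RE = re.compile(r"Illegal entry in configuration file: (\w+)=")


def parse_opsec_debug(lines):
    """Parse lea-loggrabber debug output; flag SIC errors and OPSEC_SET_ERRNO codes."""
    events = []
    for line in lines:
        m = OPSEC_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["sic_error"] = "SIC Error" in ev["msg"]
        e = ERRNO_RE.search(ev["msg"])
        ev["errno"] = int(e.group("code")) if e else None
        ev["errno_text"] = e.group("text") if e else None
        events.append(ev)
    return events


def parse_splunkd_exec(lines):
    """Parse splunkd.log ExecProcessor lines into script path, config entity and script message."""
    events = []
    for line in lines:
        m = SPLUNKD_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ent = ENTITY_RE.search(ev["cmd"])
        ev["configentity"] = ent.group(1) if ent else None
        sm = SCRIPT_MSG_RE.match(ev["msg"])
        ev["script_level"] = sm.group("slevel") if sm else None
        ev["script_msg"] = sm.group("smsg") if sm else ev["msg"]
        events.append(ev)
    return events


def triage(opsec_events, splunkd_events):
    """Summarise the findings a practitioner would act on, one string per finding."""
    findings = []
    for ev in opsec_events:
        if ev["sic_error"]:
            findings.append("SIC error during LEA authentication: " + ev["msg"])
        if ev["errno"] == 8:
            findings.append("OPSEC err=8 (%s): verify TCP reachability of 18184 and 18210" % ev["errno_text"])
    for ev in splunkd_events:
        k = ILLEGAL_KEY_RE.search(ev["script_msg"])
        if k:
            findings.append("illegal config key %s for entity %s" % (k.group(1), ev["configentity"]))
        elif ev["script_level"] == "ERROR":
            findings.append("entity %s: %s" % (ev["configentity"], ev["script_msg"]))
    return findings


def check_port(host, port, timeout=3.0):
    """TCP reachability check: the scripted equivalent of the netcat handshake test."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_lea_ports(host, timeout=3.0):
    """Probe the two ports named in the thread: LEA (18184) and pullcert (18210)."""
    return {"lea/18184": check_port(host, 18184, timeout), "pullcert/18210": check_port(host, 18210, timeout)}


def loopback_self_check():
    """Exercise check_port against a throwaway loopback listener (positive path)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    try:
        return check_port("127.0.0.1", srv.getsockname()[1], timeout=1.0)
    finally:
        srv.close()


if __name__ == "__main__":
    for f in triage(parse_opsec_debug(OPSEC_DEBUG_LINES), parse_splunkd_exec(SPLUNKD_LINES)):
        print(f)
    print(probe_lea_ports("fw-mgmt.example"))  # hypothetical management server name
```

A reachable port in `probe_lea_ports` combined with `err=8` in the debug output means the handshake succeeds but the OPSEC session does not get established, which is the situation in the thread; an unreachable port points at network or firewall policy between the Splunk host and the management server instead.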