I am using Splunk 5.03 installed on Ubuntu. I installed the OPSEC LEA App for Checkpoint log analysis. I was able to establish a connection with our Checkpoint firewall, but now the connection is showing "Never Connected" under the "last connection" field.
I used nc to verify that port 18184 is accessible from my workstation, and was able to initiate a 3-way handshake with the checkpoint server.
I am using wireshark to analyse traffic going to port 18184 and I don't see that the Splunk App is even trying to connect to the checkpoint server.
I tried restarting the splunk server, but I still don't see any connection to the checkpoint server.
What am I missing?
Thanks.
'err=8' seems to indicate a problem communicating with the LEA Server for some reason per:
https://forums.checkpoint.com/forums/thread.jspa?threadID=13321
use NETCAT to test the lea server on ports 18184/tcp | pullcert 18210/tcp for an open connection
if any, restart the mgmt server???
Yep, I bet we need to restart the checkpoint server...it's gonna be a while before that happens though. I will check back here if that does not fix the issue.
I ran in debug mode, I keep on getting these errors:
[ 5835 3075970752]@ubuntu[2 Jul 9:30:39] opsec_auth_client_connected: connect failed (119)
[ 5835 3075970752]@ubuntu[2 Jul 9:30:39] opsec_auth_client_connected: SIC Error for lea: Client could not choose an authentication method for service lea
[ 5835 3075970752]@ubuntu[2 Jul 9:30:39] opsec_auth_client_connected:conn=(nil) opaque=0x87fe120 err=0 comm=0x87eb440
[ 5835 3075970752]@ubuntu[2 Jul 9:30:39] comm failed to connect 0x87eb440
[ 5835 3075970752]@ubuntu[2 Jul 9:30:39] OPSEC_SET_ERRNO: err = 8 Comm is not connected/Unable to connect (pre = 0)
Would it at all be possible to run the app in debug mode?
Even though I am seeing packets being sent to checkpoint from Splunk and vice versa, the app is still showing "never connected." There does not seem to be any data being indexed as well...if I "follow TCP Stream" in wireshark, I get this output: Y......EY.......local_sic_name.....local_sic_name.....local_sic_name.........cp_local.
bug ID and workaround posted by Chubbybunny
I'm actually getting SEQ/ACK packets between the checkpoint application and the Splunk server now. I'm not getting the "failed to create session" error any more; now I'm getting this error in the splunkd.log file:
07-02-2013 09:00:12.632 -0700 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity Owens_cc" WARNING: Illegal entry in configuration file: SHOW_FIELDNAMES="yes"
Also, I was able to pull up the splunkd.log file and it shows this error many times over.
07-02-2013 07:46:14.868 -0700 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity CC" ERROR: failed to create session (Argument is NULL or lacks some data)
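As an added example that is not part of this thread or of the Splunk OPSEC LEA app: a small Python triage helper that reads splunkd.log lines in the ExecProcessor format quoted above, keeps only the lea-loggrabber.sh messages, and counts them per configentity by error class, so the two distinct failures in this thread (session creation failing vs. an unsupported key in the loggrabber config) can be told apart at a glance. The sample log lines are constructed to match the format shown here; the file path and entity names are taken from the posts.

```python
import re
from collections import defaultdict

# Constructed sample splunkd.log excerpt in the format quoted in this thread.
SAMPLE_LOG = """\
07-02-2013 07:46:14.868 -0700 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity CC" ERROR: failed to create session (Argument is NULL or lacks some data)
07-02-2013 07:47:14.901 -0700 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity CC" ERROR: failed to create session (Argument is NULL or lacks some data)
07-02-2013 09:00:12.632 -0700 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity Owens_cc" WARNING: Illegal entry in configuration file: SHOW_FIELDNAMES="yes"
07-02-2013 09:00:13.010 -0700 INFO  TailingProcessor - unrelated line that must be ignored
"""

# One ExecProcessor line: timestamp, level, quoted script invocation, message.
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) '
    r'(?P<level>\w+)\s+ExecProcessor - message from '
    r'"(?P<script>\S*lea-loggrabber\.sh) --configentity (?P<entity>\S+)" '
    r'(?P<msg>.*)$'
)

def classify(msg):
    """Map a loggrabber message to a short error class (labels are ours)."""
    if "failed to create session" in msg:
        return "session_create_failed"
    if "Illegal entry in configuration file" in msg:
        # Extract the offending key so the operator knows what to remove/fix.
        m = re.search(r'Illegal entry in configuration file: (\w+)=', msg)
        return "bad_config_key:" + (m.group(1) if m else "unknown")
    return "other"

def parse_line(line):
    """Return the parsed fields of an lea-loggrabber ExecProcessor line, else None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def triage(text):
    """Count loggrabber messages per configentity and error class."""
    report = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            report[rec["entity"]][classify(rec["msg"])] += 1
    return {entity: dict(counts) for entity, counts in report.items()}

if __name__ == "__main__":
    for entity, counts in triage(SAMPLE_LOG).items():
        for cls, n in counts.items():
            print(f"{entity:10s} {n:3d}x {cls}")
```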