SIC Certificate issue

Shark2112
Communicator

Hey guys.

After I made a new connection and pulled a new certificate from Check Point, it is not in the list of existing certificates, but a file at /etc/apps/Splunk_TA_checkpoint-opseclea/certs/ was added.

Any ideas?

0 Karma

horsefez
SplunkTrust

Hi Shark2112,

that is correct.
The cert does not get filed in /opt/splunk/etc/auth/.

You have to reference this certificate file in your opseclea_connection.conf:

    [Checkpoint_OPSECLEA]
    cert_name = Checkpoint_OPSECLEA_12389352.p12
    ...

Regards,
pyro_wood

0 Karma

Shark2112
Communicator

Yes, I have "cert_name = BronkaCP_2937532815.p12" in opseclea_connection.conf, but the input doesn't work and the index is empty.

0 Karma

horsefez
SplunkTrust

Would you mind posting your configuration files?
Luckily I configured this OPSEC setup two weeks ago, and I had problems too.

0 Karma

Shark2112
Communicator

opseclea_connection.conf

    [BronkaCP]
    cert_name = BronkaCP_2937532815.p12
    fw_version = R77
    lea_app_name = OPSEC_LEA
    lea_server_auth_port = 18184
    lea_server_auth_type = sslca
    lea_server_ip = 10.161.14.2
    lea_server_type = primary
    management_server_ip = 10.161.14.2
    opsec_entity_sic_name = CN=cp_mgmt,O=GW1.mydomain.ru.r9xrhm
    opsec_sic_name = CN=OPSEC_LEA,O=GW1.mydomain.ru.r9xrhm
    disabled = 0

opseclea_inputs.conf

    [inpcp]
    connection = BronkaCP
    data = non_audit
    index = cp
    interval = 30
    mode = offline
    noresolve = 0
    starttime =
    disabled = 0
    host =

0 Karma

horsefez
SplunkTrust

Mine look like this:

[0] $ cat opseclea_connection.conf
[Checkpoint_OPSECLEA]
cert_name = Checkpoint_OPSECLEA_126464732.p12
fw_version = R77
lea_app_name = SplunkLEA
lea_server_auth_port = 18184
lea_server_auth_type = sslca
lea_server_ip = <firewall-ip>
lea_server_type = primary
opsec_entity_sic_name = CN=cp_mgmt,O=<somehostanddomain>.xokrso
opsec_sic_name = CN=SplunkLEA,O=<somehostanddomain>.xokrso


[0] $ cat opseclea_inputs.conf
[checkpoint_audit]
connection = Checkpoint_OPSECLEA
data = audit
index = checkpoint_firewall
interval = 60
mode = online
noresolve = 0


[0] $ cat opseclea_settings.conf
[logging]
level = INFO
disabled = 0

0 Karma

horsefez
SplunkTrust

The difference is:
"mode = online"

Let's do more troubleshooting... maybe show me something from splunkd.log.
Are there any ERRORS/WARNINGS?

0 Karma

Shark2112
Communicator

11-24-2016 17:20:45.794 +0300 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Thu Nov 24 14:35:10 2016). Context: FileClassifier /opt/splunk/var/log/splunk/splunk_ta_checkpoint-opseclea_modinput.log.1
11-24-2016 16:25:00.180 +0300 INFO SpecFiles - Found external scheme definition for stanza "checkpoint_opseclea://" with 1 parameters: description
11-24-2016 16:25:00.283 +0300 INFO ModularInputs - Introspection setup completed for scheme "checkpoint_opseclea".
11-24-2016 16:25:00.836 +0300 INFO SpecFiles - Found external scheme definition for stanza "checkpoint_opseclea://" with 1 parameters: description
11-24-2016 16:25:00.928 +0300 INFO ModularInputs - No stanzas found for scheme "checkpoint_opseclea" in inputs.conf at script (re)start.
11-24-2016 16:25:00.928 +0300 INFO ExecProcessor - New scheduled exec process: python /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/checkpoint_opseclea.py
11-24-2016 16:25:01.273 +0300 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/opt/splunk/var/log/splunk/splunk_ta_checkpoint-opseclea_util.log'.
11-24-2016 18:05:27.591 +0300 INFO ModularInputs - No stanzas found for scheme "checkpoint_opseclea" in inputs.conf at script (re)start.
11-24-2016 18:05:27.592 +0300 INFO ExecProcessor - New scheduled exec process: python /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/checkpoint_opseclea.py
11-24-2016 18:05:29.905 +0300 INFO SpecFiles - Found external scheme definition for stanza "checkpoint_opseclea://" with 1 parameters: description

0 Karma

horsefez
SplunkTrust

Hi,

11-24-2016 17:20:45.794 +0300 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Thu Nov 24 14:35:10 2016). Context: FileClassifier /opt/splunk/var/log/splunk/splunk_ta_checkpoint-opseclea_modinput.log.1

This DateParserVerbose is something I have experienced as an indicator of not seeing any data getting indexed from a log source (but not from Check Point).

Do you have any configuration in /opt/splunk/etc/system/local/ ?


JUST ASKING:
your opseclea_inputs.conf and the two other files are stored in /opt/splunk/etc/apps/Splunk_TA.../local/ right?

0 Karma

Shark2112
Communicator

Hi!

your opseclea_inputs.conf and the two other files are stored in /opt/splunk/etc/apps/Splunk_TA.../local/ right?
Right.

I found new errors in the logs:
2016-11-25 10:10:57,435 +0000 log_level=ERROR, pid=27069, tid=Thread-115, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="cp" connection="BroCP2" data="fw"]log_level=0 file:lea_loggrabber.cpp func_name:check_session_end_reason code_line_no:2159 :Session end reason: SIC ERROR 302 - SIC Error for ssl_opsec: peer name wasn't found in authentication files

2016-11-25 10:10:57,434 +0000 log_level=INFO, pid=27069, tid=Thread-115, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="cp" connection="BroCP2" data="fw"][ 32278 4152089408]@srv-splunk.msccbronka.ru[25 Nov 13:10:57] Error opening file ./sslauthkeys.C:: No such file or directory

What is that? And do I need to use /opsec_putkey -ssl -port 18184 ???

0 Karma

horsefez
SplunkTrust

This is really getting strange and odd.

I can tell you about my experience with the OPSEC_LEA app:
As I was implementing it via the CLI first, it somehow didn't work. Then I backed up all the configuration I had so far and deleted it from the system. I then used the web front end to configure the connection, and everything was working fine after that.
My colleague and I never found any real difference between the configuration we did before via the CLI and the config that got generated via the web.

I'm not a fan of configuring inputs via the web, but somehow it only worked after doing it that way.

If you are going to try it out, you should not forget to set a new one-time password on your Check Point firewall.

0 Karma

Shark2112
Communicator

Hi,

we noticed one thing: the Check Point manual for $FWDIR/conf/fwopsec.conf says

    lea_server auth_port 18184
    lea_server auth_type ssl_opsec

but after taking the certificate, Splunk sets the auth type in its conf file to sslca.

Can you show your Check Point config?

0 Karma

horsefez
SplunkTrust

Hi Shark,

sadly I can't show our Check Point configuration; I don't have any access to it.
Are you any further on resolving this issue?

0 Karma

horsefez
SplunkTrust

Hi Shark,

sadly I can't show you our Check Point config. I don't have access to it.
Are you any further into solving this?

0 Karma

Shark2112
Communicator

OK, now we have made it work: just set "lea_server auth_type sslopsec" in $FWDIR/conf/fwopsec.conf.

Can you answer, please: do you use opsec_putkey?

0 Karma
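A consistency check over the kind of files posted in this thread, added here as an example (it is not the TA's code and not from either poster). It cross-checks the TA's opseclea_connection.conf and opseclea_inputs.conf against the Check Point side's $FWDIR/conf/fwopsec.conf and the certs/ directory, and reports the misconfigurations discussed above: a cert_name with no matching file in certs/, an input whose connection stanza does not exist or is disabled, an opsec_sic_name whose CN does not match lea_app_name, a different O= suffix on the two SIC names, an auth_port mismatch, and a lea_server auth_type that differs between the two sides (reported as a note rather than an error, since the fix in this thread was to change that value on the Check Point side). The config texts are constructed from the posted files with placeholder IPs and SIC suffixes, and CERTS_PRESENT stands in for a listing of etc/apps/Splunk_TA_checkpoint-opseclea/certs/.

```python
"""Cross-check a Splunk_TA_checkpoint-opseclea connection against the Check Point side.

Added example, not code from the TA or from the thread. The three config texts are
constructed to resemble the files posted above; CERTS_PRESENT stands in for a
directory listing of the TA's certs/ folder.
"""
import configparser
import re
from typing import Dict, List, Set

# Constructed sample: Splunk side (values modelled on the thread, IP/SIC suffix are placeholders).
CONNECTION_CONF = """\
[BronkaCP]
cert_name = BronkaCP_2937532815.p12
fw_version = R77
lea_app_name = OPSEC_LEA
lea_server_auth_port = 18184
lea_server_auth_type = sslca
lea_server_ip = 10.161.14.2
lea_server_type = primary
management_server_ip = 10.161.14.2
opsec_entity_sic_name = CN=cp_mgmt,O=GW1.mydomain.ru.r9xrhm
opsec_sic_name = CN=OPSEC_LEA,O=GW1.mydomain.ru.r9xrhm
disabled = 0
"""
INPUTS_CONF = """\
[inpcp]
connection = BronkaCP
data = non_audit
index = cp
interval = 30
mode = online
noresolve = 0
disabled = 0
"""
# Constructed sample: Check Point side. fwopsec.conf is 'key subkey value' lines, not INI.
FWOPSEC_CONF = """\
lea_server auth_port 18184
lea_server auth_type sslca
"""
CERTS_PRESENT: Set[str] = {"BronkaCP_2937532815.p12"}


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a Splunk .conf file (INI syntax) into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def parse_fwopsec(text: str) -> Dict[str, str]:
    """Parse 'lea_server auth_type sslca' style lines into {'lea_server auth_type': 'sslca'}."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop comments, then whitespace-split
        if len(parts) == 3:
            settings[f"{parts[0]} {parts[1]}"] = parts[2]
    return settings


def cn_of(sic_name: str) -> str:
    """Return the CN of a SIC DN such as 'CN=OPSEC_LEA,O=GW1.mydomain.ru.r9xrhm'."""
    m = re.search(r"CN=([^,]+)", sic_name)
    return m.group(1) if m else ""


def check_opseclea(connection_conf: str, inputs_conf: str, fwopsec_conf: str,
                   certs_present: Set[str]) -> Dict[str, List[str]]:
    """Return {'errors': [...], 'notes': [...]} for the given configuration texts."""
    errors: List[str] = []
    notes: List[str] = []
    conns = parse_ini(connection_conf)
    fw = parse_fwopsec(fwopsec_conf)

    for name, c in conns.items():
        cert = c.get("cert_name", "")
        if cert not in certs_present:
            errors.append(f"[{name}] cert_name '{cert}' is not present in certs/")
        if cn_of(c.get("opsec_sic_name", "")) != c.get("lea_app_name", ""):
            errors.append(f"[{name}] CN of opsec_sic_name does not match lea_app_name")
        # Both SIC names are issued by the same management ICA, so their O= must agree.
        own_o = c.get("opsec_sic_name", "").partition("O=")[2]
        peer_o = c.get("opsec_entity_sic_name", "").partition("O=")[2]
        if own_o != peer_o:
            errors.append(f"[{name}] O= differs between opsec_sic_name and opsec_entity_sic_name")
        if c.get("lea_server_auth_port") != fw.get("lea_server auth_port"):
            errors.append(f"[{name}] lea_server_auth_port {c.get('lea_server_auth_port')} "
                          f"!= fwopsec.conf auth_port {fw.get('lea_server auth_port')}")
        # Compare auth types ignoring underscore/case spelling differences; flagged as a note only.
        splunk_type = c.get("lea_server_auth_type", "")
        cp_type = fw.get("lea_server auth_type", "")
        if splunk_type.replace("_", "").lower() != cp_type.replace("_", "").lower():
            notes.append(f"[{name}] auth_type differs: Splunk='{splunk_type}', fwopsec.conf='{cp_type}'")

    for name, i in parse_ini(inputs_conf).items():
        target = i.get("connection", "")
        if target not in conns:
            errors.append(f"[{name}] connection '{target}' has no stanza in opseclea_connection.conf")
        elif conns[target].get("disabled", "0") != "0":
            errors.append(f"[{name}] connection '{target}' is disabled")
    return {"errors": errors, "notes": notes}


if __name__ == "__main__":
    result = check_opseclea(CONNECTION_CONF, INPUTS_CONF, FWOPSEC_CONF, CERTS_PRESENT)
    for level, msgs in result.items():
        for msg in msgs:
            print(f"{level.upper()}: {msg}")
    print("ok" if not result["errors"] else f"{len(result['errors'])} error(s)")
```

To run it against a live install, replace the three constants with the contents of the TA's local/ files and the management server's fwopsec.conf, and build CERTS_PRESENT from os.listdir() of the certs/ directory.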

Shark2112
Communicator

Seems the same. Did you use opsec_putkey? I did, but it doesn't help.

0 Karma