Splunk Add-on for Check Point OPSEC Lea: ERROR: SI...

olanandkate · ‎08-13-2015

I'm new to the CheckPoint OPSEC Lea Application and the connection to our management station has never worked. I get the following error from the lea-loggrabber-debug.sh script:

ERROR: SIC ERROR 325 - SIC Error for lea: Could not retrieve CRL.

I've checked firewall logs and I don't see any drops, but it does state in these debugs that it can't connect. Anyone experienced this issue before or know what port it might be trying to connect to? I tried opening 18264 which dropped on the firewall logs. I just find it interesting that our other OPSEC objects work fine and are able to pull logs except for splunk.

[ 29346 4151769904]@splunkfwd2[13 Aug  8:22:18] fwFetchCRL_e_With_Reason: FWD_ENV is not g_env, can't use fetchers
[ 29346 4151769904]@splunkfwd2[13 Aug  8:22:18] fwCert_ValCerts: Could not retrieve CRL.CN=cp_mgmt,O=fwmgmtstation..8frg3r
[ 29346 4151769904]@splunkfwd2[13 Aug  8:22:18] validate_callback: rc = -986 
[ 29346 4151769904]@splunkfwd2[13 Aug  8:22:18] sic_client_end_handler: for conn id = 10
[ 29346 4151769904]@splunkfwd2[13 Aug  8:22:18] opsec_auth_client_connected: connect failed (325)
[ 29346 4151769904]@splunkfwd2[13 Aug  8:22:18] opsec_auth_client_connected: SIC Error for lea: Could not retrieve CRL.
[ 29346 4151769904]@splunkfwd2[13 Aug  8:22:18] opsec_auth_client_connected:conn=(nil) opaque=0x934fc60 err=0 comm=0x93819f0
[ 29346 4151769904]@splunkfwd2[13 Aug  8:22:18] comm failed to connect 0x93819f0
[ 29346 4151769904]@splunkfwd2[13 Aug  8:22:18] OPSEC_SET_ERRNO: err =  8  Comm is not connected/Unable to connect (pre =  8)
[ 29346 4151769904]@splunkfwd2[13 Aug  8:22:18] COM 0x93819f0 got signal 131075
[ 29346 4151769904]@splunkfwd2[13 Aug  8:22:18] destroying comm 0x93819f0
[ 29346 4151769904]@splunkfwd2[13 Aug  8:22:18] Destroying comm 0x93819f0 with 1 active sessions
[ 29346 4151769904]@splunkfwd2[13 Aug  8:22:18] Destroying session (93554d0) id 3 (ent=934f550) reason=SIC_FAILURE
[ 29346 4151769904]@splunkfwd2[13 Aug  8:22:18] SESSION ID:3 is sending DG_TYPE=3

DEBUG: OPSEC_SESSION_END_HANDLER called
ERROR: SIC ERROR 325 - SIC Error for lea: Could not retrieve CRL.
ERROR: Received error when trying to obtain last record number: function call lea_get_record_possplunk internal call command: $SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/entity_health/fwmgmtstation

magnusmolbach · ‎09-13-2016

I downgraded the cp (by a web interface) to use older certificates.
Then i pulled a new certificate and it worked
then i changed the cp settings again to what it was.
still works.

magnusmolbach · ‎12-21-2015

I'm having issues here as well!
Any solutions? ,I'm also having this problem.
Running centos with the right dependencies installed.
Where you able to fix the issue?

olanandkate · ‎12-28-2015

Sadly I don't have a fix for this issue. It just started working one day. But now I'm in a new issue as I had to build a new server to replace this one and it works using the lea-loggrabber-debug.sh file, but if you try to run it normally it won't connect.

kchanana · ‎09-13-2016

Any fix for this issue? I am facing the same. Thanks

jcoates_splunk · ‎09-19-2015

just guessing, but did you install the 32 bit libraries mentioned here? http://docs.splunk.com/Documentation/OPSEC-LEA/3.1.0/Install/Systemrequirements

olanandkate · ‎09-21-2015

I'm quite positive we followed this to the letter. Do you know the best way to verify which version we are running? Here are the few things I was able to dig up on the internet to determine that.

Requirement 1 - Redhat 6.x
[user@server ~]$ more /etc/*-release
::::::::::::::
/etc/lsb-release
::::::::::::::
LSB_VERSION=base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarc
h
::::::::::::::
/etc/redhat-release
::::::::::::::
Red Hat Enterprise Linux Server release 6.6 (Santiago)
::::::::::::::
/etc/system-release
::::::::::::::
Red Hat Enterprise Linux Server release 6.6 (Santiago)

Requirement 2 - Linux Kernel 2.6.x
[user@server ~]$ uname -a
Linux server 2.6.32-504.el6.x86_64 #1 SMP Tue Sep 16 01:56:35 EDT 2014 x86_64 x86_64 x86_64 GNU/Linux

Requirement 3 - Bash version 3 or higher
[user@server ~]$ bash -version
GNU bash, version 4.1.2(1)-release (x86_64-redhat-linux-gnu)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Requirement 4 - GNU C Lib 32 bit
[user@server ~]$ ldd --version
ldd (GNU libc) 2.12
Copyright (C) 2010 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

I do not see where it states which version it's running (32bit or 64bit)

Requirement 5 - PAM Shared libraries 32 bit
I was unable to find out how to check this version.

olanandkate · ‎12-28-2015

Yes all of the requirements were met for this to function. Oddly it just started working one day. I'm guessing it was something that had to do with the management stations as the Splunk forwarder hadn't been touched during the time it started working. Right now I'm working on a different issue. I had to build a new server for this and while starting from scratch it will start pulling logs in debug mode, but when it tries to run in normal mode it won't work.

Splunk Add-on for Check Point OPSEC Lea: ERROR: SIC ERROR 325 - SIC Error for lea: Could not retrieve CRL.

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes