Security

Why am I getting connection errors after configuring Add-on for Check Point OPSEC LEA Linux?

felipe_tvrs
Explorer

Hello there guys, I configured the OPSEC LEA client, and everything seems to be fine, but under "Last Connection" I can see "Not Connected".

Below is the debug information; I hope somebody can help me, as I have already searched a lot.

Inside the splunkd.log I get the following information:

opsec.conf:

[root@hostname Splunk_TA_opseclea_linux22]# cat local/opsec.conf
[Checkpoint]
collect_audit = 0
fw_version = 77
is_disabled = 0
lea_server_auth_port = 18184
lea_server_auth_type = sslca
lea_server_ip = 172.25.2.174
opsec_entity_sic_name = "DN=cp_mgmt,O=bespx2103..8onvkt"
opsec_sic_name = "DN=SplunkLEA,O=bespx2103..8onvkt"
opsec_sslca_file = ../certs/opsec.p12
disabled = 0

Splunkd.log:

09-03-2014 15:38:41.145 -0300 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity Checkpoint" ERROR: failed to create session (Argument is NULL or lacks some data)
09-03-2014 15:38:57.807 -0300 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity Checkpoint" ERROR: failed to create session (Argument is NULL or lacks some data)
09-03-2014 15:39:14.474 -0300 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity Checkpoint" ERROR: failed to create session (Argument is NULL or lacks some data)
09-03-2014 15:39:31.177 -0300 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity Checkpoint" ERROR: failed to create session (Argument is NULL or lacks some data)

And this is the output of loggrabber debug mode:

/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber-debug.sh --configentity Checkpoint --debug-level 3
Using Splunk instance: /opt/splunk/, app name Splunk_TA_opseclea_linux22
Splunk username: admin
Password:
DEBUG: LOGGRABBER configuration file is: /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/fw1-loggrabber.conf
DEBUG: function logging_init_env
DEBUG: function open_screen
DEBUG: Open connection to screen.
DEBUG: Logfilename : fw.log
DEBUG: Record Separator : |
DEBUG: Resolve Addresses: No
DEBUG: Show Filenames : No
DEBUG: FW1-2000 : No
DEBUG: Online-Mode : No
DEBUG: Audit-Log : No
DEBUG: Show Fieldnames : Yes
DEBUG: function get_fw1_logfiles
splunk internal call command: $SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/Checkpoint
splunk output: QUERYING: 'servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/Checkpoint'
HTTP Status: 200.
Content:

-v opsec_sic_name DN=SplunkLEA,O=bespx2103..8onvkt -v opsec_sslca_file ../certs/opsec.p12 -v lea_server ip 172.25.2.174 -v lea_server auth_port 18184 -v lea_server auth_type sslca -v lea_server opsec_entity_sic_name DN=cp_mgmt,O=bespx2103..8onvkt
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] Env Configuration:
(
:type (opsec_info)
:lea_server (
:opsec_entity_sic_name ("DN=cp_mgmt,O=bespx2103..8onvkt")
:auth_type (sslca)
:auth_port (18184)
:ip (172.25.2.174)
)
:opsec_sslca_file ("../certs/opsec.p12")
:opsec_sic_name ("DN=SplunkLEA,O=bespx2103..8onvkt")
)

[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] Could not find info for ...opsec_shared_local_path...
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] Could not find info for ...opsec_sic_policy_file...
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] Could not find info for ...opsec_mt...
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] opsec_init: multithread safety is not initialized
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] cpprng_opsec_initialize: path is not initialized - will initialize
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] cpprng_opsec_initialize: full file name is ops_prng
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] cpprng_opsec_initialize: dev_urandom_poll returned 0
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] opsec_file_is_intialized: seed is initialized
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] cpprng_opsec_initialize: seed init for opsec succeeded
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] PM_policy_create: version 5301.
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] PM_policy_add_name_to_group: finished successfully.
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] PM_policy_set_local_names: () names. finished successfully.
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] PM_policy_create: finished successfully.
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] PM_policy_add_name_to_group: finished successfully.
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] PM_policy_set_local_names: (local_sic_name) names. finished successfully.
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] PM_policy_add_name_to_group: finished successfully.
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] PM_policy_set_local_names: (127.0.0.1) names. finished successfully.
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] PM_policy_add_name_to_group: finished successfully.
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] PM_policy_set_local_names: ("DN=SplunkLEA,O=bespx2103..8onvkt") names. finished successfully.
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] PM_apply_default_dn: finished successfully.
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] get_my_fwca_password: error in name
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] sslcaInitCP_Ex:failed to get password form pkcs12
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] opsec_init_sslca: no key holder - symmetric SSLCA not started
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] sslcaInitCP_Ex: using asym client without ca cert
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] ckpSSLctx_New: prefs = 12
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] CkpRegDir: Environment variable CPDIR is not set.
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] GenerateGlobalEntry: Unable to get registry path
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] sslcaInitCP_Ex: using asym client without ca cert
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] ckpSSLctx_New: prefs = 32
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] sslcaInitCP_Ex: using asym client without ca cert
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] ckpSSLctx_New: prefs = 11
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] sslcaInitCP_Ex: using asym client without ca cert
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] ckpSSLctx_New: prefs = 31
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] opsec_init_sic_id_internal: Added sic id (ctx id = 0)
DEBUG: OPSEC LEA conf file is lea.conf
DEBUG: Authentication mode has been used.
DEBUG: Server-IP : 172.25.2.174
DEBUG: Server-Port : 18184
DEBUG: Authentication type: sslca
DEBUG: OPSEC sic certificate file name : ../certs/opsec.p12
DEBUG: Server DN (sic name) : DN=cp_mgmt,O=bespx2103..8onvkt
DEBUG: OPSEC LEA client DN (sic name) : DN=SplunkLEA,O=bespx2103..8onvkt
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] opsec_init_entity_sic: called for the client side
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] Configuring entity lea_server
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] Could not find info for ...conn_buf_size...
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] Could not find info for ...no_nagle...
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] Could not find info for ...port...
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] opsec_entity_add_sic_rule: adding rules: apply_to: ME, peer: DN=cp_mgmt,O=bespx2103..8onvkt, d_ip: NULL, dport 18184, svc: lea, method: sslca
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] opsec_entity_add_sic_rule: adding INBOUND rule
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] opsec_entity_add_sic_rule: adding OUTBOUND rule
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] opsec_get_comm: creating comm for ent=9b78dc8 peer=9b6ff00 passive=0 key=2 info=0
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] c=0x9b78dc8 s=0x9b6ff00 comm_type=4

[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] Could not find info for ...opsec_client...
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] opsec_get_comm: Creating session hash (size=256)
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] opsec_get_comm: ADDING comm=0x9b7b7e8 to ent=0x9b78dc8 with key=2
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] opsec_env_get_context_id_by_peer_sic_name: illegal DN of sic name: DN=cp_mgmt,O=bespx2103..8onvkt
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] OPSEC_SET_ERRNO: err = 4 Argument is NULL or lacks some data (pre = 0)
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] opsec_sic_connect: failed to get context id for connection
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] opsec_get_comm: error in opsec_sic_connect
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] destroying comm 0x9b7b7e8
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] Destroying comm 0x9b7b7e8 with 0 active sessions
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] pulling dgtype=ffffffff len=-1 to list=0x9b7b804
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] REMOVING comm=0x9b7b7e8 from ent=0x9b78dc8 with key=2
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] Unable to make session
ERROR: failed to create session (Argument is NULL or lacks some data)
DEBUG: function cleanup_fw1_environment
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] Destroying entity 1 with 0 active comms
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] opsec_destroy_entity_sic: deleting sic rules for entity 0x9b78dc8
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] Destroying entity 2 with 0 active comms
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] opsec_destroy_entity_sic: deleting sic rules for entity 0x9b6ff00
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] IpcUnMapFile: unmapping file (handle=0x9b6f858)
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] IpcUnMapFile: unmapping file (handle=0x9b6fbb0)
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] IpcUnMapFile: unmapping file (handle=0x9b6fc30)
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] IpcUnMapFile: unmapping file (handle=0x9b6fcd0)
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] IpcUnMapFile: unmapping file (handle=0x9b6fd50)
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] PM_policy_destroy: finished successfully.
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] opsec_destroy_sic_id_internal: Destroyed sic id (ctx id=0)
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] opsec_env_destroy_sic_id_hash: Destroyed sic id hash
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] fwd_env_destroy: env 0x9b530e8 (alloced = 1)
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] T_env_destroy: env 0x9b530e8
[ 19929 4150278960]@hostname.bs.br.bsch[3 Sep 15:41:07] do_fwd_env_destroy: really destroy 0x9b530e8
splunk internal call command: $SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/entity_health/Checkpoint
splunk output: QUERYING: 'https://127.0.0.1:8089/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/entity_health/Checkpoint'
HTTP Status: 200.
Content:

splunk internal call command: $SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/entity_health/ -post:name Checkpoint -post:is_connected 0 -post:last_connection_timestamp
splunk output: QUERYING: 'https://127.0.0.1:8089/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/entity_health/Checkpoint'
HTTP Status: 200.
Content:

QUERYING: 'https://127.0.0.1:8089/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/entity_health/'
HTTP Status: 201.
Content:

DEBUG: function exit_loggrabber
DEBUG: function free_lfield_arrays
DEBUG: function free_afield_arrays
DEBUG: function free_lfield_arrays
DEBUG: function free_afield_arrays

1 Solution

Chubbybunny
Splunk Employee

Possible condition:

[ 19929 4150278960]@bsbrsp4252.bs.br.bsch[3 Sep 15:41:07] opsec_env_get_context_id_by_peer_sic_name: illegal DN of sic name: DN=cp_mgmt,O=bespx2103..8onvkt
[ 19929 4150278960]@bsbrsp4252.bs.br.bsch[3 Sep 15:41:07] OPSEC_SET_ERRNO: err =  4  Argument is NULL or lacks some data (pre =  0)

The configured opsec_entity_sic_name is incorrect.
To verify the Entity SIC Name:

  1. Open GuiDBedit (the Check Point Database Tool).
  2. Go to Tables > Network Objects > network object (at left). A list of network objects opens (at right).
  3. Click the network object (for example, opsec-fw1-r7540) in the list. A list of object attributes appears (at bottom).
  4. Scroll down the list to find the sic_name field (near the end of the list), or search for the sic_name field. The sic name will look similar to this: CN=cn=cp_mgmt,o=opsec-p1-r7540-test-env-domain1_management_server..pj7ux4.

ppablo
Retired

Awesome work @Chubbybunny! Thumbs up, and glad you got your problem solved, @felipe_tvrs 🙂

0 Karma

felipe_tvrs
Explorer

Hello there @Chubbybunny. I finally managed to get it to work!
I needed to change the "DN" in the SIC name to "CN", and it finally worked! Now I have tons of events to work on filtering.
Thank you for the help.

jareddavis1
New Member

Hello - I am having this issue as well. Can you please clarify what you mean by changing the DN in the SIC name to "CN"? I.e., can you give an example of what you changed? Thanks

0 Karma

felipe_tvrs
Explorer

Hello there @Chubbybunny!
Thank you, I was able to get the opsec_entity_sic_name (CN=cp_mgmt_FW-01,O=bespx2103..8onvkt), but when trying to connect, I received this:

SIC ERROR 111 - SIC Error for lea: Peer sent wrong DN: cn=cp_mgmt,o=mds-01..tng23o

As if the entity SIC name used was wrong, and if I try with this new sic_name, the problem turns into a third one:

SIC ERROR 147 - SIC Error for lea: Authentication error

I'm doing some searches to see if I can make any progress.

Thank you so far!

0 Karma
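To turn the accepted answer, the poster's DN-to-CN fix and the SIC errors quoted in the last reply into a repeatable check, here is an added Python example (not code from the thread, the TA or Check Point) that validates the two SIC names in an opsec.conf stanza, resolves the relative opsec_sslca_file path the way the bin/ script sees it, and maps the error lines quoted above to the setting to revisit. The SIC-name pattern is an assumption drawn from the names posted in the thread, and the sample stanza and log lines are constructed from the values shown above.

```python
"""Check an OPSEC LEA stanza and loggrabber output for the failure seen in this thread.

Added example, not code from Splunk_TA_opseclea or Check Point. Assumes the opsec.conf keys
from the question and the SIC-name shape quoted in the accepted answer and the poster's
fix: CN=<object>,O=<management server>..<suffix>.
"""
import configparser
import posixpath
import re

# Every SIC name quoted in the thread starts with CN=; the posted config used DN= and the
# client rejected it ("illegal DN of sic name", OPSEC errno 4). The shape below is an
# assumption drawn from the thread's examples; widen it if your deployment adds attributes.
SIC_NAME_RE = re.compile(r"^CN=[^,]+,O=[^,]+\.\.[0-9a-z]+$", re.IGNORECASE)
ILLEGAL_DN_RE = re.compile(r"illegal DN of sic name: (?P<dn>\S+)")
WRONG_DN_RE = re.compile(r"SIC ERROR 111 .*Peer sent wrong DN: (?P<dn>\S+)")
SIC_ERR_RE = re.compile(r"SIC ERROR (?P<code>\d+) - (?P<msg>.*)")

# Constructed sample: the stanza from the question, values as posted.
SAMPLE_OPSEC_CONF = """\
[Checkpoint]
lea_server_auth_port = 18184
lea_server_auth_type = sslca
lea_server_ip = 172.25.2.174
opsec_entity_sic_name = "DN=cp_mgmt,O=bespx2103..8onvkt"
opsec_sic_name = "DN=SplunkLEA,O=bespx2103..8onvkt"
opsec_sslca_file = ../certs/opsec.p12
"""

# Constructed sample: one loggrabber debug line and the two SIC errors quoted in the thread.
SAMPLE_LOG = """\
[ 19929 4150278960]@host[3 Sep 15:41:07] opsec_env_get_context_id_by_peer_sic_name: illegal DN of sic name: DN=cp_mgmt,O=bespx2103..8onvkt
SIC ERROR 111 - SIC Error for lea: Peer sent wrong DN: cn=cp_mgmt,o=mds-01..tng23o
SIC ERROR 147 - SIC Error for lea: Authentication error
"""


def check_sic_name(key, value):
    """Return the problems found in one SIC name; an empty list means it looks right."""
    v = value.strip().strip('"')  # opsec.conf values may be double-quoted, as in the question
    if v.upper().startswith("DN="):
        return [f"{key}: starts with DN= but the first attribute must be CN="]
    if not SIC_NAME_RE.match(v):
        return [f"{key}: {v!r} is not of the form CN=<object>,O=<mgmt>..<suffix>"]
    return []


def resolve_sslca_path(conf_value, bin_dir):
    """lea-loggrabber runs from the TA's bin directory, so a relative p12 path resolves there."""
    return posixpath.normpath(posixpath.join(bin_dir, conf_value.strip().strip('"')))


def check_stanza(conf_text, stanza="Checkpoint"):
    """Validate both SIC names in one opsec.conf stanza; returns the list of findings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = cp[stanza]
    findings = []
    for key in ("opsec_sic_name", "opsec_entity_sic_name"):
        findings += check_sic_name(key, section.get(key, ""))
    return findings


def triage_log(text):
    """Map the failure lines seen in the thread to the setting to revisit."""
    hints = []
    for line in text.splitlines():
        if m := ILLEGAL_DN_RE.search(line):
            hints.append(("opsec_entity_sic_name", f"client rejected {m['dn']}: first attribute must be CN="))
        elif m := WRONG_DN_RE.search(line):
            hints.append(("opsec_entity_sic_name", f"peer presented {m['dn']}; configured name does not match it"))
        elif m := SIC_ERR_RE.search(line):
            hints.append(("sic", f"SIC error {m['code']}: {m['msg'].strip()}"))
    return hints
```

Run `check_stanza` against your own local/opsec.conf before restarting the input; the Atom XML that `lea-loggrabber-debug.sh` dumps only echoes the stanza, so the SIC names are easier to catch here than in that output.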