Checkpoint OPSEC LEA is not working

apezuela
Explorer

Hi,

My Checkpoint OPSEC LEA is working.

I get the following Splunk log:

index=_internal host="MOL18107" ( source="*splunkd.log" ) ( log_level="ERROR" ) * | cluster | search _raw="03-13-2014 18:47:08.508 +0100 ERROR ExecProcessor - message from \\"/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity CheckpointSecureManagement\\" ERROR: failed to create session (NO Error)"

If I run $SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber-debug.sh, I get the following log:

[splunk@MOL18107 ~]$ $SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber-debug.sh
Using Splunk instance: /opt/splunk, app name Splunk_TA_opseclea_linux22
DEBUG: LOGGRABBER configuration file is: /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/fw1-loggrabber.conf
DEBUG: function logging_init_env
DEBUG: function open_screen
DEBUG: Open connection to screen.
DEBUG: Logfilename : fw.log
DEBUG: Record Separator : |
DEBUG: Resolve Addresses: No
DEBUG: Show Filenames : No
DEBUG: FW1-2000 : No
DEBUG: Online-Mode : No
DEBUG: Audit-Log : No
DEBUG: Show Fieldnames : Yes
DEBUG: function get_fw1_logfiles
splunk internal call command: $SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/
splunk output: QUERYING: 'https://127.0.0.1:8089/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/'
HTTP Status: 200.
Content:
<?xml version="1.0" encoding="UTF-8"?>
<!--This is to override browser formatting; see server.conf[httpServer] to disable. ... -->
-v opsec_sic_name CN=SplunkLEA,O=MOLFSC01.enagas.eng.jrd7zd -v opsec_sslca_file ../certs/CheckpointSecureManagement.p12 -v lea_server ip MOLFSC01.enagas.eng -v lea_server auth_port 18184 -v lea_server auth_type sslca -v lea_server opsec_entity_sic_name cn=cp_mgmt,o=MOLFSC01.enagas.eng.jrd7zd
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] Env Configuration:
(
:type (opsec_info)
:lea_server (
:opsec_entity_sic_name ("cn=cp_mgmt,o=MOLFSC01.enagas.eng.jrd7zd")
:auth_type (sslca)
:auth_port (18184)
:ip (MOLFSC01.enagas.eng)
)
:opsec_sslca_file ("../certs/CheckpointSecureManagement.p12")
:opsec_sic_name ("CN=SplunkLEA,O=MOLFSC01.enagas.eng.jrd7zd")
)

[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] Could not find info for ...opsec_shared_local_path...
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] Could not find info for ...opsec_sic_policy_file...
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] Could not find info for ...opsec_mt...
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] opsec_init: multithread safety is not initialized
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] cpprng_opsec_initialize: path is not initialized - will initialize
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] cpprng_opsec_initialize: full file name is ops_prng
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] cpprng_opsec_initialize: dev_urandom_poll returned 0
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] opsec_file_is_intialized: seed is initialized
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] cpprng_opsec_initialize: seed init for opsec succeeded
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] PM_policy_create: version 5301.
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] PM_policy_add_name_to_group: finished successfully.
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] PM_policy_set_local_names: () names. finished successfully.
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] PM_policy_create: finished successfully.
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] PM_policy_add_name_to_group: finished successfully.
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] PM_policy_set_local_names: (local_sic_name) names. finished successfully.
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] PM_policy_add_name_to_group: finished successfully.
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] PM_policy_set_local_names: (127.0.0.1) names. finished successfully.
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] PM_policy_add_name_to_group: finished successfully.
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] PM_policy_set_local_names: ("CN=SplunkLEA,O=MOLFSC01.enagas.eng.jrd7zd") names. finished successfully.
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] PM_apply_default_dn: ca_dn = [O=MOLFSC01.enagas.eng.jrd7zd].
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] PM_apply_default_dn: calling PM_policy_DN_conversion ..
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] PM_apply_default_dn: finished successfully.
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] ckpSSLctx_New: prefs = 12
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] CkpRegDir: Environment variable CPDIR is not set.
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] GenerateGlobalEntry: Unable to get registry path
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] ckpSSLctx_New: prefs = 12
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] ckpSSLctx_New: prefs = 32
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] ckpSSLctx_New: prefs = 11
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] ckpSSLctx_New: prefs = 31
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] ckpSSLctx_New: prefs = 12
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] sslcaInitCP_Ex: using asym client without ca cert
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] ckpSSLctx_New: prefs = 12
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] ckpSSLctx_New: prefs = 12
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] sslcaInitCP_Ex: using asym client without ca cert
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] ckpSSLctx_New: prefs = 32
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] ckpSSLctx_New: prefs = 32
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] sslcaInitCP_Ex: using asym client without ca cert
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] ckpSSLctx_New: prefs = 11
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] ckpSSLctx_New: prefs = 11
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] sslcaInitCP_Ex: using asym client without ca cert
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] ckpSSLctx_New: prefs = 31
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] ckpSSLctx_New: prefs = 31
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] opsec_init_sic_id_internal: Added sic id (ctx id = 0)
DEBUG: OPSEC LEA conf file is lea.conf
DEBUG: Authentication mode has been used.
DEBUG: Server-IP : MOLFSC01.enagas.eng
DEBUG: Server-Port : 18184
DEBUG: Authentication type: sslca
DEBUG: OPSEC sic certificate file name : ../certs/CheckpointSecureManagement.p12
DEBUG: Server DN (sic name) : cn=cp_mgmt,o=MOLFSC01.enagas.eng.jrd7zd
DEBUG: OPSEC LEA client DN (sic name) : CN=SplunkLEA,O=MOLFSC01.enagas.eng.jrd7zd
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] opsec_init_entity_sic: called for the client side
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] Configuring entity lea_server
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] Could not find info for ...conn_buf_size...
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] Could not find info for ...no_nagle...
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] Could not find info for ...port...
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] opsec_entity_add_sic_rule: adding rules: apply_to: ME, peer: cn=cp_mgmt,o=MOLFSC01.enagas.eng.jrd7zd, d_ip: NULL, dport 18184, svc: lea, method: sslca
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] opsec_entity_add_sic_rule: adding INBOUND rule
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] opsec_entity_add_sic_rule: adding OUTBOUND rule
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] opsec_get_comm: creating comm for ent=8dff368 peer=8dfe9a0 passive=0 key=2 info=0
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] c=0x8dff368 s=0x8dfe9a0 comm_type=4

[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] Could not find info for ...opsec_client...
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] opsec_get_comm: Creating session hash (size=256)
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] opsec_get_comm: ADDING comm=0x8df4e48 to ent=0x8dff368 with key=2
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] opsec_env_get_context_id_by_peer_sic_name: found context id=0 for peer sic name=cn=cp_mgmt,o=MOLFSC01.enagas.eng.jrd7zd
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] opsec_env_get_sic_handle_by_context_id: found sic handle (ctx id=0)
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] opsec_sic_connect: connecting... (ctx id=0)
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] opsec_get_comm: error in opsec_sic_connect
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] destroying comm 0x8df4e48
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] Destroying comm 0x8df4e48 with 0 active sessions
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] pulling dgtype=ffffffff len=-1 to list=0x8df4e64
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] REMOVING comm=0x8df4e48 from ent=0x8dff368 with key=2
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] Unable to make session
ERROR: failed to create session (NO Error)
DEBUG: function cleanup_fw1_environment
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] Destroying entity 1 with 0 active comms
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] opsec_destroy_entity_sic: deleting sic rules for entity 0x8dff368
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] Destroying entity 2 with 0 active comms
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] opsec_destroy_entity_sic: deleting sic rules for entity 0x8dfe9a0
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] IpcUnMapFile: unmapping file (handle=0x8df46a8)
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] IpcUnMapFile: unmapping file (handle=0x8df4790)
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] IpcUnMapFile: unmapping file (handle=0x8df4810)
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] IpcUnMapFile: unmapping file (handle=0x8df48b0)
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] IpcUnMapFile: unmapping file (handle=0x8df4930)
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] PM_policy_destroy: finished successfully.
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] opsec_destroy_sic_id_internal: Destroyed sic id (ctx id=0)
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] opsec_env_destroy_sic_id_hash: Destroyed sic id hash
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] fwd_env_destroy: env 0x8dd7f40 (alloced = 1)
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] T_env_destroy: env 0x8dd7f40
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] do_fwd_env_destroy: really destroy 0x8dd7f40
DEBUG: function exit_loggrabber
DEBUG: function free_lfield_arrays
DEBUG: function free_afield_arrays
DEBUG: function free_lfield_arrays
DEBUG: function free_afield_arrays
[splunk@MOL18107 ~]$

1 Solution

rroussev_splunk
Splunk Employee

Could you substitute MOLFSC01.enagas.eng with its IP address? If that doesn't work it might be easier to file a support ticket.
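Before falling back to a support ticket, the things worth verifying from the debug output above are whether the configured lea_server name resolves (the substitution the answer suggests), whether the LEA auth port (18184 here) is reachable over TCP, whether the SIC certificate referenced by the relative path actually exists from the TA's bin directory, and whether the client DN, server DN and the ca_dn the library reports all belong to the same ICA domain. The script below is an added example, not code from the Splunk TA or from Check Point; it parses a constructed sample consisting of lines copied from the posted debug output, and the `resolver`, `connect` and `bin_dir` parameters are assumptions of the example so the checks can be driven without network access.

```python
"""Added diagnostic for the OPSEC LEA 'failed to create session (NO Error)' case.

Not part of Splunk_TA_opseclea_linux22 or Check Point's OPSEC SDK. It extracts
the LEA endpoint and SIC identities from lea-loggrabber-debug.sh output and runs
the first-line checks: name resolution, TCP reachability of the auth port,
presence of the SIC certificate, and ICA-domain consistency of the DNs.
"""
import os
import re
import socket

# Constructed sample: lines copied from the debug output posted above.
SAMPLE_DEBUG = """\
DEBUG: Server-IP : MOLFSC01.enagas.eng
DEBUG: Server-Port : 18184
DEBUG: Authentication type: sslca
DEBUG: OPSEC sic certificate file name : ../certs/CheckpointSecureManagement.p12
DEBUG: Server DN (sic name) : cn=cp_mgmt,o=MOLFSC01.enagas.eng.jrd7zd
DEBUG: OPSEC LEA client DN (sic name) : CN=SplunkLEA,O=MOLFSC01.enagas.eng.jrd7zd
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] PM_apply_default_dn: ca_dn = [O=MOLFSC01.enagas.eng.jrd7zd].
"""

# Patterns for the DEBUG lines the loggrabber prints (field names as on the page).
FIELDS = {
    "server": r"DEBUG: Server-IP\s*:\s*(\S+)",
    "port": r"DEBUG: Server-Port\s*:\s*(\d+)",
    "auth_type": r"DEBUG: Authentication type:\s*(\S+)",
    "cert": r"DEBUG: OPSEC sic certificate file name\s*:\s*(\S+)",
    "server_dn": r"DEBUG: Server DN \(sic name\)\s*:\s*(\S+)",
    "client_dn": r"DEBUG: OPSEC LEA client DN \(sic name\)\s*:\s*(\S+)",
    "ca_dn": r"PM_apply_default_dn: ca_dn = \[([^\]]+)\]",
}


def parse_debug(text):
    """Return a dict of the fields found in the debug output."""
    cfg = {}
    for key, pattern in FIELDS.items():
        match = re.search(pattern, text)
        if match:
            cfg[key] = match.group(1)
    return cfg


def dn_org(dn):
    """Return the O= component of a SIC DN (case-insensitive key), or None."""
    for part in dn.split(","):
        key, _, value = part.partition("=")
        if key.strip().lower() == "o":
            return value.strip()
    return None


def default_connect(ip, port, timeout=5.0):
    """Plain TCP connect; True if the port accepts the connection."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_config(cfg, resolver=socket.gethostbyname, connect=default_connect, bin_dir="."):
    """Run the checks; returns {check_name: (ok, detail)}.

    resolver/connect are injectable (assumption of this example) so the logic
    can be exercised offline; bin_dir is the TA's bin directory, from which the
    relative certificate path in the config is resolved.
    """
    results = {}
    host, port = cfg["server"], int(cfg["port"])

    try:
        ip = resolver(host)
        results["resolve"] = (True, f"{host} -> {ip}")
    except OSError as exc:  # socket.gaierror is an OSError
        ip = None
        results["resolve"] = (False, f"{host} does not resolve ({exc}); put the address in lea_server ip")

    if ip is None:
        results["reach"] = (False, "skipped: no address to connect to")
    else:
        ok = connect(ip, port)
        results["reach"] = (ok, f"tcp/{port} on {ip} {'open' if ok else 'unreachable; check the path to the management server'}")

    cert = os.path.normpath(os.path.join(bin_dir, cfg["cert"]))
    ok = os.path.isfile(cert)
    results["cert"] = (ok, f"{cert} {'present' if ok else 'missing'}")

    orgs = {dn_org(cfg["client_dn"]), dn_org(cfg["server_dn"]), dn_org(cfg["ca_dn"])}
    ok = len(orgs) == 1 and None not in orgs
    results["ica"] = (ok, "client, server and CA DNs share one ICA domain" if ok
                      else f"ICA domain mismatch: {sorted(map(str, orgs))}")

    results["auth"] = (cfg.get("auth_type") == "sslca", f"auth_type={cfg.get('auth_type')}")
    return results


if __name__ == "__main__":
    # Real resolver/connect; run from the TA's bin directory for the cert check.
    for name, (ok, detail) in check_config(parse_debug(SAMPLE_DEBUG)).items():
        print(f"[{'OK' if ok else 'FAIL'}] {name}: {detail}")
```

On the host in question, run it from `$SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/bin` after pasting the real debug output into `SAMPLE_DEBUG`. A failing `resolve` check is exactly the case the accepted answer addresses; if resolution and reachability both pass, the problem is on the SIC side (certificate or trust state on the management server), which the library's "(NO Error)" message does not distinguish.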
