Splunk Search

Checkpoint OPSEC LEA is not working

apezuela
Explorer

Hi,

My Checkpoint OPSEC LEA is working.

I get the following Splunk log:

index=_internal host="MOL18107" ( source="*splunkd.log" ) ( log_level="ERROR" ) * | cluster | search _raw="03-13-2014 18:47:08.508 +0100 ERROR ExecProcessor - message from \\"/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity CheckpointSecureManagement\\" ERROR: failed to create session (NO Error)"

If I run $SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber-debug.sh, I get the following log:

[splunk@MOL18107 ~]$ $SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber-debug.sh
Using Splunk instance: /opt/splunk, app name Splunk_TA_opseclea_linux22
DEBUG: LOGGRABBER configuration file is: /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/fw1-loggrabber.conf
DEBUG: function logging_init_env
DEBUG: function open_screen
DEBUG: Open connection to screen.
DEBUG: Logfilename : fw.log
DEBUG: Record Separator : |
DEBUG: Resolve Addresses: No
DEBUG: Show Filenames : No
DEBUG: FW1-2000 : No
DEBUG: Online-Mode : No
DEBUG: Audit-Log : No
DEBUG: Show Fieldnames : Yes
DEBUG: function get_fw1_logfiles
splunk internal call command: $SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/
splunk output: QUERYING: 'https://127.0.0.1:8089/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/opsec_conf/'
HTTP Status: 200.
Content:
<?xml version="1.0" encoding="UTF-8"?>
<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
-v opsec_sic_name CN=SplunkLEA,O=MOLFSC01.enagas.eng.jrd7zd -v opsec_sslca_file ../certs/CheckpointSecureManagement.p12 -v lea_server ip MOLFSC01.enagas.eng -v lea_server auth_port 18184 -v lea_server auth_type sslca -v lea_server opsec_entity_sic_name cn=cp_mgmt,o=MOLFSC01.enagas.eng.jrd7zd
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] Env Configuration:
(
:type (opsec_info)
:lea_server (
:opsec_entity_sic_name ("cn=cp_mgmt,o=MOLFSC01.enagas.eng.jrd7zd")
:auth_type (sslca)
:auth_port (18184)
:ip (MOLFSC01.enagas.eng)
)
:opsec_sslca_file ("../certs/CheckpointSecureManagement.p12")
:opsec_sic_name ("CN=SplunkLEA,O=MOLFSC01.enagas.eng.jrd7zd")
)

[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] Could not find info for ...opsec_shared_local_path...
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] Could not find info for ...opsec_sic_policy_file...
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] Could not find info for ...opsec_mt...
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] opsec_init: multithread safety is not initialized
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] cpprng_opsec_initialize: path is not initialized - will initialize
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] cpprng_opsec_initialize: full file name is ops_prng
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] cpprng_opsec_initialize: dev_urandom_poll returned 0
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] opsec_file_is_intialized: seed is initialized
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] cpprng_opsec_initialize: seed init for opsec succeeded
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] PM_policy_create: version 5301.
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] PM_policy_add_name_to_group: finished successfully.
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] PM_policy_set_local_names: () names. finished successfully.
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] PM_policy_create: finished successfully.
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] PM_policy_add_name_to_group: finished successfully.
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] PM_policy_set_local_names: (local_sic_name) names. finished successfully.
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] PM_policy_add_name_to_group: finished successfully.
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] PM_policy_set_local_names: (127.0.0.1) names. finished successfully.
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] PM_policy_add_name_to_group: finished successfully.
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] PM_policy_set_local_names: ("CN=SplunkLEA,O=MOLFSC01.enagas.eng.jrd7zd") names. finished successfully.
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] PM_apply_default_dn: ca_dn = [O=MOLFSC01.enagas.eng.jrd7zd].
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] PM_apply_default_dn: calling PM_policy_DN_conversion ..
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] PM_apply_default_dn: finished successfully.
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] ckpSSLctx_New: prefs = 12
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] CkpRegDir: Environment variable CPDIR is not set.
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] GenerateGlobalEntry: Unable to get registry path
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] ckpSSLctx_New: prefs = 12
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] ckpSSLctx_New: prefs = 32
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] ckpSSLctx_New: prefs = 11
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] ckpSSLctx_New: prefs = 31
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] ckpSSLctx_New: prefs = 12
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] sslcaInitCP_Ex: using asym client without ca cert
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] ckpSSLctx_New: prefs = 12
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] ckpSSLctx_New: prefs = 12
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] sslcaInitCP_Ex: using asym client without ca cert
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] ckpSSLctx_New: prefs = 32
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] ckpSSLctx_New: prefs = 32
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] sslcaInitCP_Ex: using asym client without ca cert
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] ckpSSLctx_New: prefs = 11
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] ckpSSLctx_New: prefs = 11
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] sslcaInitCP_Ex: using asym client without ca cert
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] ckpSSLctx_New: prefs = 31
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] ckpSSLctx_New: prefs = 31
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] opsec_init_sic_id_internal: Added sic id (ctx id = 0)
DEBUG: OPSEC LEA conf file is lea.conf
DEBUG: Authentication mode has been used.
DEBUG: Server-IP : MOLFSC01.enagas.eng
DEBUG: Server-Port : 18184
DEBUG: Authentication type: sslca
DEBUG: OPSEC sic certificate file name : ../certs/CheckpointSecureManagement.p12
DEBUG: Server DN (sic name) : cn=cp_mgmt,o=MOLFSC01.enagas.eng.jrd7zd
DEBUG: OPSEC LEA client DN (sic name) : CN=SplunkLEA,O=MOLFSC01.enagas.eng.jrd7zd
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] opsec_init_entity_sic: called for the client side
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] Configuring entity lea_server
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] Could not find info for ...conn_buf_size...
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] Could not find info for ...no_nagle...
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] Could not find info for ...port...
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] opsec_entity_add_sic_rule: adding rules: apply_to: ME, peer: cn=cp_mgmt,o=MOLFSC01.enagas.eng.jrd7zd, d_ip: NULL, dport 18184, svc: lea, method: sslca
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] opsec_entity_add_sic_rule: adding INBOUND rule
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] opsec_entity_add_sic_rule: adding OUTBOUND rule
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] opsec_get_comm: creating comm for ent=8dff368 peer=8dfe9a0 passive=0 key=2 info=0
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] c=0x8dff368 s=0x8dfe9a0 comm_type=4

[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] Could not find info for ...opsec_client...
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] opsec_get_comm: Creating session hash (size=256)
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] opsec_get_comm: ADDING comm=0x8df4e48 to ent=0x8dff368 with key=2
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] opsec_env_get_context_id_by_peer_sic_name: found context id=0 for peer sic name=cn=cp_mgmt,o=MOLFSC01.enagas.eng.jrd7zd
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] opsec_env_get_sic_handle_by_context_id: found sic handle (ctx id=0)
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] opsec_sic_connect: connecting... (ctx id=0)
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] opsec_get_comm: error in opsec_sic_connect
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] destroying comm 0x8df4e48
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] Destroying comm 0x8df4e48 with 0 active sessions
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] pulling dgtype=ffffffff len=-1 to list=0x8df4e64
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] REMOVING comm=0x8df4e48 from ent=0x8dff368 with key=2
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] Unable to make session
ERROR: failed to create session (NO Error)
DEBUG: function cleanup_fw1_environment
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] Destroying entity 1 with 0 active comms
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] opsec_destroy_entity_sic: deleting sic rules for entity 0x8dff368
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] Destroying entity 2 with 0 active comms
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] opsec_destroy_entity_sic: deleting sic rules for entity 0x8dfe9a0
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] IpcUnMapFile: unmapping file (handle=0x8df46a8)
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] IpcUnMapFile: unmapping file (handle=0x8df4790)
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] IpcUnMapFile: unmapping file (handle=0x8df4810)
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] IpcUnMapFile: unmapping file (handle=0x8df48b0)
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] IpcUnMapFile: unmapping file (handle=0x8df4930)
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] PM_policy_destroy: finished successfully.
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] opsec_destroy_sic_id_internal: Destroyed sic id (ctx id=0)
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] opsec_env_destroy_sic_id_hash: Destroyed sic id hash
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] fwd_env_destroy: env 0x8dd7f40 (alloced = 1)
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] T_env_destroy: env 0x8dd7f40
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] do_fwd_env_destroy: really destroy 0x8dd7f40
DEBUG: function exit_loggrabber
DEBUG: function free_lfield_arrays
DEBUG: function free_afield_arrays
DEBUG: function free_lfield_arrays
DEBUG: function free_afield_arrays
[splunk@MOL18107 ~]$

1 Solution

rroussev_splunk
Splunk Employee

Could you substitute MOLFSC01.enagas.eng with its IP address? If that doesn't work it might be easier to file a support ticket.
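The debug trace above fails at opsec_sic_connect with no SIC handshake messages following it, which is why the answer points at the host address first. The following is an added triage helper, not part of the original post or of the Splunk_TA_opseclea_linux22 add-on: it parses the DEBUG and OPSEC lines of the lea-loggrabber-debug.sh output, reports at which step the session attempt failed, renders the equivalent lea.conf entries with the hostname swapped for an IP address (the key names match the -v list shown in the trace), and offers an optional TCP reachability precheck. The sample log, the function names and the placeholder address 192.0.2.10 are constructed for this example.

```python
"""Triage helper for OPSEC LEA debug output (lea-loggrabber-debug.sh).

Added example; not code from the Splunk add-on. It reads the trace text,
extracts the effective LEA settings, and classifies where the session
attempt failed so an operator knows whether to look at transport
(name resolution, routing, port 18184) or at SIC trust first.
"""
import re
import socket
from typing import Dict, List, Optional

# Constructed sample: the relevant lines of the debug trace above, trimmed.
SAMPLE_LOG = """\
DEBUG: Server-IP : MOLFSC01.enagas.eng
DEBUG: Server-Port : 18184
DEBUG: Authentication type: sslca
DEBUG: OPSEC sic certificate file name : ../certs/CheckpointSecureManagement.p12
DEBUG: Server DN (sic name) : cn=cp_mgmt,o=MOLFSC01.enagas.eng.jrd7zd
DEBUG: OPSEC LEA client DN (sic name) : CN=SplunkLEA,O=MOLFSC01.enagas.eng.jrd7zd
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] Could not find info for ...conn_buf_size...
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] opsec_sic_connect: connecting... (ctx id=0)
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] opsec_get_comm: error in opsec_sic_connect
[ 3046 4160468672]@MOL18107[13 Mar 18:38:12] Unable to make session
ERROR: failed to create session (NO Error)
"""

DEBUG_RE = re.compile(r"^DEBUG:\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.*)$")
OPSEC_RE = re.compile(r"^\[[^\]]*\]@\S+\[[^\]]*\]\s*(?P<msg>.*)$")
MISSING_RE = re.compile(r"Could not find info for \.\.\.(\w+)\.\.\.")
ERROR_IN_RE = re.compile(r"error in (?P<func>\w+)")


def parse_debug_log(text: str) -> dict:
    """Split the trace into settings, harmless 'Could not find info' notes,
    the first OPSEC function that reported an error, and the fatal ERROR line."""
    settings: Dict[str, str] = {}
    missing_info: List[str] = []
    failed_in: Optional[str] = None
    fatal: Optional[str] = None
    for line in text.splitlines():
        m = DEBUG_RE.match(line)
        if m:  # "DEBUG: Key : Value" lines; "DEBUG: function x" has no value and is skipped
            settings[m.group("key")] = m.group("value")
            continue
        m = OPSEC_RE.match(line)
        if m:
            msg = m.group("msg")
            mi = MISSING_RE.search(msg)
            if mi:  # optional keys the library looks up; informational only
                missing_info.append(mi.group(1))
                continue
            me = ERROR_IN_RE.search(msg)
            if me and failed_in is None:
                failed_in = me.group("func")
            continue
        if line.startswith("ERROR:"):
            fatal = line[len("ERROR:"):].strip()
    return {"settings": settings, "missing_info": missing_info,
            "failed_in": failed_in, "fatal": fatal}


def diagnose(report: dict) -> str:
    """Map the failing OPSEC function to the layer an operator should check first."""
    failed_in = report["failed_in"]
    if failed_in == "opsec_sic_connect":
        host = report["settings"].get("Server-IP", "?")
        port = report["settings"].get("Server-Port", "?")
        return (f"transport: opsec_sic_connect to {host}:{port} failed with no SIC "
                "handshake messages after it; verify name resolution, routing/firewall "
                "and that the LEA port is listening (try the IP address instead of the hostname)")
    if failed_in:
        return f"opsec: error reported in {failed_in}; inspect the OPSEC messages around it"
    if report["fatal"]:
        return f"fatal: {report['fatal']} without an OPSEC error line; inspect the full trace"
    return "ok: no error reported"


def lea_conf_with_ip(settings: Dict[str, str], ip: str) -> List[str]:
    """Render lea.conf entries equivalent to the parsed settings, with the
    lea_server ip replaced by the given address. The SIC names are unchanged:
    they must still match the management server's certificate regardless of ip."""
    return [
        f"lea_server ip {ip}",
        f"lea_server auth_port {settings['Server-Port']}",
        f"lea_server auth_type {settings['Authentication type']}",
        f'lea_server opsec_entity_sic_name "{settings["Server DN (sic name)"]}"',
        f'opsec_sic_name "{settings["OPSEC LEA client DN (sic name)"]}"',
        f"opsec_sslca_file {settings['OPSEC sic certificate file name']}",
    ]


def precheck(host: str, port: int, timeout: float = 3.0) -> dict:
    """Resolve the host and open a plain TCP connection to the LEA port.
    Success proves reachability only; SIC certificate trust is a separate step."""
    result = {"host": host, "port": port, "resolved_ip": None, "tcp_connect": False, "error": None}
    try:
        result["resolved_ip"] = socket.gethostbyname(host)
        with socket.create_connection((result["resolved_ip"], port), timeout=timeout):
            result["tcp_connect"] = True
    except OSError as exc:  # covers socket.gaierror and connection errors
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    report = parse_debug_log(SAMPLE_LOG)
    print(diagnose(report))
    print("\n".join(lea_conf_with_ip(report["settings"], "192.0.2.10")))  # placeholder IP
    # Live check against the host named in the trace (does DNS and TCP from this machine).
    print(precheck(report["settings"]["Server-IP"], int(report["settings"]["Server-Port"])))
```

Run it against a saved copy of the debug output (replace SAMPLE_LOG with the file contents) before changing lea.conf; if precheck shows name resolution or TCP failing, fixing that comes before any SIC work, and if TCP succeeds with the hostname but the session still fails, the IP substitution is unlikely to help and the SIC names and the .p12 file are the next things to compare against the management server.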

