Here is the migration guide from 3.1 to 4 for reference:
http://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Releasehistory#Migration_guide
Ensure appropriate starttime is set for a smoother transition!
Reproduced the problem and filed a bug with dev. It's going to take a while, but we will address this. I will update this thread with any news.
You are not using the sourcetype the addon expects; the link you provided recommends extending the existing sourcetype.
You are using indexed_extractions, which is an index-time setting, so once your data is indexed there is nothing you can do to fix it; you would need to re-ingest. But before you do that, try starting by setting your sourcetype to aws:cloudwatch.
Which version are you on? What does your data look like?
I appreciate the sentiment, but this addon is working fine for many customers, so this must be an edge case. Our addons go through comprehensive testing, but we cannot catch everything.
We do love our customers, so we are here to help.
I confirmed CN setting logic in the addon based on the server type and all looks right there. We only do it once when pulling the cert. Your input is correct based on that logic. Upon further research, this may be an issue on the OPSEC side: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk110514
Do we know that the OPSEC server is thinking of itself as dedicated? Might it be configured as primary?
Let's be careful with these assumptions, cn name depends on type of server. Please note, the addon was revamped for 4.0, so assumptions from previous versions may be dangerous.
Your config looks right, but the fact that it tries to connect to cn=cp_mgmt means the code thinks you are working with Primary Management Server vs a dedicated server. See section 2 for more detail: http://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Troubleshoot
Did you change Log Server Type at any point?
This error means that the addon does not have the certificate which needs to be downloaded from OPSEC side in order to establish secure communication.
In OPSEC LEA addon v 4 this should happen automatically as part of the install.
Did you upgrade from an older version?
Did you follow the installation steps here: http://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Setup2?
Note: upgrade will not work, addon needs to be installed fresh
This looks like an issue with file encoding and/or moving the file between systems. Is this how the file looks on the source machine as well? Is your SEP admin doing some weird copy/paste?
If this is indeed how your data will end up looking, I suggest creating a local copy of transforms.conf and adding, to each space delimiter in the REGEXes, an optional match for null. Something like this: [\s*|null]
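The space-or-null delimiter idea from the post above, as an added example in Python that is not part of the original thread or of Splunk's add-on code. It assumes a simplified, constructed SEP-style record layout (not the real SEP format) and expresses the delimiter as a regex alternation `(?:\s+|null)`; the field names, the helper functions and the sample lines are invented for illustration.

```python
import re
from typing import Optional

# Hypothetical delimiter pattern: accept a run of whitespace OR the literal
# token "null" between fields, so that both the clean record and the mangled
# copy (where spaces arrived as "null") parse the same way.
DELIM = r"(?:\s+|null)"

# Constructed field layout for a simplified SEP-style record:
#   <date> <time> <host> <severity> <action>
# Non-greedy \S+? lets each value stop at the first delimiter (space or "null").
FIELD_REGEX = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})" + DELIM
    + r"(?P<time>\d{2}:\d{2}:\d{2})" + DELIM
    + r"(?P<host>\S+?)" + DELIM
    + r"(?P<severity>\S+?)" + DELIM
    + r"(?P<action>\S+)$"
)

# Constructed sample lines: a clean record and the same record after a lossy
# copy between systems turned every space delimiter into the word "null".
GOOD_LINE = "2016-03-01 10:15:22 sep01 Warning Blocked"
MANGLED_LINE = "2016-03-01null10:15:22nullsep01nullWarningnullBlocked"


def parse_sep_line(line: str) -> Optional[dict]:
    """Return the extracted fields as a dict, or None if the line does not
    match the layout (e.g. a truncated or otherwise garbled record).

    Caveat: a field value that legitimately contains "null" in the middle
    (e.g. a host named "abcnullxyz") can be split at the wrong place. That
    ambiguity is inherent to the workaround, which is why re-ingesting
    correctly encoded data is preferable to parsing around the damage.
    """
    match = FIELD_REGEX.match(line.strip())
    if match is None:
        return None
    return match.groupdict()


def parse_many(lines):
    """Parse a batch of lines, keeping unparseable ones in a separate list so
    they can be reviewed instead of being silently dropped."""
    parsed, rejected = [], []
    for line in lines:
        fields = parse_sep_line(line)
        if fields is None:
            rejected.append(line)
        else:
            parsed.append(fields)
    return parsed, rejected


if __name__ == "__main__":
    ok, bad = parse_many([GOOD_LINE, MANGLED_LINE, "not a record"])
    for fields in ok:
        print(fields)
    print("rejected:", bad)
```

Both sample lines yield the same field dictionary, while a line that fits neither form is reported rather than partially extracted.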
The improvements are in performance and error handling as well as reducing configuration problems by removing direct loggrabber configuration access. There are ways to filter out data, see below. Additional filtering options will be available down the road.
You can select the type of data you want downloaded from the checkpoint device - when configuring an input:
In the Data menu, choose the data you want to collect for the input.
Non-Audit: Collects all event types except audit events.
Firewall Events: Collects firewall events only.
Firewall Audit: Collects audit events only.
SmartDefense (Smart Defense): Collects Smart Defense events only.
VPN (Virtual Private Network): Collects VPN events only.
We are actually working on an upgrade, but feel free to use indexed_extractions instead by setting the sourcetype to bluecoat:proxysg:access:file.
Sounds like you were using the bluecoat:proxysg:access:file sourcetype to leverage INDEXED_EXTRACTIONS. Is that correct?
If so, you can try to use the sourcetype bluecoat:proxysg:access:syslog with the recommended log format configured (default bcereportermain_v1) on the Blue Coat side: http://docs.splunk.com/Documentation/AddOns/latest/BlueCoatProxySG/Sourcetypes
Yes, you need to edit outputs.conf on your forwarder: http://docs.splunk.com/Documentation/Forwarder/6.4.0/Forwarder/Configureforwardingwithoutputs.conf
Some more reading on this error:
https://answers.splunk.com/answers/5590/could-not-send-data-to-the-output-queue.html
https://answers.splunk.com/answers/7582/tailingprocessor-could-not-send-data-to-output-queue-parsingqueue-retrying.html