Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About mikaelbje
mikaelbje
Motivator
Member since:
09-05-2012
06-05-2020
Community Statistics
| Posts | 443 |
| Solutions | 40 |
| Karma Given | 216 |
| Karma Received | 153 |
| Member Since | 09-05-2012 |
Activity Feed
- Got Karma for Re: Is there a way to specify the Splunk search Schedule Window defaults?. 03-10-2023 03:23 AM
- Got Karma for Re: How can I change the location of accelerated data model summary data?. 12-01-2022 01:31 AM
- Got Karma for Re: Indexer Cluster and Search Head Cluster with Datamodel Acceleration. 07-20-2022 09:18 AM
- Got Karma for Re: Why would the source type cisco:ios not be getting created? Can I add it manually?. 02-13-2022 06:35 PM
- Got Karma for Re: Forwarding logs from Windows Event Collector. 08-29-2020 02:56 AM
- Got Karma for Re: How would one correctly configure DATETIME_CONFIG for an app that could be installed in either an indexer cluster or standalone splunk?. 07-21-2020 01:47 AM
- Karma Re: Syslog events not matching IOS XR regex to transform for rphillips_splk. 06-05-2020 12:49 AM
- Got Karma for Re: Cisco ESA Combine logs. 06-05-2020 12:49 AM
- Got Karma for Re: Cisco ESA Combine logs. 06-05-2020 12:49 AM
- Got Karma for Re: Cisco Firepower Systems (FTD) . Any ready made addons/TA available?. 06-05-2020 12:49 AM
- Karma Is there a Splunk App or Add-on that will help read and comprehend ADFS 3.0 authentication logs? for mgrulke. 06-05-2020 12:48 AM
- Karma Update of Splunk WSA Plugin to support WSA 10.x for tmayer. 06-05-2020 12:48 AM
- Karma How to set a token with eval? for jamesmarlowww. 06-05-2020 12:48 AM
- Karma Getting Cisco Ironport ESA data into the Common Information Model for kalifehj. 06-05-2020 12:48 AM
- Karma Re: Getting Cisco Ironport ESA data into the Common Information Model for kalifehj. 06-05-2020 12:48 AM
- Karma Why are searches stuck at "finalizing job" after upgrade to 6.5.0? for varad_joshi. 06-05-2020 12:48 AM
- Karma Re: Why are searches stuck at "finalizing job" after upgrade to 6.5.0? for sgarvin55. 06-05-2020 12:48 AM
- Karma Re: How to search for fields that cross correlate with a specified field? for jeffland. 06-05-2020 12:48 AM
- Karma Is it possible to do a "dry-run" of a serverclass configuration to see how it will actually deploy? for reedmohn. 06-05-2020 12:48 AM
- Karma Re: How to use my LDAP strategy to add all users in a domain to Splunk? for DalJeanis. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 |
09-05-2016
03:40 AM
Re jamesarmitage's answer:
log_level=3 file:lea_loggrabber.cpp func_name:open_screen code_line_no:5612 :Open connection to screen.
log_level=3 file:lea_loggrabber.cpp func_name:main_worker code_line_no:1160 :Logfilename : fw.log
log_level=3 file:lea_loggrabber.cpp func_name:main_worker code_line_no:1161 :Record Separator : |
log_level=3 file:lea_loggrabber.cpp func_name:main_worker code_line_no:1162 :Resolve Addresses: No
log_level=3 file:lea_loggrabber.cpp func_name:main_worker code_line_no:1163 :Show Filenames : No
log_level=3 file:lea_loggrabber.cpp func_name:main_worker code_line_no:1164 :FW1-2000 : No
log_level=3 file:lea_loggrabber.cpp func_name:main_worker code_line_no:1165 :Online-Mode : No
log_level=3 file:lea_loggrabber.cpp func_name:main_worker code_line_no:1166 :Audit-Log : Yes
log_level=3 file:lea_loggrabber.cpp func_name:main_worker code_line_no:1167 :Show Fieldnames : Yes
log_level=3 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2255 :Enter
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: -v
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: opsec_sic_name
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: CN=SplunkLEA,O=cpserver.example.com..abab9q
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: -v
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: opsec_sslca_file
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: /opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/opsec_logs_1496239478.p12
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: -v
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: lea_server
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: ip
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: 1.1.1.1
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: -v
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: lea_server
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: auth_port
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: 18184
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: -v
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: lea_server
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: auth_type
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: sslca
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: -v
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: lea_server
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: opsec_entity_sic_name
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: CN=cp_mgmt,O=cpserver.example.com..abab9q
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:10] Env Configuration:
(
:type (opsec_info)
:lea_server (
:opsec_entity_sic_name ("CN=cp_mgmt,O=cpserver.example.com..abab9q")
:auth_type (sslca)
:auth_port (18184)
:ip (1.1.1.1)
)
:opsec_sslca_file ("/opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/opsec_logs_1496239478.p12")
:opsec_sic_name ("CN=SplunkLEA,O=cpserver.example.com..abab9q")
)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:10] Could not find info for ...opsec_shared_local_path...
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:10] Could not find info for ...opsec_sic_policy_file...
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:10] Could not find info for ...opsec_mt...
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:10] opsec_init: multithread safety is not initialized
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:10] cpprng_opsec_initialize: path is not initialized - will initialize
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:10] cpprng_opsec_initialize: full file name is ops_prng
log_level=3 file:lea_loggrabber.cpp func_name:main code_line_no:1107 :Current pid=54515 parent_pid=52671, Sleeping 1 sec
log_level=3 file:lea_loggrabber.cpp func_name:main code_line_no:1107 :Current pid=54515 parent_pid=52671, Sleeping 1 sec
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] cpprng_opsec_initialize: dev_urandom_poll returned 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_file_is_intialized: seed is initialized
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] cpprng_opsec_initialize: seed init for opsec succeeded
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] PM_policy_create: version 5301.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] PM_policy_add_name_to_group: finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] PM_policy_set_local_names: () names. finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] PM_policy_create: finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] PM_policy_add_name_to_group: finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] PM_policy_set_local_names: (local_sic_name) names. finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] PM_policy_add_name_to_group: finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] PM_policy_set_local_names: (127.0.0.1) names. finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] PM_policy_add_name_to_group: finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] PM_policy_set_local_names: ("CN=SplunkLEA,O=cpserver.example.com..abab9q") names. finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] get_bc_ds_choiceID: Failed to open registry; using default
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] PM_apply_default_dn: ca_dn = [O=cpserver.example.com..abab9q].
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] PM_apply_default_dn: calling PM_policy_DN_conversion ..
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] PM_apply_default_dn: finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] fwPubKeyfromPKCS8: decoding RSA key
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] ckpSSLctx_New: prefs = 12
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] ckpSSLctx_New: prefs = 12
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_init_sslca: calling sic_set_auth_handler_save_opaque, server_opaque - defs = 0xf6c16f80, client_opaque - defs = 0xf6c16f80
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] ckpSSLctx_New: prefs = 32
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_init_sslca: calling sic_set_auth_handler_save_opaque, server_opaque - defs = 0xf6c18060, client_opaque - defs = 0xf6c18060
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] ckpSSLctx_New: prefs = 11
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_init_sslca: calling sic_set_auth_handler_save_opaque, server_opaque - defs = 0xf6c19238, client_opaque - defs = 0xf6c19238
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] ckpSSLctx_New: prefs = 31
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_init_sslca: calling sic_set_auth_handler_save_opaque, server_opaque - defs = 0xf6c1a3f8, client_opaque - defs = 0xf6c1a3f8
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] ckpSSLctx_New: prefs = 12
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_init_sslca: calling sic_set_auth_handler_save_opaque, server_opaque - defs = 0xf6c1b5b8, client_opaque - defs = 0xf6c1b5b8
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] sslcaInitCP_Ex: using asym client without ca cert
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] ckpSSLctx_New: prefs = 12
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] ckpSSLctx_New: prefs = 12
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_init_sslca: calling sic_set_auth_handler_save_opaque, server_opaque - defs = 0xf6c1d348, client_opaque - defs = 0xf6c1bee0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] sslcaInitCP_Ex: using asym client without ca cert
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] ckpSSLctx_New: prefs = 32
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] ckpSSLctx_New: prefs = 32
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_init_sslca: calling sic_set_auth_handler_save_opaque, server_opaque - defs = 0xf6c1f0e8, client_opaque - defs = 0xf6c1dc88
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] sslcaInitCP_Ex: using asym client without ca cert
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] ckpSSLctx_New: prefs = 11
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] ckpSSLctx_New: prefs = 11
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_init_sslca: calling sic_set_auth_handler_save_opaque, server_opaque - defs = 0xf6c20e68, client_opaque - defs = 0xf6c1fa08
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] sslcaInitCP_Ex: using asym client without ca cert
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] ckpSSLctx_New: prefs = 31
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] ckpSSLctx_New: prefs = 31
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_init_sslca: calling sic_set_auth_handler_save_opaque, server_opaque - defs = 0xf6c22bb8, client_opaque - defs = 0xf6c21750
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] sic_sslca_Free: defs = 0xf6c16680, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_init_sic_id_internal: Added sic id (ctx id = 0)
log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2274 :Successfully create opsec environment
log_level=3 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2277 :OPSEC LEA conf file is lea.conf
log_level=3 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2304 :Authentication mode has been used.
log_level=3 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2305 :Server-IP : 1.1.1.1
log_level=3 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2306 :Server-Port : 18184
log_level=3 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2307 :Authentication type: sslca
log_level=3 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2309 :OPSEC sic certificate file name : /opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/opsec_logs_1496239478.p12
log_level=3 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2310 :Server DN (sic name) : CN=cp_mgmt,O=cpserver.example.com..abab9q
log_level=3 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2311 :OPSEC LEA client DN (sic name) : CN=SplunkLEA,O=cpserver.example.com..abab9q
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_init_entity_sic: called for the client side
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] Configuring entity lea_server
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] Could not find info for ...conn_buf_size...
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] Could not find info for ...no_nagle...
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] Could not find info for ...port...
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_entity_add_sic_rule: adding rules: apply_to: ME, peer: CN=cp_mgmt,O=cpserver.example.com..abab9q, d_ip: NULL, dport 18184, svc: lea, method: sslca
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_entity_add_sic_rule: adding INBOUND rule
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_entity_add_sic_rule: adding OUTBOUND rule
log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2357 :Successfully initialize client/server-pair
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_get_comm: creating comm for ent=f6c16458 peer=f6c15e48 passive=0 key=2 info=0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] c=0xf6c16458 s=0xf6c15e48 comm_type=4
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] Could not find info for ...opsec_client...
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_get_comm: Creating session hash (size=256)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_get_comm: ADDING comm=0xf6c15570 to ent=0xf6c16458 with key=2
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_env_get_context_id_by_peer_sic_name: found context id=0 for peer sic name=CN=cp_mgmt,O=cpserver.example.com..abab9q
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_env_get_sic_handle_by_context_id: found sic handle (ctx id=0)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] opsec_sic_connect: connecting... (ctx id=0)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] fw_do_get_all_ipaddrs: called. naddrs=32769
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] resolver_getaddrinfo_list: name=splunkhf.example.com, pref=0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] resolver_getaddrinfo_list: found peer 0 10.62.9.30
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] fw_do_get_all_ipaddrs: fw_ipaddr_both returned 10.62.9.30 ::
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] fw_do_get_all_ipaddrs: found 1 addresses
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] peers addresses are
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] fe80::2e44:fdff:fe7a:73c8
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] resolver_gethostbyname: Performing gethostbyname for splunkhf.example.com
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] peers addresses are
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] 10.62.9.30
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] cpsicdemux_get_mode: the mode is 1
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] cpsicdemux_check_mode: server_mode=1 | requested_mode=1
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] fwasync_get_maxbuf: maxbuf=4194304
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] T_event_epoll_report: EPOLL API disabled; SELECT is used
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] SESSION ID:3 is sending DG_TYPE=1
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] pushing dgtype=1 len=0 to list=0xf6c1558c
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] SESSION ID:3 is sending DG_TYPE=402
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] pushing dgtype=402 len=27 to list=0xf6c1558c
log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2371 :Successfully create session
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] fwasync_conn_params: <a3e091e,38046> -> <ac10c80c,18184>
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] fwasync_connbuf_realloc: reallocating 0 from 0 to 1028
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:12] fwasync_connbuf_realloc: reallocating 0 from 0 to 1028
log_level=3 file:lea_loggrabber.cpp func_name:main code_line_no:1107 :Current pid=54515 parent_pid=52671, Sleeping 1 sec
log_level=3 file:lea_loggrabber.cpp func_name:main code_line_no:1107 :Current pid=54515 parent_pid=52671, Sleeping 1 sec
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] sic_client_set_version: 11: protocol version is 59000000
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] cpsicdemux_check_mode: server_mode=1 | requested_mode=1
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] call_handlers_list: no conversion done, set CN=cp_mgmt,O=cpserver.example.com..abab9q as sic name
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] PM_session_init: given session O(CN=SplunkLEA,O=cpserver.example.com..abab9q;CN=cp_mgmt,O=cpserver.example.com..abab9q;18184;lea).
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] PM_policy_query: input session O(CN=SplunkLEA,O=cpserver.example.com..abab9q;CN=cp_mgmt,O=cpserver.example.com..abab9q;18184;lea).
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] PM_policy_query: rule found (ME;CN=cp_mgmt,O=cpserver.example.com..abab9q;18184;lea;sslca(1/1)).
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] PM_policy_query: finished successfully. 1st method = sslca
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] PM_policy_choose: finished successfully. choose: sslca.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] sic_client_call_auth_func: calling save_opaque_cb, defs = 0xf6c16f80.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] check_if_sslca_auth_and_save_opaque: calling sic_sslca_defs_save, defs = 0xf6c16f80.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] sic_sslca_defs_save: defs = 0xf6c16f80, references = 2
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwasync_conn_get: get max buffer size (4194304) .
log_level=3 file:lea_loggrabber.cpp func_name:main code_line_no:1107 :Current pid=54515 parent_pid=52671, Sleeping 1 sec
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] sslca_get_session_db: Using cache file /etc/fw/database//SessionCache
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] sslca_read_session: failed to get cached session
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] auth_sslca_clnt_handler: failed to read session
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ckpSSL_PrepareConnection: verify mode: 3
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] My SSL Ciphers:
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] Cipher List:
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 0: AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 1: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 2: DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 3: RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ckpSSL_NegotiateStep: current state = before/connect initialization
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] is_initialized: new process or forked
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwprng_get_entropy_collection_time_opsec: value read is 1473071258
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] cpprng_get_opsec_entropy_collection_time: entropy_collection time returned is 1473071258
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ckpSSL_NegotiateStep: should retry.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ckpSSL_NegotiateStep: current state = SSLv3 read server hello A
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwCert_FixChain_do: 2 certificates
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] PubKey:
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] Modulus:
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] d4 40 1c 45 91 7d 98 ab 96 23 2b bc 74 89 1a 45 00 f8 37 af
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 80 e9 69 65 3a 5b b3 e0 c3 79 af af 08 68 74 7f 86 fc f1 6a
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ad 28 44 42 7b 86 27 ea 37 cb cd 21 1f 27 34 e1 d8 32 76 b6
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 25 21 68 5e 46 c8 5b 12 89 8e 0e a7 1d 9d 93 a0 de 82 d6 ad
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 5b 10 11 27 0c 76 cc 56 06 56 95 c4 bf c7 e4 0b 68 6d 51 b5
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 35 5e 2e ea ef 78 44 0a d9 3d 6e 9c 6e 7e a2 72 89 b3 d8 d9
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 6b d6 56 c6 21 58 07 d9
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] Exponent: 65537 (0x10001)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] X509 Certificate Version 3
Serial Number: 3046
Issuer: O=cpserver.example.com..abab9q
Subject: CN=cp_mgmt,O=cpserver.example.com..abab9q
Not valid before: Fri Jul 25 02:11:59 2014 Local Time
Not valid after: Thu Jul 25 02:11:59 2019 Local Time
Signature Algorithm: RSA with SHA-1 Public key: RSA (1024 bits)
Extensions:
Key Usage:
digitalSignature
keyEncipherment
Basic Constraint:
not CA
CRL distribution Points:
URI: http://cpserver.example.com:18264/ICA_CRL0.crl
DN: CN=ICA_CRL0,O=cpserver.example.com..abab9q
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] PubKey:
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] Modulus:
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ce 22 3c 31 a0 55 32 96 eb 6c fb be 9e a6 1c b4 21 e4 20 28
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] c2 26 b5 4f 12 de e8 c7 55 a3 2f 78 d8 73 42 7d f4 b2 89 c6
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 4d af 9f fe fc b7 2f 95 a4 1b a3 66 58 ea 54 a6 9f 0c 40 4e
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] f7 b1 13 bf 25 de c0 01 a1 3c b5 3a ed ca cc 87 04 43 6e 38
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 50 78 f4 73 99 87 7a 7c 84 86 8c ab af e2 53 25 d6 05 5c f3
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 24 3c 1e 3c 5a 5d e1 2f 49 ad 1f 53 41 4e f5 fd 07 15 7e 32
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 42 7f fa 70 84 3b 64 b1 49 33 74 61 df aa 76 b6 64 f3 f7 a3
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 5f a5 2a 0a 78 48 4d 4f ed f6 a8 1e 2d 36 d7 08 d3 fe b6 02
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 0d ac f1 ed 39 ba 36 f4 3d c1 56 f7 34 cc fd f3 df 5d 4a 99
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] a1 9a 29 f7 d4 c1 69 96 0b 49 1b 23 1c 73 3c 22 00 e7 53 e7
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fa 4c dc c0 a3 42 7e c2 6c 54 21 a2 d6 8f 33 c9 48 69 62 bb
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 15 80 fa 3b 6e 86 a7 15 a4 c8 3c 2f 4a b5 da d8 4e 8c ea f6
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 15 b6 bc 6f 63 a8 68 01 f4 e3 0e ec 16 f9 da 8d
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] Exponent: 3 (0x3)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] X509 Certificate Version 3
Serial Number: 1
Issuer: O=cpserver.example.com..abab9q
Subject: O=cpserver.example.com..abab9q
Not valid before: Mon Apr 28 14:11:54 2003 Local Time
Not valid after: Sun Apr 23 14:11:54 2023 Local Time
Signature Algorithm: RSA with SHA-1 Public key: RSA (2048 bits)
Extensions:
Key Usage:
digitalSignature
keyCertSign
cRLSign
Basic Constraint (Critical):
is CA
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwKeyHolder:
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] Root CAs
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 1: internal_ca
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] O=cpserver.example.com..abab9q
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] Certified keys
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 1: SplunkLEA
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] Has Private
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] CN=SplunkLEA,O=cpserver.example.com..abab9q
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] O=cpserver.example.com..abab9q
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] Root: internal_ca
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwCert_FixChain_do: found root ca:internal_ca
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] GenerateGlobalEntry: Unable to get registry path
[ 4152216384][5 Sep 12:28:15] get_pkxld_path: cpshared_filename failed
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwCert_FixChain_do: Found the root CA O=cpserver.example.com..abab9q in my token
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwValidateCert:certificate - O=cpserver.example.com..abab9q
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] notBefore: Mon Apr 28 14:11:54 2003 Local Time
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] notAfter: Sun Apr 23 14:11:54 2023 Local Time
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] now: Mon Sep 5 12:28:15 2016 Local Time
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] cert start grace period=7200 cert end grace period=0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwValidateCert:certificate - CN=cp_mgmt,O=cpserver.example.com..abab9q
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] notBefore: Fri Jul 25 02:11:59 2014 Local Time
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] notAfter: Thu Jul 25 02:11:59 2019 Local Time
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] now: Mon Sep 5 12:28:15 2016 Local Time
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] cert start grace period=7200 cert end grace period=0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwValidatePath: checking PathLen: -1 (elevel: 0).
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwValidateNameConstraints: rootCA without name constraints
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ckpSSL_NegotiateStep: should retry.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ckpSSL_NegotiateStep: current state = SSLv3 read finished A
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ckpSSL_NegotiateStep: conncected, used TLSv1/SSLv3 ,AES128-SHA (-1)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ckpSSL_connected: peer authenticated
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ckpSSL_connected: current state: SSL negotiation finished successfully
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] Certificate is:
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] PubKey:
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] Modulus:
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] d4 40 1c 45 91 7d 98 ab 96 23 2b bc 74 89 1a 45 00 f8 37 af
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 80 e9 69 65 3a 5b b3 e0 c3 79 af af 08 68 74 7f 86 fc f1 6a
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ad 28 44 42 7b 86 27 ea 37 cb cd 21 1f 27 34 e1 d8 32 76 b6
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 25 21 68 5e 46 c8 5b 12 89 8e 0e a7 1d 9d 93 a0 de 82 d6 ad
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 5b 10 11 27 0c 76 cc 56 06 56 95 c4 bf c7 e4 0b 68 6d 51 b5
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 35 5e 2e ea ef 78 44 0a d9 3d 6e 9c 6e 7e a2 72 89 b3 d8 d9
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] 6b d6 56 c6 21 58 07 d9
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] Exponent: 65537 (0x10001)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] X509 Certificate Version 3
Serial Number: 3046
Issuer: O=cpserver.example.com..abab9q
Subject: CN=cp_mgmt,O=cpserver.example.com..abab9q
Not valid before: Fri Jul 25 02:11:59 2014 Local Time
Not valid after: Thu Jul 25 02:11:59 2019 Local Time
Signature Algorithm: RSA with SHA-1 Public key: RSA (1024 bits)
Extensions:
Key Usage:
digitalSignature
keyEncipherment
Basic Constraint:
not CA
CRL distribution Points:
URI: http://cpserver.example.com:18264/ICA_CRL0.crl
DN: CN=ICA_CRL0,O=cpserver.example.com..abab9q
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] X509 Certificate Version 3
Serial Number: 3046
Issuer: O=cpserver.example.com..abab9q
Subject: CN=cp_mgmt,O=cpserver.example.com..abab9q
Not valid before: Fri Jul 25 02:11:59 2014 Local Time
Not valid after: Thu Jul 25 02:11:59 2019 Local Time
Signature Algorithm: RSA with SHA-1 Public key: RSA (1024 bits)
Extensions:
Key Usage:
digitalSignature
keyEncipherment
Basic Constraint:
not CA
CRL distribution Points:
URI: http://cpserver.example.com:18264/ICA_CRL0.crl
DN: CN=ICA_CRL0,O=cpserver.example.com..abab9q
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwca_read_crl_file: failed to open file
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] read_crl: failed to read mgmt crl
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwca_create_file_name: dn without organizationUnitName
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwca_read_crl_file: failed to open file
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] read_crl : failed to read crl from file
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] X509 Certificate Version 3
Serial Number: 3046
Issuer: O=cpserver.example.com..abab9q
Subject: CN=cp_mgmt,O=cpserver.example.com..abab9q
Not valid before: Fri Jul 25 02:11:59 2014 Local Time
Not valid after: Thu Jul 25 02:11:59 2019 Local Time
Signature Algorithm: RSA with SHA-1 Public key: RSA (1024 bits)
Extensions:
Key Usage:
digitalSignature
keyEncipherment
Basic Constraint:
not CA
CRL distribution Points:
URI: http://cpserver.example.com:18264/ICA_CRL0.crl
DN: CN=ICA_CRL0,O=cpserver.example.com..abab9q
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] client_send_crlreq: fetching crl failed
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ckpSSL_do_write: write 197 bytes
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ckpSSL_do_read: return should retry rc = -1
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ckpSSL_do_read: return should retry rc = -1
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ckpSSL_do_read: return should retry rc = -1
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ckpSSL_do_read: return should retry rc = -1
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ckpSSL_do_read: return should retry rc = -1
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ckpSSL_do_read: read 4 bytes
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] auth_sslca_clnt_handler: illegal server crl_length message.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwasync_do_mux_in: 11: handler returned with error
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ckpSSL_fwasync_close: start shutdown
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] sic_client_end_handler: for conn id = 11
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] opsec_auth_client_connected: connect failed (328)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] opsec_auth_client_connected: SIC Error for lea: received bad message length from peer
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] opsec_auth_client_connected:conn=(nil) opaque=0xf6c15d60 err=0 comm=0xf6c15570
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] comm failed to connect 0xf6c15570
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] OPSEC_SET_ERRNO: err = 8 Comm is not connected/Unable to connect (pre = 0)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] COM 0xf6c15570 got signal 131075
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] destroying comm 0xf6c15570
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] Destroying comm 0xf6c15570 with 1 active sessions
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] Destroying session (f6c22128) id 3 (ent=f6c16458) reason=SIC_FAILURE
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] SESSION ID:3 is sending DG_TYPE=3
log_level=3 file:lea_loggrabber.cpp func_name:get_fw1_logfiles_end code_line_no:2184 :OPSEC_SESSION_END_HANDLER called
log_level=2 file:lea_loggrabber.cpp func_name:check_session_end_reason code_line_no:2106 :Start to check session end reason: is_read_end 0
log_level=0 file:lea_loggrabber.cpp func_name:check_session_end_reason code_line_no:2159 :Session end reason: SIC ERROR 328 - SIC Error for lea: received bad message length from peer
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] opsec_comm_is_needed:comm 0xf6c15570 1/1 sessions need the comm.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] pulling dgtype=1 len=0 to list=0xf6c1558c
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] pulling dgtype=402 len=27 to list=0xf6c1558c
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] pulling dgtype=ffffffff len=-1 to list=0xf6c1558c
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] REMOVING comm=0xf6c15570 from ent=0xf6c16458 with key=2
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ckpSSL_ShutdownHandler: rc=0 (1) SSL negotiation finished successfully
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ckpSSL_ShutdownTimeout: 0xF6C156A0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] ckpSSL_Destroy: closed fd 11
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] T_event_mainloop_e: T_event_mainloop_iter returns 0
log_level=3 file:lea_loggrabber.cpp func_name:cleanup_fw1_environment code_line_no:2438 :Enter
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] Destroying entity 1 with 0 active comms
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] opsec_destroy_entity_sic: deleting sic rules for entity 0xf6c16458
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] Destroying entity 2 with 0 active comms
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] opsec_destroy_entity_sic: deleting sic rules for entity 0xf6c15e48
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] IpcUnMapFile: unmapping file (handle=0xf6c08290)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] IpcUnMapFile: unmapping file (handle=0xf6c099a0)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] IpcUnMapFile: unmapping file (handle=0xf6c09a20)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] IpcUnMapFile: unmapping file (handle=0xf6c09ac0)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] IpcUnMapFile: unmapping file (handle=0xf6c09b40)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] sic_sslca_Free: defs = 0xf6c16f80, references = 1
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] sic_sslca_Free: defs = 0xf6c18060, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] sic_sslca_Free: defs = 0xf6c19238, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] sic_sslca_Free: defs = 0xf6c1a3f8, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] sic_sslca_Free: defs = 0xf6c1b5b8, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] sic_sslca_Free: defs = 0xf6c1bee0, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] sic_sslca_Free: defs = 0xf6c1d348, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] sic_sslca_Free: defs = 0xf6c1dc88, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] sic_sslca_Free: defs = 0xf6c1f0e8, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] sic_sslca_Free: defs = 0xf6c1fa08, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] sic_sslca_Free: defs = 0xf6c20e68, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] sic_sslca_Free: defs = 0xf6c21750, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] sic_sslca_Free: defs = 0xf6c22bb8, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] PM_policy_destroy: finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] opsec_destroy_sic_id_internal: Destroyed sic id (ctx id=0)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] opsec_env_destroy_sic_id_hash: Destroyed sic id hash
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] fwd_env_destroy: env 0xf6c03178 (alloced = 1)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] T_env_destroy: env 0xf6c03178
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] do_fwd_env_destroy: really destroy 0xf6c03178
log_level=2 file:lea_loggrabber.cpp func_name:main_worker code_line_no:1220 :Didn't find file, start read normal file: filename=fw.log, fileid=1
log_level=3 file:lea_loggrabber.cpp func_name:read_fw1_logfile code_line_no:1406 :Start reading fw.log 1
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: -v
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: opsec_sic_name
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: CN=SplunkLEA,O=cpserver.example.com..abab9q
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: -v
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: opsec_sslca_file
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: /opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/opsec_logs_1496239478.p12
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: -v
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: lea_server
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: ip
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: 1.1.1.1
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: -v
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: lea_server
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: auth_port
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: 18184
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: -v
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: lea_server
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: auth_type
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: sslca
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: -v
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: lea_server
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: opsec_entity_sic_name
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: CN=cp_mgmt,O=cpserver.example.com..abab9q
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] Env Configuration:
(
:type (opsec_info)
:lea_server (
:opsec_entity_sic_name ("CN=cp_mgmt,O=cpserver.example.com..abab9q")
:auth_type (sslca)
:auth_port (18184)
:ip (1.1.1.1)
)
:opsec_sslca_file ("/opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/opsec_logs_1496239478.p12")
:opsec_sic_name ("CN=SplunkLEA,O=cpserver.example.com..abab9q")
)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] Could not find info for ...opsec_shared_local_path...
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] Could not find info for ...opsec_sic_policy_file...
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] Could not find info for ...opsec_mt...
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:15] opsec_init: multithread safety is not initialized
log_level=3 file:lea_loggrabber.cpp func_name:main code_line_no:1107 :Current pid=54515 parent_pid=52671, Sleeping 1 sec
log_level=3 file:lea_loggrabber.cpp func_name:main code_line_no:1107 :Current pid=54515 parent_pid=52671, Sleeping 1 sec
log_level=3 file:lea_loggrabber.cpp func_name:main code_line_no:1107 :Current pid=54515 parent_pid=52671, Sleeping 1 sec
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] fwprng_set_entropy_collection_time_opsec: entering time is Mon Sep 5 12:28:19 2016 (1473071299)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] cpprng_opsec_initialize: dev_urandom_poll returned 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_file_is_intialized: seed is initialized
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] cpprng_opsec_initialize: seed init for opsec succeeded
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] PM_policy_create: version 5301.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] PM_policy_add_name_to_group: finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] PM_policy_set_local_names: () names. finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] PM_policy_create: finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] PM_policy_add_name_to_group: finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] PM_policy_set_local_names: (local_sic_name) names. finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] PM_policy_add_name_to_group: finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] PM_policy_set_local_names: (127.0.0.1) names. finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] PM_policy_add_name_to_group: finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] PM_policy_set_local_names: ("CN=SplunkLEA,O=cpserver.example.com..abab9q") names. finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] PM_apply_default_dn: ca_dn = [O=cpserver.example.com..abab9q].
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] PM_apply_default_dn: calling PM_policy_DN_conversion ..
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] PM_apply_default_dn: finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] fwPubKeyfromPKCS8: decoding RSA key
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] ckpSSLctx_New: prefs = 12
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] ckpSSLctx_New: prefs = 12
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_init_sslca: calling sic_set_auth_handler_save_opaque, server_opaque - defs = 0xf6c22350, client_opaque - defs = 0xf6c22350
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] ckpSSLctx_New: prefs = 32
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_init_sslca: calling sic_set_auth_handler_save_opaque, server_opaque - defs = 0xf6c234c8, client_opaque - defs = 0xf6c234c8
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] ckpSSLctx_New: prefs = 11
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_init_sslca: calling sic_set_auth_handler_save_opaque, server_opaque - defs = 0xf6c246a0, client_opaque - defs = 0xf6c246a0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] ckpSSLctx_New: prefs = 31
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_init_sslca: calling sic_set_auth_handler_save_opaque, server_opaque - defs = 0xf6c17c58, client_opaque - defs = 0xf6c17c58
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] ckpSSLctx_New: prefs = 12
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_init_sslca: calling sic_set_auth_handler_save_opaque, server_opaque - defs = 0xf6c18dd0, client_opaque - defs = 0xf6c18dd0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] sslcaInitCP_Ex: using asym client without ca cert
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] ckpSSLctx_New: prefs = 12
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] ckpSSLctx_New: prefs = 12
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_init_sslca: calling sic_set_auth_handler_save_opaque, server_opaque - defs = 0xf6c1ab70, client_opaque - defs = 0xf6c19718
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] sslcaInitCP_Ex: using asym client without ca cert
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] ckpSSLctx_New: prefs = 32
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] ckpSSLctx_New: prefs = 32
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_init_sslca: calling sic_set_auth_handler_save_opaque, server_opaque - defs = 0xf6c1c8f8, client_opaque - defs = 0xf6c1b490
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] sslcaInitCP_Ex: using asym client without ca cert
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] ckpSSLctx_New: prefs = 11
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] ckpSSLctx_New: prefs = 11
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_init_sslca: calling sic_set_auth_handler_save_opaque, server_opaque - defs = 0xf6c1e670, client_opaque - defs = 0xf6c1d218
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] sslcaInitCP_Ex: using asym client without ca cert
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] ckpSSLctx_New: prefs = 31
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] ckpSSLctx_New: prefs = 31
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] CkpRegDir: Environment variable CPDIR is not set.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] GenerateGlobalEntry: Unable to get registry path
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_init_sslca: calling sic_set_auth_handler_save_opaque, server_opaque - defs = 0xf6c203b8, client_opaque - defs = 0xf6c1ef70
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] sic_sslca_Free: defs = 0xf6c06258, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_init_sic_id_internal: Added sic id (ctx id = 0)
log_level=2 file:lea_loggrabber.cpp func_name:read_fw1_logfile code_line_no:1443 :Successfully create opsec environment
log_level=3 file:lea_loggrabber.cpp func_name:read_fw1_logfile code_line_no:1454 :Starting fw.log 1 at offset -1
log_level=3 file:lea_loggrabber.cpp func_name:verify_env_parameters code_line_no:1248 :OPSEC LEA conf file is lea.conf
log_level=3 file:lea_loggrabber.cpp func_name:verify_env_parameters code_line_no:1291 :Authentication mode has been used.
log_level=3 file:lea_loggrabber.cpp func_name:verify_env_parameters code_line_no:1292 :Server-IP : 1.1.1.1
log_level=3 file:lea_loggrabber.cpp func_name:verify_env_parameters code_line_no:1293 :Server-Port : 18184
log_level=3 file:lea_loggrabber.cpp func_name:verify_env_parameters code_line_no:1294 :Authentication type: sslca
log_level=3 file:lea_loggrabber.cpp func_name:verify_env_parameters code_line_no:1295 :OPSEC sic certificate file name : /opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/opsec_logs_1496239478.p12
log_level=3 file:lea_loggrabber.cpp func_name:verify_env_parameters code_line_no:1296 :Server DN (sic name) : CN=cp_mgmt,O=cpserver.example.com..abab9q
log_level=3 file:lea_loggrabber.cpp func_name:verify_env_parameters code_line_no:1297 :OPSEC LEA client DN (sic name) : CN=SplunkLEA,O=cpserver.example.com..abab9q
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_init_entity_sic: called for the client side
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] Configuring entity lea_server
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] Could not find info for ...conn_buf_size...
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] Could not find info for ...no_nagle...
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] Could not find info for ...port...
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_entity_add_sic_rule: adding rules: apply_to: ME, peer: CN=cp_mgmt,O=cpserver.example.com..abab9q, d_ip: NULL, dport 18184, svc: lea, method: sslca
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_entity_add_sic_rule: adding INBOUND rule
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_entity_add_sic_rule: adding OUTBOUND rule
log_level=2 file:lea_loggrabber.cpp func_name:read_fw1_logfile code_line_no:1514 :Successfully initialize client/server-pair
log_level=2 file:lea_loggrabber.cpp func_name:read_fw1_logfile code_line_no:1570 :Start to setup suspended session for ng, online 0, last_record_location -1 audit_mode 0
log_level=3 file:lea_loggrabber.cpp func_name:read_fw1_logfile code_line_no:1602 :Starting at position: -1
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_get_comm: creating comm for ent=f6c53108 peer=f6c53bb0 passive=0 key=2 info=0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] c=0xf6c53108 s=0xf6c53bb0 comm_type=4
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] Could not find info for ...opsec_client...
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_get_comm: Creating session hash (size=256)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_get_comm: ADDING comm=0xf6c534d0 to ent=0xf6c53108 with key=2
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_env_get_context_id_by_peer_sic_name: found context id=0 for peer sic name=CN=cp_mgmt,O=cpserver.example.com..abab9q
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_env_get_sic_handle_by_context_id: found sic handle (ctx id=0)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] opsec_sic_connect: connecting... (ctx id=0)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] peers addresses are
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] fe80::2e44:fdff:fe7a:73c8
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] peers addresses are
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] 10.62.9.30
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] cpsicdemux_get_mode: the mode is 1
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] cpsicdemux_check_mode: server_mode=1 | requested_mode=1
log_level=2 file:lea_loggrabber.cpp func_name:read_fw1_logfile_start code_line_no:2210 :OPSEC session start handler was invoked
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] SESSION ID:3 is sending DG_TYPE=1
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] pushing dgtype=1 len=0 to list=0xf6c534ec
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] SESSION ID:3 is sending DG_TYPE=402
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] pushing dgtype=402 len=20 to list=0xf6c534ec
log_level=2 file:lea_loggrabber.cpp func_name:read_fw1_logfile code_line_no:1651 :Successfully create session
log_level=2 file:lea_loggrabber.cpp func_name:do_create_filter_for_session code_line_no:1330 :No need to create filter: filter_count=0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] SESSION ID:3 is sending DG_TYPE=40c
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] pushing dgtype=40c len=0 to list=0xf6c534ec
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] fwasync_conn_params: <a3e091e,58787> -> <ac10c80c,18184>
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] fwasync_connbuf_realloc: reallocating 0 from 0 to 1028
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:19] fwasync_connbuf_realloc: reallocating 0 from 0 to 1028
log_level=3 file:lea_loggrabber.cpp func_name:main code_line_no:1107 :Current pid=54515 parent_pid=52671, Sleeping 1 sec
log_level=3 file:lea_loggrabber.cpp func_name:main code_line_no:1107 :Current pid=54515 parent_pid=52671, Sleeping 1 sec
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:21] sic_client_set_version: 11: protocol version is 59000000
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:21] cpsicdemux_check_mode: server_mode=1 | requested_mode=1
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:21] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:21] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:21] fwasync_conn_get: get max buffer size (4194304) .
log_level=3 file:lea_loggrabber.cpp func_name:main code_line_no:1107 :Current pid=54515 parent_pid=52671, Sleeping 1 sec
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:21] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:21] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:21] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:21] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:21] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:21] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:21] call_handlers_list: no conversion done, set CN=cp_mgmt,O=cpserver.example.com..abab9q as sic name
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:21] PM_session_init: given session O(CN=SplunkLEA,O=cpserver.example.com..abab9q;CN=cp_mgmt,O=cpserver.example.com..abab9q;18184;lea).
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:21] PM_policy_query: input session O(CN=SplunkLEA,O=cpserver.example.com..abab9q;CN=cp_mgmt,O=cpserver.example.com..abab9q;18184;lea).
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:21] PM_policy_query: rule found (ME;CN=cp_mgmt,O=cpserver.example.com..abab9q;18184;lea;sslca(1/1)).
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:21] PM_policy_query: finished successfully. 1st method = sslca
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] PM_policy_choose: finished successfully. choose: sslca.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] sic_client_call_auth_func: calling save_opaque_cb, defs = 0xf6c22350.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] check_if_sslca_auth_and_save_opaque: calling sic_sslca_defs_save, defs = 0xf6c22350.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] sic_sslca_defs_save: defs = 0xf6c22350, references = 2
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] fwasync_conn_get: get max buffer size (4194304) .
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] sic_client_end_handler: for conn id = 11
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] opsec_auth_client_connected: connect failed (147)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] opsec_auth_client_connected: SIC Error for lea: Authentication error
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] opsec_auth_client_connected:conn=(nil) opaque=0xf6c07ed0 err=0 comm=0xf6c534d0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] comm failed to connect 0xf6c534d0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] OPSEC_SET_ERRNO: err = 8 Comm is not connected/Unable to connect (pre = 8)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] COM 0xf6c534d0 got signal 131075
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] destroying comm 0xf6c534d0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] Destroying comm 0xf6c534d0 with 1 active sessions
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] Destroying session (f6c52f88) id 3 (ent=f6c53108) reason=SIC_FAILURE
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] SESSION ID:3 is sending DG_TYPE=3
log_level=3 file:lea_loggrabber.cpp func_name:read_fw1_logfile_end code_line_no:2198 :OPSEC_SESSION_END_HANDLER called
log_level=2 file:lea_loggrabber.cpp func_name:check_session_end_reason code_line_no:2106 :Start to check session end reason: is_read_end 1
log_level=0 file:lea_loggrabber.cpp func_name:check_session_end_reason code_line_no:2159 :Session end reason: SIC ERROR 147 - SIC Error for lea: Authentication error
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] opsec_comm_is_needed:comm 0xf6c534d0 1/1 sessions need the comm.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] pulling dgtype=1 len=0 to list=0xf6c534ec
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] pulling dgtype=402 len=20 to list=0xf6c534ec
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] pulling dgtype=40c len=0 to list=0xf6c534ec
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] pulling dgtype=ffffffff len=-1 to list=0xf6c534ec
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] REMOVING comm=0xf6c534d0 from ent=0xf6c53108 with key=2
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] T_event_mainloop_e: T_event_mainloop_iter returns 0
log_level=3 file:lea_loggrabber.cpp func_name:cleanup_fw1_environment code_line_no:2438 :Enter
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] Destroying entity 1 with 0 active comms
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] opsec_destroy_entity_sic: deleting sic rules for entity 0xf6c53108
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] Destroying entity 2 with 0 active comms
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] opsec_destroy_entity_sic: deleting sic rules for entity 0xf6c53bb0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] IpcUnMapFile: unmapping file (handle=0xf6c15d40)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] IpcUnMapFile: unmapping file (handle=0xf6c027c0)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] IpcUnMapFile: unmapping file (handle=0xf6c53f50)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] IpcUnMapFile: unmapping file (handle=0xf6c53ff0)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] IpcUnMapFile: unmapping file (handle=0xf6c54070)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] sic_sslca_Free: defs = 0xf6c22350, references = 1
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] sic_sslca_Free: defs = 0xf6c234c8, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] sic_sslca_Free: defs = 0xf6c246a0, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] sic_sslca_Free: defs = 0xf6c17c58, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] sic_sslca_Free: defs = 0xf6c18dd0, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] sic_sslca_Free: defs = 0xf6c19718, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] sic_sslca_Free: defs = 0xf6c1ab70, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] sic_sslca_Free: defs = 0xf6c1b490, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] sic_sslca_Free: defs = 0xf6c1c8f8, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] sic_sslca_Free: defs = 0xf6c1d218, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] sic_sslca_Free: defs = 0xf6c1e670, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] sic_sslca_Free: defs = 0xf6c1ef70, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] sic_sslca_Free: defs = 0xf6c203b8, references = 0
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] PM_policy_destroy: finished successfully.
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] opsec_destroy_sic_id_internal: Destroyed sic id (ctx id=0)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] opsec_env_destroy_sic_id_hash: Destroyed sic id hash
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] fwd_env_destroy: env 0xf6c03178 (alloced = 1)
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] T_env_destroy: env 0xf6c03178
[ 54515 4152216384]@splunkhf.example.com[5 Sep 12:28:35] do_fwd_env_destroy: really destroy 0xf6c03178
log_level=2 file:lea_loggrabber.cpp func_name:read_fw1_logfile code_line_no:1705 :Finish reading fw.log 1
log_level=3 file:lea_loggrabber.cpp func_name:close_screen code_line_no:5629 :Close connection to screen.
log_level=3 file:lea_loggrabber.cpp func_name:main code_line_no:1107 :Current pid=54515 parent_pid=52671, Sleeping 1 sec
... View more
09-05-2016
03:40 AM
Thanks. I had to post the output as an answer since the comment box won't accept more than 9999 chars.
I see a few errors. I'm wondering if this is on the Checkpoint side, not Splunk?
... View more
08-23-2016
09:12 PM
I don't have access to the file now and won't have for a few weeks, but it was created via the GUI so I believe it should be fine.
Management is R77.
Trust is established. I reset the connection and set it up again just to be sure that the state had changed.
Firewall rules are in place.
Logging is done on the management server.
... View more
08-22-2016
06:03 AM
I just installed version 4 of the CP OPSEC LEA app and am able to establish trust with the CP management server as well as add an input, but I see no data coming in. I get the following messages in the _internal log, but I'm unable to figure out what they actually mean (google provided very little info).
The events I see that could be related are the following. The full list is below for clarity
2016-08-22 11:39:14,424 +0000 log_level=ERROR, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"]log_level=0 file:lea_loggrabber.cpp func_name:check_session_end_reason code_line_no:2159 :Session end reason: SIC ERROR 328 - SIC Error for lea: received bad message length from peer
2016-08-22 11:39:14,419 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] auth_sslca_clnt_handler: illegal server crl_length message.
2016-08-22 11:39:14,226 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] client_send_crlreq: fetching crl failed
Full list:
2016-08-22 11:39:56,748 +0000 log_level=DEBUG, pid=10303, tid=Thread-3, file=file_monitor.py, func_name=check_changes, code_line_no=36 | Checking files=['/opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_connection.conf', '/opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_inputs.conf', '/opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_settings.conf']
2016-08-22 11:39:50,753 +0000 log_level=DEBUG, pid=10303, tid=Thread-8, file=thread_pool.py, func_name=_do_resize_according_to_loads, code_line_no=201 | current_thr_size=4, free_thrs=4, work_size=0
2016-08-22 11:39:46,748 +0000 log_level=DEBUG, pid=10303, tid=Thread-3, file=file_monitor.py, func_name=check_changes, code_line_no=36 | Checking files=['/opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_connection.conf', '/opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_inputs.conf', '/opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_settings.conf']
2016-08-22 11:39:39,752 +0000 log_level=DEBUG, pid=10303, tid=Thread-8, file=thread_pool.py, func_name=_do_resize_according_to_loads, code_line_no=201 | current_thr_size=4, free_thrs=4, work_size=0
2016-08-22 11:39:36,748 +0000 log_level=DEBUG, pid=10303, tid=Thread-3, file=file_monitor.py, func_name=check_changes, code_line_no=36 | Checking files=['/opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_connection.conf', '/opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_inputs.conf', '/opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_settings.conf']
2016-08-22 11:39:28,750 +0000 log_level=DEBUG, pid=10303, tid=Thread-8, file=thread_pool.py, func_name=_do_resize_according_to_loads, code_line_no=201 | current_thr_size=4, free_thrs=4, work_size=0
2016-08-22 11:39:26,748 +0000 log_level=DEBUG, pid=10303, tid=Thread-3, file=file_monitor.py, func_name=check_changes, code_line_no=36 | Checking files=['/opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_connection.conf', '/opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_inputs.conf', '/opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_settings.conf']
2016-08-22 11:39:17,750 +0000 log_level=DEBUG, pid=10303, tid=Thread-8, file=thread_pool.py, func_name=_do_resize_according_to_loads, code_line_no=201 | current_thr_size=4, free_thrs=4, work_size=0
2016-08-22 11:39:16,748 +0000 log_level=DEBUG, pid=10303, tid=Thread-3, file=file_monitor.py, func_name=check_changes, code_line_no=36 | Checking files=['/opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_connection.conf', '/opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_inputs.conf', '/opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_settings.conf']
2016-08-22 11:39:14,767 +0000 log_level=DEBUG, pid=10303, tid=Thread-4, file=thread_pool.py, func_name=_run, code_line_no=240 | Going to get job
2016-08-22 11:39:14,767 +0000 log_level=INFO, pid=10303, tid=Thread-4, file=thread_pool.py, func_name=_run, code_line_no=261 | Thread work_queue_size=0
2016-08-22 11:39:14,767 +0000 log_level=DEBUG, pid=10303, tid=Thread-4, file=thread_pool.py, func_name=_run, code_line_no=260 | Done with exec job
2016-08-22 11:39:14,767 +0000 log_level=INFO, pid=10303, tid=Thread-4, file=ta_data_collector.py, func_name=index_data, code_line_no=114 | [input_name="opsec_fw" data="non_audit"] End of indexing data for opsec_fw_non_audit
2016-08-22 11:39:14,767 +0000 log_level=DEBUG, pid=10303, tid=Thread-4, file=ta_data_collector.py, func_name=_do_safe_index, code_line_no=154 | [input_name="opsec_fw" data="non_audit"] Finished this round
2016-08-22 11:39:14,431 +0000 log_level=DEBUG, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"]log_level=3 file:lea_loggrabber.cpp func_name:close_screen code_line_no:5629 :Close connection to screen.
2016-08-22 11:39:14,431 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"]log_level=2 file:lea_loggrabber.cpp func_name:read_fw1_logfile code_line_no:1705 :Finish reading fw.log 1
2016-08-22 11:39:14,431 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] do_fwd_env_destroy: really destroy 0xf6c03178
2016-08-22 11:39:14,431 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] T_env_destroy: env 0xf6c03178
2016-08-22 11:39:14,431 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] fwd_env_destroy: env 0xf6c03178 (alloced = 1)
2016-08-22 11:39:14,431 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] opsec_env_destroy_sic_id_hash: Destroyed sic id hash
2016-08-22 11:39:14,431 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] opsec_destroy_sic_id_internal: Destroyed sic id (ctx id=0)
2016-08-22 11:39:14,430 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] PM_policy_destroy: finished successfully.
2016-08-22 11:39:14,430 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] sic_sslca_Free: defs = 0xf6c203f8, references = 0
2016-08-22 11:39:14,430 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] sic_sslca_Free: defs = 0xf6c1efb0, references = 0
2016-08-22 11:39:14,430 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] sic_sslca_Free: defs = 0xf6c1e6b0, references = 0
2016-08-22 11:39:14,430 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] sic_sslca_Free: defs = 0xf6c1d258, references = 0
2016-08-22 11:39:14,430 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] sic_sslca_Free: defs = 0xf6c1c938, references = 0
2016-08-22 11:39:14,430 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] sic_sslca_Free: defs = 0xf6c1b4d0, references = 0
2016-08-22 11:39:14,429 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] sic_sslca_Free: defs = 0xf6c1abb0, references = 0
2016-08-22 11:39:14,429 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] sic_sslca_Free: defs = 0xf6c19758, references = 0
2016-08-22 11:39:14,429 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] sic_sslca_Free: defs = 0xf6c18e10, references = 0
2016-08-22 11:39:14,429 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] sic_sslca_Free: defs = 0xf6c17cb0, references = 0
2016-08-22 11:39:14,429 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] sic_sslca_Free: defs = 0xf6c246e0, references = 0
2016-08-22 11:39:14,429 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] sic_sslca_Free: defs = 0xf6c23508, references = 0
2016-08-22 11:39:14,429 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] sic_sslca_Free: defs = 0xf6c223a8, references = 1
2016-08-22 11:39:14,428 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] IpcUnMapFile: unmapping file (handle=0xf6c54070)
2016-08-22 11:39:14,428 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] IpcUnMapFile: unmapping file (handle=0xf6c53ff0)
2016-08-22 11:39:14,428 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] IpcUnMapFile: unmapping file (handle=0xf6c53f60)
2016-08-22 11:39:14,428 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] IpcUnMapFile: unmapping file (handle=0xf6c54110)
2016-08-22 11:39:14,428 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] IpcUnMapFile: unmapping file (handle=0xf6c02720)
2016-08-22 11:39:14,428 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] opsec_destroy_entity_sic: deleting sic rules for entity 0xf6c16420
2016-08-22 11:39:14,428 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] Destroying entity 2 with 0 active comms
2016-08-22 11:39:14,428 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] opsec_destroy_entity_sic: deleting sic rules for entity 0xf6c16308
2016-08-22 11:39:14,427 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] Destroying entity 1 with 0 active comms
2016-08-22 11:39:14,427 +0000 log_level=DEBUG, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"]log_level=3 file:lea_loggrabber.cpp func_name:cleanup_fw1_environment code_line_no:2438 :Enter
2016-08-22 11:39:14,427 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] T_event_mainloop_e: T_event_mainloop_iter returns 0
2016-08-22 11:39:14,427 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] ckpSSL_Destroy: closed fd 15
2016-08-22 11:39:14,426 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] ckpSSL_ShutdownTimeout: 0xF6C22058
2016-08-22 11:39:14,426 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] ckpSSL_ShutdownHandler_in_sock: called
2016-08-22 11:39:14,426 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] ckpSSL_ShutdownHandler: rc=0 (1) SSL negotiation finished successfully
2016-08-22 11:39:14,426 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] REMOVING comm=0xf6c53cb8 from ent=0xf6c16308 with key=2
2016-08-22 11:39:14,425 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] pulling dgtype=ffffffff len=-1 to list=0xf6c53cd4
2016-08-22 11:39:14,425 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] pulling dgtype=40c len=0 to list=0xf6c53cd4
2016-08-22 11:39:14,425 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] pulling dgtype=402 len=20 to list=0xf6c53cd4
2016-08-22 11:39:14,424 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] pulling dgtype=1 len=0 to list=0xf6c53cd4
2016-08-22 11:39:14,424 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] opsec_comm_is_needed:comm 0xf6c53cb8 1/1 sessions need the comm.
2016-08-22 11:39:14,424 +0000 log_level=ERROR, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"]log_level=0 file:lea_loggrabber.cpp func_name:check_session_end_reason code_line_no:2159 :Session end reason: SIC ERROR 328 - SIC Error for lea: received bad message length from peer
2016-08-22 11:39:14,424 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"]log_level=2 file:lea_loggrabber.cpp func_name:check_session_end_reason code_line_no:2106 :Start to check session end reason: is_read_end 1
2016-08-22 11:39:14,423 +0000 log_level=DEBUG, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"]log_level=3 file:lea_loggrabber.cpp func_name:read_fw1_logfile_end code_line_no:2198 :OPSEC_SESSION_END_HANDLER called
2016-08-22 11:39:14,423 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"]
2016-08-22 11:39:14,423 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] SESSION ID:3 is sending DG_TYPE=3
2016-08-22 11:39:14,423 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] Destroying session (f6c54d78) id 3 (ent=f6c16308) reason=SIC_FAILURE
2016-08-22 11:39:14,422 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] Destroying comm 0xf6c53cb8 with 1 active sessions
2016-08-22 11:39:14,422 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] destroying comm 0xf6c53cb8
2016-08-22 11:39:14,422 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] COM 0xf6c53cb8 got signal 131075
2016-08-22 11:39:14,421 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] OPSEC_SET_ERRNO: err = 8 Comm is not connected/Unable to connect (pre = 8)
2016-08-22 11:39:14,421 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] comm failed to connect 0xf6c53cb8
2016-08-22 11:39:14,421 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] opsec_auth_client_connected:conn=(nil) opaque=0xf6c16580 err=0 comm=0xf6c53cb8
2016-08-22 11:39:14,420 +0000 log_level=INFO, pid=10303, tid=Thread-4, file=ta_opseclea_data_collector.py, func_name=get_contents, code_line_no=246 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"] Successfully indexed events: 0
2016-08-22 11:39:14,420 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] opsec_auth_client_connected: SIC Error for lea: received bad message length from peer
2016-08-22 11:39:14,420 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] opsec_auth_client_connected: connect failed (328)
2016-08-22 11:39:14,420 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] sic_client_end_handler: for conn id = 15
2016-08-22 11:39:14,419 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] ckpSSL_fwasync_close: start shutdown
2016-08-22 11:39:14,419 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] fwasync_do_mux_in: 15: handler returned with error
2016-08-22 11:39:14,419 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] auth_sslca_clnt_handler: illegal server crl_length message.
2016-08-22 11:39:14,418 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] ckpSSL_do_read: read 4 bytes
2016-08-22 11:39:14,418 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] ckpSSL_do_read: return should retry rc = -1
2016-08-22 11:39:14,418 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] ckpSSL_do_read: return should retry rc = -1
2016-08-22 11:39:14,417 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] ckpSSL_do_read: return should retry rc = -1
2016-08-22 11:39:14,417 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] ckpSSL_do_read: return should retry rc = -1
2016-08-22 11:39:14,417 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] ckpSSL_do_read: return should retry rc = -1
2016-08-22 11:39:14,417 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] ckpSSL_do_read: return should retry rc = -1
2016-08-22 11:39:14,416 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] ckpSSL_do_read: return should retry rc = -1
2016-08-22 11:39:14,226 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] fwasync_conn_get: get max buffer size (4194304) .
2016-08-22 11:39:14,226 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] ckpSSL_do_write: write 197 bytes
2016-08-22 11:39:14,226 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] client_send_crlreq: fetching crl failed
2016-08-22 11:39:14,226 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"]
2016-08-22 11:39:14,226 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"] DN: CN=ICA_CRL0,O=cpserver.example.com..abab9q
2016-08-22 11:39:14,226 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"] URI: http://cpserver.example.com:18264/ICA_CRL0.crl
2016-08-22 11:39:14,225 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"] CRL distribution Points:
2016-08-22 11:39:14,225 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"] not CA
2016-08-22 11:39:14,225 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"] Basic Constraint:
2016-08-22 11:39:14,225 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"] keyEncipherment
2016-08-22 11:39:14,225 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"] digitalSignature
2016-08-22 11:39:14,225 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"] Key Usage:
2016-08-22 11:39:14,225 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"]Extensions:
2016-08-22 11:39:14,225 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"]Signature Algorithm: RSA with SHA-1 Public key: RSA (1024 bits)
2016-08-22 11:39:14,225 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"]Not valid after: Thu Jul 25 02:11:59 2019 Local Time
2016-08-22 11:39:14,225 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"]Not valid before: Fri Jul 25 02:11:59 2014 Local Time
2016-08-22 11:39:14,224 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"]Subject: CN=cp_mgmt,O=cpserver.example.com..abab9q
2016-08-22 11:39:14,224 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"]Issuer: O=cpserver.example.com..abab9q
2016-08-22 11:39:14,224 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"]Serial Number: 3046
2016-08-22 11:39:14,224 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] X509 Certificate Version 3
2016-08-22 11:39:14,224 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] read_crl : failed to read crl from file
2016-08-22 11:39:14,224 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] fwca_read_crl_file: failed to open file
2016-08-22 11:39:14,224 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] fwca_create_file_name: dn without organizationUnitName
2016-08-22 11:39:14,224 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] read_crl: failed to read mgmt crl
2016-08-22 11:39:14,223 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"][ 10441 4151970624]@host.example.com[22 Aug 13:39:14] fwca_read_crl_file: failed to open file
2016-08-22 11:39:14,223 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"]
2016-08-22 11:39:14,223 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"] DN: CN=ICA_CRL0,O=cpserver.example.com..abab9q
2016-08-22 11:39:14,223 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"] URI: http://cpserver.example.com:18264/ICA_CRL0.crl
2016-08-22 11:39:14,223 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"] CRL distribution Points:
2016-08-22 11:39:14,223 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"] not CA
2016-08-22 11:39:14,223 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"] Basic Constraint:
2016-08-22 11:39:14,223 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"] keyEncipherment
2016-08-22 11:39:14,223 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"] digitalSignature
2016-08-22 11:39:14,222 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"] Key Usage:
2016-08-22 11:39:14,222 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"]Extensions:
2016-08-22 11:39:14,222 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"]Signature Algorithm: RSA with SHA-1 Public key: RSA (1024 bits)
2016-08-22 11:39:14,222 +0000 log_level=INFO, pid=10303, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=62 | [input_name="opsec_fw" connection="opsec_logs" data="non_audit"]Not valid after: Thu Jul 25 02:11:59 2019 Local Time
I can see that the modular input is running:
ps aux | grep -i opsec Mon Aug 22 14:22:52 2016
root 12126 0.3 0.0 882628 14176 ? Ssl 13:40 0:09 python /opt/2014/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/checkpoint_opseclea.py
What is going on?
... View more
06-02-2016
10:13 PM
This is a known bug in Splunk 6.3.0. Upgrade to the latest 6.3 release or 6.4 release.
The documentation of the Cisco Networks app and add-on contains info about this, so make sure you read the documentation.
... View more
04-28-2016
10:35 PM
Try setting
sourcetype = syslog
In your monitor stanza
... View more
04-26-2016
12:59 PM
You will need Splunk 6.2+ or higher I believe due to new features in the search. Otherwise you may try an older version of the Cisco Networks App which uses the old functions to call searches from dashboards.
... View more
04-22-2016
11:54 PM
Sourcetype must be "cisco:ios" or "syslog".
In Splunk the sourcetype plays an important role. It is the main way of categorizing similar events. All apps rely on specific sourcetypes. It's mentioned in the documentation.
... View more
04-21-2016
10:18 AM
Why did you set sourcetype as Cisco_logs when the app expects sourcetype to be cisco:ios ?
You're saying that you can see the data in the search app. What is the search string you're using? If it includes an index=whatever that means you need to change your role to search that index BY DEFAULT in role settings.
... View more
04-21-2016
01:37 AM
Make sure your user searches whatever index your Cisco logs are in by default. Check your role settings.
... View more
04-20-2016
12:36 PM
See the Help page in the app for all the parameters you need to set on your devices.
Be sure to set the following as well
logging trap informational
to enable sending all types of logs
You need a high velocity of logs and lots of devices, and most importantly your devices actually have to send the types of logs that are relevant for this use case.
... View more
04-17-2016
10:24 AM
Q: What are the Configuration requirements to establish a communication between syslog and cisco devices, and how to configure it?
A: Install the Cisco Networks app and add-on, see the Help section in the app.
... View more
04-16-2016
11:12 PM
Correct, for most Splunk apps there is no need to add sending devices. Splunk works on whatever data is being received.
... View more
04-01-2016
02:17 AM
Yes, download the code as zip. Do not follow the link back to Splunkbase apps. The code downloaded will come in a folder called TA-cisco_ios-master. Just rename this folder to TA-cisco_ios. Make sure you delete the old folder first.
Call home is not mandatory.
... View more
03-31-2016
11:36 PM
Can you try the development version of the add-on at https://github.com/inspired/TA-cisco_ios ?
I looked at the code and it looks correct in the dev version
... View more
03-24-2016
10:49 PM
This is just a cosmetic error, but you may get an updated version at http://github.com/inspired/TA-cisco_ios where this is fixed.
... View more
03-15-2016
02:54 AM
Haven't seen this before and I have a lot of installations using either direct UDP syslog to Splunk or logging to a syslog daemon with a Universal Forwarder shipping the logs to indexers.
You may need to set up a LINE_BREAKER rule along with SHOULD_LINEMERGE=false in props.conf on your indexers/Heavy Forwarders.
... View more
03-15-2016
02:46 AM
Fixed in my git repo available at github.com/inspired/TA-cisco_ios
Just use the TA from that URL.
This file is actually supposed to be edited for your environment in case you want to exclude particular IP ranges (internal ones in particular) from being shown in one of the dashboards.
On holidays currently so no time to create a new release.
... View more
02-22-2016
02:12 AM
This is a feature request
The app needs to support proxying requests to be used in enterprise environments. I've made a temporary hack in bin/dnsdb_query.py myself, but a supported proxy config is needed.
... View more
02-04-2016
07:22 AM
Great! Thanks. Promising piece of software!
... View more
02-04-2016
06:59 AM
Hi,
this is more of a feature request, really.
Is caching or saving of received templates on the roadmap? I have a situation where I've had to restart the collector after I've started receiving flows. The collector doesn't handle this well so I need to restart the Netflow export on the Cisco ASA for the templates to be re-sent.
Thanks
... View more
02-04-2016
06:55 AM
I can help you out with CIM compliance if required. Just let me know. Shouldn't take much time. All I need is a list of "friendly names" for the fields the app extracts as some of them are a bit ambiguous 🙂
... View more
02-01-2016
01:17 AM
Is CIM compliance for this app on the roadmap? It looks like there's a lot of interesting stuff in there that would fit well into a security context.
... View more
01-29-2016
02:25 PM
The docs state that you need TA-cisco_ios on the search heads too.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
Karma given to
