I have Checkpoint R75.40 installed in a tiered format (Separate Mgt Console, FW, and GUI on different boxes). I have followed all of the documentation found here: docs.splunk.com/Documentation/OPSEC-LEA
I have "Trust Established" on the OPSEC object in Checkpoint, and have found all of the SIC_ENTITY variables per the documentation, but in the Splunk frontend GUI under Splunk > Splunk Add-on for Check Point OPSEC LEA > Manage Connections > Just to the right of that I get the spinning circle as if it's trying to load data, but it never does.
In this document: wiki.splunk.com/Community:Configure_OPSEC_LEA_input under section 1 Checkpoint FW Modification Step 2 it says to "Edit $FWDIR/conf/fwopsec.conf and add the following lines to enable the LEA service". On my mgt console in that directory there is no fwopsec.conf file, so I created one and added those 2 lines. I then did the cpstop / cpstart and did a ./splunk restart.
As a side note, I have Splunk installed on Ubuntu 14.04, but I don't think that matters as I've gotten everything installed programmatically just fine.
In var/log/splunk I've tailed conf.log / opsec.log / splunk.log, but I don't see any errors... Not sure what to do to make this work...