About georgen_splunk

georgen_splunk · ‎07-26-2019

try using offline mode to retieve historical data, online mode attempts to retrieve data as it is generated by CPK in RT. /data/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/../bin/lea_loggrabber --data non_audit --debug_level 2 --appname Splunk_TA_checkpoint-opseclea --lea_server_ip 10.251.130.6 --lea_server_auth_port 18184 --lea_server_auth_type sslca --opsec_sslca_file /data/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/Connector_SSL_SmartEvent_1874929942.p12 --opsec_sic_name CN=Splunk_LEA2,O=SmartConsole.jmsp.prod.sq5ad5 --opsec_entity_sic_name CN=SmartEvent,O=SmartConsole.jmsp.prod.sq5ad5 --last_record_location -1:0 --no_online --no_resolve HTH

georgen_splunk · ‎03-13-2019

expected to be tagged with certificate in the Stream 7.1.3 release.

georgen_splunk · ‎01-31-2019

a bug has been filed for this in STREAM-3970, please open a Support case if you happen to need an update on status.

georgen_splunk · ‎01-22-2019

version = 3.0.6 decided to disable certificate verification as a workaround: edit $SPLUNK_HOME/etc/apps/Code42ForSplunk/bin/code42.py navigate to line 125 "verify_certificate": True, to "verify_certificate": False, SC says this is insecure, but an acceptable hack for now given our ultra-secure environment.

georgen_splunk · ‎09-12-2018

same goes for us, I'm assuming this is a string sent from F5? Is there a BIG-IP setting/config that we can change to limit or stop this additional data? <777>DEC 11 09:34:56 corp.LB logger: [ssl_acc] 192.168.0.0 - admin [11/DEC/2017:09:34:56 -0700] "/mgmt/XXX/XXXX/XXXXXX" 200 2 default send string default send string <777>DEC 11 10:37:16 corp.LB logger: [ssl_acc] 192.168.0.0 - admin [11/DEC/2017:10:37:16 -0700] "/mgmt/XXX/XXXX/XXXXXX" 200 2 default send string default send string default send string

georgen_splunk · ‎08-22-2018

The Splunk App for Windows Infrastructure v1.4.4 is not compatible with The Splunk Add-on for Windows 5.0 at this time. Also noted in the Overview: https://splunkbase.splunk.com/app/1680/

georgen_splunk · ‎08-15-2018

this appears to be a configuration issue, would it be possible to capture a diag of this instance and open a Support case? We should be able to quickly identify the stanza/setting that's causing this KeyError

georgen_splunk · ‎08-15-2018

Just the files

georgen_splunk · ‎08-03-2018

I downvoted this post because app works

georgen_splunk · ‎08-03-2018

an Enhancement request has been filed with our Products team to support this new format in the future, please open a Support case and reference ADDON-18988 for current status.

georgen_splunk · ‎08-03-2018

per CP Solution ID, sk11539: How to export Check Point logs to a Syslog server using CPLogToSyslog. I've configured our management server to send FW logs to syslogd, but the current Add-on for Check Point OPSEC LEA v4.3.1 does not appear to support the new log format. This also prevents us from normalizing the syslog data to support the Common Information Model for Enterprise Security. Does anyone happen to have an ETA to fully support this new log format? Here is an example of the two formats. sourcetype=opsec time=1533315360|loc=1280|fileid=1533279600|action=accept|orig=192.168.1.201|i/f_dir=inbound|i/f_name=eth0|has_accounting=0|logId=0|log_type=connection|log_sequence_num=1|is_first_for_luuid=131072|log_version=5|origin_sic_name=cn=cp_mgmt,o=gw-e0c5cb..8ah3wt|uuid=<5b648920,00000000,c901a8c0,c0000002>|product=VPN-1 & FireWall-1|__policy_id_tag=product=VPN-1 & FireWall-1[db_tag={1866F03E-955A-2C4C-91BD-22FA52339AB9};mgmt=gw-e0c5cb;date=1532556482;policy_name=Standard]|inzone=Internal|outzone=Local|service_id=FW1_lea|src=192.168.1.250|s_port=46108|dst=192.168.1.201|service=18184|proto=tcp|match_id=2|match_table.match_id=2|layer_uuid=8a5e96fb-c793-457f-b78f-c667074223a5|match_table.layer_uuid=8a5e96fb-c793-457f-b78f-c667074223a5|layer_name=Network|match_table.layer_name=Network|rule_uid=88caafe8-df4c-4239-9087-75a612de2c9b|match_table.rule_uid=88caafe8-df4c-4239-9087-75a612de2c9b|rule_name=Splunk LEA|match_table.rule_name=Splunk LEA|rule_action=2|match_table.rule_action=2|parent_rule=0|match_table.parent_rule=0 sourcetype=syslog.opsec Aug 3 10:00:21 192.168.1.201 Fri Aug 3 10:00:21 Log host CPLogToSyslog: ContentVersion: 5; Uuid: {0x5b648a23,0x0,0xc901a8c0,0xc0000001}; SequenceNum: 1; Flags: 49152; Action: accept; Origin: 192.168.1.201; IfDir: <; InterfaceName: eth0; Alert: ; LogId: 0; OriginSicName: cn=cp_mgmt,o=gw-e0c5cb..8ah3wt; OriginSicName: cn=cp_mgmt,o=gw-e0c5cb..8ah3wt; log_type: connection; is_first_for_luuid: 131072; inzone: Local; outzone: Internal; service_id: cp_udp_85FA60B6_96D2_4AD7_ABCE_61C392C2F3F1; src: 192.168.1.201; dst: 192.168.1.250; proto: 17; match_id: 3; match_table.match_id: 3; layer_uuid: 8a5e96fb-c793-457f-b78f-c667074223a5; match_table.layer_uuid: 8a5e96fb-c793-457f-b78f-c667074223a5; layer_name: Network; match_table.layer_name: Network; rule_uid: 725d9a70-e3a2-4e3f-b313-737c6d53c754; match_table.rule_uid: 725d9a70-e3a2-4e3f-b313-737c6d53c754; rule_name: SIEM logging; match_table.rule_name: SIEM logging; rule_action: 2; match_table.rule_action: 2; parent_rule: 0; match_table.parent_rule: 0; aba_customer: SMC User; date: 3Aug2018; hour: 10:00:19; type: connection; Interface: > eth0; ProductName: VPN-1 & FireWall-1; svc: 9514; sport_svc: 53164; Using simple field extractions, we've been able to identify all the notable fields, but I'm sure there's a bit more that's required here. Sample current props + transforms props.conf [syslog.opsec] REPORT-extractfields = extract_opsec_fields transforms.conf [extract_opsec_fields] DELIMS = ";", ":"

georgen_splunk · ‎06-13-2018

updated for Enterprise versions 7.1 Indexer: $SPLUNK_HOME/etc/system/local/inputs.conf [default] host = indexerA1.chubbybunny.com [splunktcp-ssl:9997] compressed = true [SSL] sslPassword = password requireClientCert = false sslRootCAPath = $SPLUNK_HOME/etc/auth/ca.pem serverCert = $SPLUNK_HOME/etc/auth/server.pem Forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf [tcpout] defaultGroup = splunkssl [tcpout:splunkssl] compressed = true server = indexerA1.chubbybunny.com:9997 clientCert = $SPLUNK_HOME/etc/auth/server.pem sslPassword = password sslRootCAPath = $SPLUNK_HOME/etc/auth/ca.pem sslVerifyServerCert = false

georgen_splunk · ‎05-08-2018

try deleting the pointer file in the directory: $SPLUNK_home/var/lib/splunk/modinputs/checkpoint_opseclea/ And restart HWF/splunkd

georgen_splunk · ‎03-28-2018

thanks, Okie!

georgen_splunk · ‎02-06-2018

just had the same problem with our Deployer. Evidently, an app had multiple files exceeding 256 characters. Errors reported in splunkd.log regarding tar: Path/name too long To view your name + path limits: $getconf NAME_MAX /opt/splunk 255 $ getconf PATH_MAX /opt/splunk 4096

georgen_splunk · ‎11-07-2017

here's a nice search to validate your Check Point FW event data is successfully indexing FW event logs: index=_internal host= source="splunk_ta_checkpoint-opseclea_modinput.log" "Successfully indexed events:" |rex field=_raw "Successfully indexed events:\s(?.*)" |timechart span=600s sum(EVENT_COUNT) by connection

georgen_splunk · ‎10-18-2017

Secure method: append your CA's certificate that had signed the AppDynamics web_server cert to the TA’s list of trusted + verified providers in this file: $SPLUNK_HOME/etc/apps/Splunk_TA_AppDynamics/bin/splunk_ta_appdynamics/requests/cacert.pem -OR- Insecure method aka "Luuudicrous Mode." Disable SSL verify $SPLUNK_HOME/etc/apps/Splunk_TA_AppDynamics/bin/splunk_ta_appdynamics/modinput_wrapper/base_modinput.py line 474: headers=headers, cookies=cookies, verify=True, cert=cert Change to: headers=headers, cookies=cookies, verify=False, cert=cert

georgen_splunk · ‎09-14-2017

A bug has been filed for this issue in: SPL-144955. Contact Splunk support for more info.

georgen_splunk · ‎07-13-2017

This can also occur when the OPSEC App Name contains a combination of non-alphabetic and numeric characters. i.e SplunkLEA-US

georgen_splunk · ‎03-13-2017

cool!! just place ATTN: George in the subject line of your support request. Our teams will route the case over to me.

Posts	28
Solutions	2
Karma Given	65
Karma Received	24
Member Since	‎08-29-2016

Online Status	Offline
Date Last Visited	‎11-23-2020 12:43 PM

Does the Splunk Add-on for Check Point OPSEC LEA s...

Splunk Add-on for Check Point OPSEC LEA: Why am I ...

Splunk Add-on for Check Point OPSEC LEA 4.0.0: Is ...

Re: OPSEC LEA - connection to Smart Event : cpshar...

Re: Splunk Stream Tag for Certificate missing?

Re: Splunk Stream Tag for Certificate missing?

Re: Splunk apps: How do you resolve certificate ve...

Re: i am getting default send string logs from f5...

Re: Installing the Splunk App for Windows Infra an...

Re: Splunk Add-on for Check Point OPSEC LEA: Why a...

Re: Splunk Add-on for Check Point OPSEC LEA: Why a...

Re: Checkpoint R75.40 and OPSEC LEA

Re: Does the Splunk Add-on for Check Point OPSEC L...

Does the Splunk Add-on for Check Point OPSEC LEA s...

Re: What is the most simple way to enable SSL comm...

Re: Why did Splunk stopped logging and is throwing...

Re: What are all the URLs I need to open Splunk En...

Re: Why am I getting "Error while creating deploya...

Re: How can I validate the logging of successful c...

Re: Splunk App and Add-on for AppDynamics: Where d...

Re: Is geom mapping bugged for choropleth map when...

Re: Check Point OSPEC LEA app 2.0.2 Error: The re...

Re: Splunk Add-on for Check Point OPSEC LEA: How t...