Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About zeebo101
zeebo101
Explorer
Member since:
03-13-2017
06-05-2020
Community Statistics
| Posts | 5 |
| Solutions | 1 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 03-13-2017 |
Activity Feed
- Posted Re: Splunk Add-on for Check Point OPSEC LEA: How to resolve error "Invalid key in stanza [schq] in Splunk_TA_checkpoint-opseclea/local/opseclea_connection.conf"? on All Apps and Add-ons. 03-16-2017 10:02 AM
- Posted Re: Splunk Add-on for Check Point OPSEC LEA: How to resolve error "Invalid key in stanza [schq] in Splunk_TA_checkpoint-opseclea/local/opseclea_connection.conf"? on All Apps and Add-ons. 03-16-2017 01:52 AM
- Posted Re: Splunk Add-on for Check Point OPSEC LEA: How to resolve error "Invalid key in stanza [schq] in Splunk_TA_checkpoint-opseclea/local/opseclea_connection.conf"? on All Apps and Add-ons. 03-14-2017 12:45 AM
- Posted Re: Splunk Add-on for Check Point OPSEC LEA: How to resolve error "Invalid key in stanza [schq] in Splunk_TA_checkpoint-opseclea/local/opseclea_connection.conf"? on All Apps and Add-ons. 03-13-2017 01:12 PM
- Posted Splunk Add-on for Check Point OPSEC LEA: How to resolve error "Invalid key in stanza [schq] in Splunk_TA_checkpoint-opseclea/local/opseclea_connection.conf"? on All Apps and Add-ons. 03-13-2017 03:04 AM
- Tagged Splunk Add-on for Check Point OPSEC LEA: How to resolve error "Invalid key in stanza [schq] in Splunk_TA_checkpoint-opseclea/local/opseclea_connection.conf"? on All Apps and Add-ons. 03-13-2017 03:04 AM
- Tagged Splunk Add-on for Check Point OPSEC LEA: How to resolve error "Invalid key in stanza [schq] in Splunk_TA_checkpoint-opseclea/local/opseclea_connection.conf"? on All Apps and Add-ons. 03-13-2017 03:04 AM
- Tagged Splunk Add-on for Check Point OPSEC LEA: How to resolve error "Invalid key in stanza [schq] in Splunk_TA_checkpoint-opseclea/local/opseclea_connection.conf"? on All Apps and Add-ons. 03-13-2017 03:04 AM
- Tagged Splunk Add-on for Check Point OPSEC LEA: How to resolve error "Invalid key in stanza [schq] in Splunk_TA_checkpoint-opseclea/local/opseclea_connection.conf"? on All Apps and Add-ons. 03-13-2017 03:04 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 |
03-16-2017
10:02 AM
Clean install of Centos7 still had this error. I did some googling and saw that splunk had pretty much re-used the opensource version of this app (log grabber etc) but the splunk built GUI adds the management_ip line int he opseclea-cong file... Removing this line and changing the LEA port to a different one on the server and the firewall seemed to resolve it.
... View more
03-16-2017
01:52 AM
Ok, so splunk support won't help as our contract expired (I emailed the account manager but he doesn't reply), so I'm on my own. I will wipe my machine and do a complete reinstall of centos, splunk and cp add on.. however I have tried this already so not too hopeful. I might try an older version of the add-on as i can see other people have this working.
Could i just ask, does anyone have this working with R77.30 and single smartcentre? I have a feeling that most use provider-1
... View more
03-14-2017
12:45 AM
Ok so from the logs i can see that it seems to complain about the CPDIR not being set, and access to the registry. The CPDIR variable is set however. Could this be an access issue? Like the splunk_TA needs to run as expert or something?
Im limited with the characters i can paste here so I will try to send it via support.. however some parts i think might be useful:
log_level=2 file:lea_loggrabber.cpp func_name:main_worker code_line_no:1220 :Didn't find file, start read normal file: filename=fw.log, fileid=1
log_level=3 file:lea_loggrabber.cpp func_name:read_fw1_logfile code_line_no:1406 :Start reading fw.log 1
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: -v
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: opsec_sic_name
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: CN=SplunkLEA,O=schq.domain.com.fjj4jw
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: -v
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: opsec_sslca_file
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/schq_2654242918.p12
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: -v
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: lea_server
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: ip
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: 10.10.10.38
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: -v
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: lea_server
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: auth_port
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: 18184
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: -v
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: lea_server
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: auth_type
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: sslca
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: -v
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: lea_server
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: opsec_entity_sic_name
log_level=3 file:lea_loggrabber.cpp func_name:getSplunkLeaConfigArgs code_line_no:517 :lea arg: CN=cp_mgmt,O=schq.domain.com.fjj4jw
[ 16075 4151331648]@localhost.localdomain[14 Mar 9:24:32] Env Configuration:
(
:type (opsec_info)
:lea_server (
:opsec_entity_sic_name ("CN=cp_mgmt,O=schq.domain.com.fjj4jw")
:auth_type (sslca)
:auth_port (18184)
:ip (10.10.10.38)
)
:opsec_sslca_file ("/opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/schq_2654242918.p12")
:opsec_sic_name ("CN=SplunkLEA,O=schq.domain.com.fjj4jw")
)
[ 16075 4151331648]@localhost.localdomain[14 Mar 9:24:32] Could not find info for ...opsec_shared_local_path...
[ 16075 4151331648]@localhost.localdomain[14 Mar 9:24:32] Could not find info for ...opsec_sic_policy_file...
[ 16075 4151331648]@localhost.localdomain[14 Mar 9:24:32] Could not find info for ...opsec_mt...
[ 16075 4151331648]@localhost.localdomain[14 Mar 9:24:32] opsec_init: multithread safety is not initialized
[ 16075 4151331648]@localhost.localdomain[14 Mar 9:25:32] cpprng_opsec_initialize: dev_urandom_poll returned 0
[ 16075 4151331648]@localhost.localdomain[14 Mar 9:25:32] opsec_file_is_intialized: seed is initialized
[ 16075 4151331648]@localhost.localdomain[14 Mar 9:25:32] cpprng_opsec_initialize: seed init for opsec succeeded
[ 16075 4151331648]@localhost.localdomain[14 Mar 9:25:32] PM_policy_create: version 5301.
[ 16075 4151331648]@localhost.localdomain[14 Mar 9:25:32] PM_policy_add_name_to_group: finished successfully.
[ 16075 4151331648]@localhost.localdomain[14 Mar 9:25:32] PM_policy_set_local_names: () names. finished successfully.
[ 16075 4151331648]@localhost.localdomain[14 Mar 9:25:32] PM_policy_create: finished successfully.
[ 16075 4151331648]@localhost.localdomain[14 Mar 9:25:32] PM_policy_add_name_to_group: finished successfully.
[ 16075 4151331648]@localhost.localdomain[14 Mar 9:25:32] PM_policy_set_local_names: (local_sic_name) names. finished successfully.
[ 16075 4151331648]@localhost.localdomain[14 Mar 9:25:32] PM_policy_add_name_to_group: finished successfully.
[ 16075 4151331648]@localhost.localdomain[14 Mar 9:25:32] PM_policy_set_local_names: (127.0.0.1) names. finished successfully.
[ 16075 4151331648]@localhost.localdomain[14 Mar 9:25:32] PM_policy_add_name_to_group: finished successfully.
[ 16075 4151331648]@localhost.localdomain[14 Mar 9:25:32] PM_policy_set_local_names: ("CN=SplunkLEA,O=schq.domain.com.fjj4jw") names. finished successfully.
[ 16075 4151331648]@localhost.localdomain[14 Mar 9:25:32] PM_apply_default_dn: ca_dn = [O=schq.domain.com.fjj4jw].
[ 16075 4151331648]@localhost.localdomain[14 Mar 9:25:32] PM_apply_default_dn: calling PM_policy_DN_conversion ..
[ 16075 4151331648]@localhost.localdomain[14 Mar 9:25:32] PM_apply_default_dn: finished successfully.
[ 16075 4151331648]@localhost.localdomain[14 Mar 9:25:32] fwPubKeyfromPKCS8: decoding RSA key
[ 16075 4151331648]@localhost.localdomain[14 Mar 9:25:32] ckpSSLctx_New: prefs = 12
[ 16075 4151331648]@localhost.localdomain[14 Mar 9:25:32] CkpRegDir: Environment variable CPDIR is not set.
[ 16075 4151331648]@localhost.localdomain[14 Mar 9:25:32] GenerateGlobalEntry: Unable to get registry path
[ 16075 4151331648]@localhost.localdomain[14 Mar 9:25:32] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 16075 4151331648]@localhost.localdomain[14 Mar 9:25:32] ckpSSLctx_New: prefs = 12
[ 16075 4151331648]@localhost.localdomain[14 Mar 9:25:32] CkpRegDir: Environment variable CPDIR is not set.
[ 16075 4151331648]@localhost.localdomain[14 Mar 9:25:32] GenerateGlobalEntry: Unable to get registry path
[ 16075 4151331648]@localhost.localdomain[14 Mar 9:25:32] cpcrypto_get_registry_value: could not find key 'Get_Disable_RC4' in registry path 'SOFTWARE\CheckPoint\FW1'.
[ 16075 4151331648]@localhost.localdomain[14 Mar 9:25:32] opsec_init_sslca: calling sic_set_auth_handler_save_opaque, server_opaque - defs = 0xf6e074c8, client_opaque - defs = 0xf6e074c8
[ 16075 4151331648]@localhost.localdomain[14 Mar 9:25:32] ckpSSLctx_New: prefs = 32
... View more
03-13-2017
01:12 PM
Hi, Georgen,
I will check those logs as you said and put the findings in this post. How can I get more info from support? Who / how should i contact them?
Thanks
... View more
03-13-2017
03:04 AM
Hello,
Setup:
Centos7(64) with pam.i686 and gclibd.i686 - Splunk 6.5.2 - Checkpoint_splunk_TA 4.1.0(build 1) - iptables permitted 18184 18210
Checkpoint R77.30 on Gaia Single management (smartcentre) server that is the one and only log host. Not running provider-1.
Problem:
I have managed to install the Splunk Add-on for Check Point OPSEC LEA and configure the connection. I have followed the document carefully and i have successfully pulled the certificate from checkpoint (as described in the notes for this add-on), and established SIC. I have created the connection, but never receive any logs and when I run splunk btool check, I get this error:
[root@localhost bin]# ./splunk btool check
Invalid key in stanza [schq] in /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_connection.conf, line 9: management_server_ip (value: 10.10.10.38)
The conf file is:
[schq]
cert_name = schq_2654242918.p12
fw_version = R77
lea_app_name = SplunkLEA
lea_server_auth_port = 18184
lea_server_auth_type = sslca
lea_server_ip = 10.10.10.38
lea_server_type = primary
management_server_ip = 10.10.10.38
opsec_entity_sic_name = CN=cp_mgmt,O=schq.domain.com.fjj4jw
opsec_sic_name = CN=SplunkLEA,O=schq.domain.com.fjj4jw
disabled = 0
I have ip tables open for 18210 18184 and can see the fw-ica-pull when the certificate is successfully retrieved and SIC is working fine.
I have a single management server which is also the only log server, so the log server and management server IP are the same.
I have read all of the answers i could find and all of the troubleshooting in: http://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Setup2 but I'm stuck.
I would be very happy for any help you can offer.
Thanks
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
