I had the same issue and coudn't fix it by following the guidelines above and updating the binaries in: $SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/bin/opsec-tools I fixed it this way: 1. I saw that the new SIC certificate was PULLED SUCCESSFULLY from the CheckPoint server regardless the error message "External handler failed with code '1' and output: 'REST ERROR[400]: Bad Request..." The certificate was available in "$SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/certs" 2. I manually editted the opseclea_connection.conf in "$SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/local" and added the new certificate under the problematic connection stanza: [connection_stanza_name] cert_name = connection_1234567890.p12 <-- Put the name of the new certificate here fw_version = R80 lea_app_name = Splunk_Server_LEA lea_server_auth_port = 18184 lea_server_auth_type = sslca lea_server_ip = 10.10.10.10 lea_server_type = primary management_server_ip = 10.10.10.11 opsec_entity_sic_name = CN=***,O=*** opsec_sic_name = CN=Splunk_Server_LEA,O=*** disabled = 0 No need to restart splunkd! The connection started working right away. No error messages anymore. I hope it helps colleagues who had the same issue. ... View more

That worked for me: Move installation file (.msi) to a temporary folder: c:\temp\splunk-<version>-x64-release.msi Open a command prompt (CMD) with administrative privileges and start installation with enhanced logging: msiexec /i c:\temp\splunk-<version>-x64-release.msi /l*vx msiexec.log Seems like the installation with enhanced logging scared it and it worked 🙂 Thank you very much for that hint, jobe256 ... View more

I was getting the same error message when I tried to ingest data from CheckPoint LogExporter Log Server to Intermediate Heavy Forwarder. I tried to use port numbers below 1024 and 9997. It is not mentioned anywhere in the documentation that you can't use these ports to ingest data from LogExporter to Splunk. It turned-out that you can't use port numbers below 1024 if you are not running as "root" or "root privileges". You can't also use port 9997, because it's reserved for "cooked" data ingestion from Splunk Forwarder to indexer or heavy forwarder. In the end, I chose port 18188 and it worked. I hope that this info helps someone who runs into the same problem as I did. ... View more

I had a similar problem. Our setup is: CheckPoint Log Server => Splunk Intermediate Heavy Forwarder => Splunk Cloud indexer. The Intermediate HF was set-up to listen on TCP 514 from limited list of IP addresses (CheckPoint Log Servers). It didn't work, because you are not allowed to listen on ports below 1024 on Linux if you don't have root privileges. The intermediate HF was sending "Reset" packages to the LogExporter Log server. After that, I changed the port to 9997, but it didn't work as well, because this port is reserved for Splunk "cooked" data ingestion from Splunk instances. Finally, I made it work after selecting the port 18188. This port turned-out to be free and not reserved for other apps. This is example of my inputs.conf on the Heavy Forwarder: [tcp://1.2.3.4:18188] host = checkpoint_host_1 sourcetype = cp_log index = logexporter_index [tcp://1.2.3.5:18188] host = checkpoint_host_2 sourcetype = cp_log index = logexporter_index [tcp://1.2.3.6:18188] host = checkpoint_host_3 sourcetype = cp_log index = logexporter_index The outputs.conf file is set to send the data to the cloud: [tcpout] defaultGroup = splunkcloud [tcpout:splunkcloud] server = input_host.splunkcloud.com:9997 compressed = false Seems like the port number is very important and you cannot select just any random port... Also you need to check if the traffic is not being blocked on a Firewall device between the Log Server and Splunk instance. I hope that this info is helpful, because I didn't find anything like that in the CheckPoint Log Exporter documentation.  ... View more