I've recently set up LEA-LogGrabber, which is working fine from a communication point of view - the logs are being successfully retrieved from the Checkpoint Manager and fed into Splunk. However, I've noticed that I seem to be getting identical log entries repeated in my Splunk logs. This means that searches tend to return more data than necessary and also it's using up more of my daily Splunk license than it should.
It looks like the reference pointer in the file "lea_log_rec_num.cache" in $SPLUNK_HOME/etc/apps/lea-loggrabber-splunk/bin is somehow getting reset back to 0 regularly and therefore the whole logfile is being reread into Splunk on a regular basis.
For example, see the repeated commands below:
/opt/splunk/etc/apps/lea-loggrabber-splunk/bin$ cat lea_log_rec_num.cache
13271
/opt/splunk/etc/apps/lea-loggrabber-splunk/bin$ cat lea_log_rec_num.cache
13271
/opt/splunk/etc/apps/lea-loggrabber-splunk/bin$ cat lea_log_rec_num.cache
0
/opt/splunk/etc/apps/lea-loggrabber-splunk/bin$ cat lea_log_rec_num.cache
13271
Does anyone know what could be causing this behaviour and how to stop it from happening?
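One way to pin down when the pointer goes backwards, as an added example that is not part of the original post or the lea-loggrabber-splunk app: poll the cache file and record every decrease with a timestamp, so the resets can be lined up against the grabber's own log or its cron schedule. The file path is the one from the question; the poll interval, function names and the sample values are my own assumptions.

```python
"""Spot resets of the LEA-LogGrabber record pointer (added example).

Assumes lea_log_rec_num.cache holds a single integer, as the cat output in
the question shows. Any decrease means the next grabber run re-reads (and
re-indexes) every record from the new value onward.
"""
import time
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

CACHE_FILE = Path("/opt/splunk/etc/apps/lea-loggrabber-splunk/bin/lea_log_rec_num.cache")

# Constructed sample mirroring the question: (poll time, cache value).
SAMPLE = [(1.0, 13271), (2.0, 13271), (3.0, 0), (4.0, 13271)]


def parse_rec_num(text: str) -> Optional[int]:
    """Integer record number from the cache contents, or None if the file is
    empty or non-numeric (for example when it is read mid-write)."""
    text = text.strip()
    return int(text) if text.isdigit() else None


def classify(prev: Optional[int], ts, val: Optional[int]) -> Optional[dict]:
    """Compare one reading with the previous good one and return an event,
    or None when the pointer moved forward (or stayed put) as expected."""
    if val is None:
        return {"time": ts, "kind": "unreadable", "from": prev}
    if prev is not None and val < prev:
        # 'reindexed' is the duplicate volume the next run will send to Splunk.
        return {"time": ts, "kind": "reset", "from": prev, "to": val, "reindexed": prev - val}
    return None


def find_resets(samples: Iterable[Tuple[float, Optional[int]]]) -> List[dict]:
    """Run classify() over a series of (timestamp, value) samples."""
    events, prev = [], None
    for ts, val in samples:
        ev = classify(prev, ts, val)
        if ev:
            events.append(ev)
        if val is not None:
            prev = val
    return events


def watch(path: Path = CACHE_FILE, interval: float = 2.0, polls: Optional[int] = None) -> None:
    """Poll the cache file and print each event with a wall-clock time."""
    prev, n = None, 0
    while polls is None or n < polls:
        try:
            val = parse_rec_num(path.read_text())
        except FileNotFoundError:
            val = None  # treated like an empty read
        ev = classify(prev, time.strftime("%Y-%m-%d %H:%M:%S"), val)
        if ev:
            print(ev)
        if val is not None:
            prev = val
        n += 1
        time.sleep(interval)


if __name__ == "__main__":
    watch()
```

Run it alongside the grabber for a day and the printed reset times show whether the pointer drops at a fixed interval (a scheduled restart or cron job) or at irregular moments.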