This appears to be a bug in Checkpoint's app or their log server software. I did the above and followed everything correctly according to the documentation. The app pulled the certificate with no errors, but the data was not showing in the indexers. I changed the addon to debug logging and tailed the addon log and found the SIC error. It showed that the SIC name being sent by the CP server (log server) was not what the app had received during the certificate pull.
2018-05-03 19:51:11,159 +0000 log_level=ERROR, pid=7122, tid=Thread-133, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="CMA04-input" connection="xxxx" data="non_audit"]log_level=0 file:lea_loggrabber.cpp func_name:check_session_end_reason code_line_no:1056 :ERROR: Session end reason: SIC ERROR 111 - SIC Error for lea: Peer sent wrong DN: CN=xxxxx,O=xxxxxxxxxxxxxxxx..xxx
So I edited opseclea_connection.conf and changed opsec_entity_sic_name to match the DN text found in the debug log. Restarted Splunk and the logs started showing in the indexers.
This seems like a problem with the CP server in relation to the Splunk addon, as it provides the app with the wrong DN.
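The reconciliation the post describes by hand (read the "Peer sent wrong DN" line out of the addon debug log, compare it with opsec_entity_sic_name in opseclea_connection.conf, and rewrite the conf value) as an added Python example. This is not code from the post, the Check Point log server, or the Splunk add-on; the conf stanza layout, the connection name "xxxx", and both DN values are constructed for the example, and the log line follows the shape quoted in the post.

```python
import configparser
import io
import re

# Constructed sample stanza from opseclea_connection.conf. The stanza name is
# the connection name that also appears in the addon log. The key
# opsec_entity_sic_name is the one the post edits; the other key and both
# DN values are assumptions for this example.
SAMPLE_CONF = """
[xxxx]
opsec_entity_sic_name = CN=cp_mgmt_old,O=example..abc
lea_server_ip = 192.0.2.10
"""

# Constructed sample addon log, one normal line and one SIC error line in the
# format shown in the post (ta_opseclea_data_collector.py debug output).
SAMPLE_LOG = """
2018-05-03 19:51:10,001 +0000 log_level=INFO, pid=7122, tid=Thread-133, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=60 | [input_name="CMA04-input" connection="xxxx" data="non_audit"] starting lea session
2018-05-03 19:51:11,159 +0000 log_level=ERROR, pid=7122, tid=Thread-133, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="CMA04-input" connection="xxxx" data="non_audit"]log_level=0 file:lea_loggrabber.cpp func_name:check_session_end_reason code_line_no:1056 :ERROR: Session end reason: SIC ERROR 111 - SIC Error for lea: Peer sent wrong DN: CN=cp_mgmt,O=example..abc
"""

# Pull the connection name and the DN the peer actually presented out of a
# "SIC ERROR 111 ... Peer sent wrong DN:" line. A DN contains no spaces, so
# \S+ captures it whole.
_WRONG_DN = re.compile(
    r'connection="(?P<conn>[^"]+)".*?Peer sent wrong DN:\s*(?P<dn>\S+)'
)


def peer_dns_from_log(log_text):
    """Map connection name -> DN reported by the log server in SIC errors."""
    found = {}
    for line in log_text.splitlines():
        m = _WRONG_DN.search(line)
        if m:
            found[m.group("conn")] = m.group("dn")
    return found


def _parse_conf(conf_text):
    # interpolation=None so '%' in a value can never trip the parser.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp


def configured_sic_names(conf_text):
    """Map connection name -> opsec_entity_sic_name currently configured."""
    cp = _parse_conf(conf_text)
    return {s: cp[s].get("opsec_entity_sic_name") for s in cp.sections()}


def find_sic_mismatches(conf_text, log_text):
    """Return {connection: (configured_dn, peer_dn)} where the two differ."""
    configured = configured_sic_names(conf_text)
    peers = peer_dns_from_log(log_text)
    return {
        conn: (configured.get(conn), dn)
        for conn, dn in peers.items()
        if configured.get(conn) != dn
    }


def patched_conf(conf_text, log_text):
    """Return the conf text with opsec_entity_sic_name set to the peer's DN.

    Only stanzas that appear in both the conf and a SIC error line are
    touched; everything else is written back unchanged.
    """
    cp = _parse_conf(conf_text)
    for conn, (_, peer_dn) in find_sic_mismatches(conf_text, log_text).items():
        if cp.has_section(conn):
            cp[conn]["opsec_entity_sic_name"] = peer_dn
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for conn, (have, want) in find_sic_mismatches(SAMPLE_CONF, SAMPLE_LOG).items():
        print(f"{conn}: configured {have!r}, peer sent {want!r}")
    print(patched_conf(SAMPLE_CONF, SAMPLE_LOG))
```

Run it against a real opseclea_connection.conf and the addon log (with debug logging enabled, as the post does) to see which connections need the SIC name changed before restarting Splunk. One caveat: the SIC name is the identity the add-on checks the log server against, so before writing whatever DN shows up in the error line into the conf, confirm out of band that it really is the DN of the intended log server rather than simply accepting the value a peer presents.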