
Why Splunk Add-on for Check Point OPSEC LEA is not collecting any firewall logs?

MousumiChowdhur
Contributor

Hello everyone,

I am using the Splunk Add-on for Check Point OPSEC LEA on a Linux HF to collect the Check Point firewall logs. I have established the connection and configured the inputs (firewall events and firewall audit logs). I faced no internal error or issue while establishing the connection and configuring the inputs, but I am still not receiving any logs.
I checked splunk_ta_checkpoint-opseclea_modinput.log and splunk_ta_checkpoint-opseclea_ucc_lib.log to look for any errors. There is also network connectivity between the firewall device and my HF.

If anyone has faced such an issue, kindly help me if I am missing something.

Thank you!


tkopchak
SplunkTrust

Is this a standalone or distributed Check Point environment? (e.g., is there a dedicated management server, or do the management server and the firewall exist on the same server/appliance?)

Do you have an explicit firewall rule to allow the Splunk forwarder to communicate to your management server on the FW1_lea service? If you were able to pull the certificate successfully that would confirm that FW1_ica_pull is allowed at least. If you make any modifications to these rules you'll need to either install database to the management server, install policy to the firewall, or both (depending on the communication path and type of Check Point environment).


MousumiChowdhur
Contributor

I am able to pull the certificate successfully. The management server IP and the log server IP are different. Also, I have an explicit firewall rule to allow the Splunk forwarder to communicate with the management server on the FW1_lea service.


MousumiChowdhur
Contributor

Hi, I am getting the below error now.

2019-02-07 06:56:53,772 +0000 log_level=INFO, pid=8708, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8736 156715136]@xxxxxxxx[7 Feb  7:56:53] rand_add_seedfile: Failed to create mutex.: Permission denied
2019-02-07 06:56:53,785 +0000 log_level=INFO, pid=8708, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8739 161634432]@xxxxxxxx[7 Feb  7:56:53] rand_add_external_source: Failed to create mutex.: Permission denied
2019-02-07 06:56:53,785 +0000 log_level=INFO, pid=8708, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8739 161634432]@xxxxxxxx[7 Feb  7:56:53] rand_add_seedfile: Failed to create mutex.: Permission denied
2019-02-07 06:56:55,569 +0000 log_level=INFO, pid=8708, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8736 156715136]@xxxxxxxx[7 Feb  7:56:55] file_open_and_init: failed to create file: Permission denied
2019-02-07 06:56:55,583 +0000 log_level=INFO, pid=8708, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8739 161634432]@xxxxxxxx[7 Feb  7:56:55] file_open_and_init: failed to create file: Permission denied
2019-02-07 06:57:46,616 +0000 log_level=INFO, pid=8822, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8849 143599744]@xxxxxxxx[7 Feb  7:57:46] file_open_and_init: failed to create file: Permission denied
2019-02-07 06:57:46,618 +0000 log_level=INFO, pid=8822, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8853 140867712]@xxxxxxxx[7 Feb  7:57:46] file_open_and_init: failed to create file: Permission denied
2019-02-07 06:57:47,952 +0000 log_level=INFO, pid=8822, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8849 143599744]@xxxxxxxx[7 Feb  7:57:47] rand_add_external_source: Failed to create mutex.: Permission denied
2019-02-07 06:57:47,952 +0000 log_level=INFO, pid=8822, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8849 143599744]@xxxxxxxx[7 Feb  7:57:47] rand_add_seedfile: Failed to create mutex.: Permission denied
2019-02-07 06:57:47,972 +0000 log_level=INFO, pid=8822, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8853 140867712]@xxxxxxxx[7 Feb  7:57:47] rand_add_external_source: Failed to create mutex.: Permission denied
2019-02-07 06:57:47,973 +0000 log_level=INFO, pid=8822, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8853 140867712]@xxxxxxxx[7 Feb  7:57:47] rand_add_seedfile: Failed to create mutex.: Permission denied
2019-02-07 06:57:49,890 +0000 log_level=INFO, pid=8822, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8853 140867712]@xxxxxxxx[7 Feb  7:57:49] file_open_and_init: failed to create file: Permission denied
2019-02-07 06:57:49,971 +0000 log_level=INFO, pid=8822, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8849 143599744]@xxxxxxxx[7 Feb  7:57:49] file_open_and_init: failed to create file: Permission denied
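
The entries above parsed into a per-input summary, as an added example that is not part of the original thread: it matches the modinput log shape shown (Splunk TA prefix, then the OPSEC library's own `[ pid tid]@host[date] function: message` suffix) and groups the Permission denied failures by input name and process, which shows whether every input fails on the same calls and whether the failure survives a restart (new pid). The sample is a constructed subset of the post's log plus one constructed non-error line.

```python
import re
from collections import defaultdict

# Constructed sample: four lines in the shape of the post's modinput log, plus one
# constructed line without the OPSEC suffix to show that non-error lines are skipped.
SAMPLE_LOG = """\
2019-02-07 06:56:50,100 +0000 log_level=INFO, pid=8708, tid=MainThread, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=60 | constructed non-error line, no OPSEC suffix
2019-02-07 06:56:53,772 +0000 log_level=INFO, pid=8708, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8736 156715136]@xxxxxxxx[7 Feb  7:56:53] rand_add_seedfile: Failed to create mutex.: Permission denied
    2019-02-07 06:56:53,785 +0000 log_level=INFO, pid=8708, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8739 161634432]@xxxxxxxx[7 Feb  7:56:53] rand_add_external_source: Failed to create mutex.: Permission denied
    2019-02-07 06:56:55,569 +0000 log_level=INFO, pid=8708, tid=Thread-9, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="fw events" connection="fw_mgmt" data="fw"][ 8736 156715136]@xxxxxxxx[7 Feb  7:56:55] file_open_and_init: failed to create file: Permission denied
    2019-02-07 06:57:46,618 +0000 log_level=INFO, pid=8822, tid=Thread-11, file=ta_opseclea_data_collector.py, func_name=get_logs, code_line_no=75 | [input_name="opsec_firewall" connection="fw_mgmt" data="fw"][ 8853 140867712]@xxxxxxxx[7 Feb  7:57:46] file_open_and_init: failed to create file: Permission denied
"""

# Splunk TA prefix, then "[input_name=... connection=... data=...]", then the OPSEC
# library's "[ pid tid]@host[date] function: message" tail.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \S+ '
    r'log_level=(?P<level>\w+), pid=(?P<pid>\d+), tid=(?P<tid>[^,]+), '
    r'file=(?P<file>[^,]+), func_name=(?P<func>[^,]+), code_line_no=(?P<line>\d+) \| '
    r'\[input_name="(?P<input>[^"]*)" connection="(?P<conn>[^"]*)" data="(?P<data>[^"]*)"\]'
    r'\[[^\]]*\]@(?P<host>[^\[]*)\[[^\]]*\] (?P<opsec_func>\w+): (?P<msg>.*)$'
)

def parse_line(line):
    """Return the fields of an OPSEC-suffixed log line, or None for any other line."""
    m = LINE_RE.match(line.strip())  # strip() tolerates the indented lines from the post
    return m.groupdict() if m else None

def summarize_permission_errors(text):
    """Group 'Permission denied' entries by input: count, failing OPSEC calls, pids seen."""
    summary = defaultdict(lambda: {"count": 0, "calls": set(), "pids": set()})
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None or "Permission denied" not in rec["msg"]:
            continue
        entry = summary[rec["input"]]
        entry["count"] += 1
        entry["calls"].add(rec["opsec_func"])
        entry["pids"].add(int(rec["pid"]))
    return dict(summary)

if __name__ == "__main__":
    for name, info in summarize_permission_errors(SAMPLE_LOG).items():
        print(f'{name}: {info["count"]} permission-denied errors across pids '
              f'{sorted(info["pids"])}; failing calls: {", ".join(sorted(info["calls"]))}')
```

Point it at the real splunk_ta_checkpoint-opseclea_modinput.log to see, per input, whether both the mutex creation and the file creation keep failing after splunkd restarts; the same calls failing for every input and every pid points at the account splunkd runs as rather than at one input's configuration.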

lakshman239
Influencer

Looks like the 'user' running the process does not have the required permissions/privileges. Could you check that? Also, will this help? - https://www.giac.org/paper/gsna/154/auditing-check-point-secureplat-formng-apaplication-inteligence-...


MousumiChowdhur
Contributor

Hi @lakshman239,

I checked all the permissions of the user running the process. Also, the same user with the same privileges is running Check Point in some other environment, and I am not facing any issue there. Can you be more specific about which process that could be that needs any special permission?
