I have a similar problem, but with the error "Client could not choose an authentication method for service lea".
I've tried everything that I found on Splunkbase and the internet.
Does anyone have any ideas?
This is a fragment from the debug log:
Could not find info for ...opsec_sic_policy_file...
Could not find info for ...opsec_mt...
opsec_init: multithread safety is not initialized
cpprng_opsec_initialize: dev_urandom_poll returned 0
opsec_file_is_intialized: seed is initialized
cpprng_opsec_initialize: seed init for opsec succeeded
PM_policy_create: version 5301.
PM_policy_add_name_to_group: finished successfully.
PM_policy_set_local_names: () names. finished successfully.
PM_policy_create: finished successfully.
PM_policy_add_name_to_group: finished successfully.
PM_policy_set_local_names: (local_sic_name) names. finished successfully.
PM_policy_add_name_to_group: finished successfully.
PM_policy_set_local_names: (127.0.0.1) names. finished successfully.
PM_policy_add_name_to_group: finished successfully.
PM_policy_set_local_names: ("CN=SplunkLEA,O=XXXXXX..xxxxxx") names. finished successfully.
PM_apply_default_dn: ca_dn = [O=XXXXXX..xxxxxx].
PM_apply_default_dn: calling PM_policy_DN_conversion ..
PM_apply_default_dn: finished successfully.
ckpSSLctx_New: prefs = 12
ckpSSLctx_New: prefs = 12
ckpSSLctx_New: prefs = 32
ckpSSLctx_New: prefs = 11
ckpSSLctx_New: prefs = 31
ckpSSLctx_New: prefs = 12
sslcaInitCP_Ex: using asym client without ca cert
ckpSSLctx_New: prefs = 12
ckpSSLctx_New: prefs = 12
sslcaInitCP_Ex: using asym client without ca cert
ckpSSLctx_New: prefs = 32
ckpSSLctx_New: prefs = 32
sslcaInitCP_Ex: using asym client without ca cert
ckpSSLctx_New: prefs = 11
ckpSSLctx_New: prefs = 11
sslcaInitCP_Ex: using asym client without ca cert
ckpSSLctx_New: prefs = 31
ckpSSLctx_New: prefs = 31
opsec_init_sic_id_internal: Added sic id (ctx id = 0)
splunk internal call command: $SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/log_status/1@
splunk output: QUERYING: 'https://127.0.0.1:8089/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/log_status/1@'
FAILED: 'HTTP/1.1 404 Not Found'
Content:
<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="ERROR">In handler 'log_status': Could not find object id=1@</msg>
</messages>
</response>
splunkd request failed, 404:
$SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/log_status/1@
QUERYING: 'https://127.0.0.1:8089/servicesNS/nobody/Splunk_TA_opseclea_linux22/opsec/log_status/1@'
FAILED: 'HTTP/1.1 404 Not Found'
Content:
<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="ERROR">In handler 'log_status': Could not find object id=1@</msg>
</messages>
</response>
DEBUG: Starting fw.log 1 at offset -1
DEBUG: OPSEC LEA conf file is lea.conf
DEBUG: Authentication mode has been used.
DEBUG: Server-IP : 192.168.10.1
DEBUG: Server-Port : 18184
DEBUG: Authentication type: sslca
DEBUG: OPSEC sic certificate file name : ../certs/SplunkLEA.p12
DEBUG: Server DN (sic name) : CN=SplunkLEA,O=XXXXXX..xxxxxx
DEBUG: OPSEC LEA client DN (sic name) : CN=SplunkLEA,O=XXXXXX..xxxxxx
opsec_init_entity_sic: called for the client side
Configuring entity lea_server
Could not find info for ...conn_buf_size...
Could not find info for ...no_nagle...
Could not find info for ...port...
opsec_entity_add_sic_rule: adding rules: apply_to: ME, peer: CN=SplunkLEA,O=XXXXXX..xxxxxx, d_ip: NULL, dport 18184, svc: lea, method: sslca
opsec_entity_add_sic_rule: adding INBOUND rule
opsec_entity_add_sic_rule: adding OUTBOUND rule
DEBUG: Starting at position: -1
opsec_get_comm: creating comm for ent=96c5a70 peer=96c5578 passive=0 key=2 info=0
c=0x96c5a70 s=0x96c5578 comm_type=4
Could not find info for ...opsec_client...
opsec_get_comm: Creating session hash (size=256)
opsec_get_comm: ADDING comm=0x96d0368 to ent=0x96c5a70 with key=2
opsec_env_get_context_id_by_peer_sic_name: found context id=0 for peer sic name=CN=SplunkLEA,O=XXXXXX..xxxxxx
opsec_env_get_sic_handle_by_context_id: found sic handle (ctx id=0)
opsec_sic_connect: connecting... (ctx id=0)
peers addresses are
192.168.10.18
DEBUG: function read_fw1_logfile_start
DEBUG: OPSEC session start handler was invoked
SESSION ID:3 is sending DG_TYPE=1
pushing dgtype=1 len=0 to list=0x96d0384
SESSION ID:3 is sending DG_TYPE=402
pushing dgtype=402 len=20 to list=0x96d0384
SESSION ID:3 is sending DG_TYPE=40c
pushing dgtype=40c len=0 to list=0x96d0384
fwasync_conn_params: <c0a80a12,40631> -> <c0a80a01,18184>
fwasync_connbuf_realloc: reallocating 0 from 0 to 1028
fwasync_connbuf_realloc: reallocating 0 from 0 to 1028
sic_client_set_version: 10: protocol version is 59000000
PM_session_init: given session O(CN=SplunkLEA,O=XXXXXX..xxxxxx;local_sic_name;18184;lea).
PM_policy_query: input session O(CN=SplunkLEA,O=XXXXXX..xxxxxx;local_sic_name;18184;lea).
PM_policy_query: rule not found.
PM_policy_query: finished successfully. 1st method = deny
PM_policy_choose: finished successfully. choose: DENY.
policy_choose: choose failed.
sic_client_negotiate_auth_method: policy choose failed.
fwasync_mux_in: 10: handler returned with error
sic_client_end_handler: for conn id = 10
opsec_auth_client_connected: connect failed (119)
opsec_auth_client_connected: SIC Error for lea: Client could not choose an authentication method for service lea
opsec_auth_client_connected:conn=(nil) opaque=0x96dbb00 err=0 comm=0x96d0368
comm failed to connect 0x96d0368
OPSEC_SET_ERRNO: err = 8 Comm is not connected/Unable to connect (pre = 8)
COM 0x96d0368 got signal 131075
destroying comm 0x96d0368
Destroying comm 0x96d0368 with 1 active sessions
Destroying session (96db450) id 3 (ent=96c5a70) reason=SIC_FAILURE
SESSION ID:3 is sending DG_TYPE=3
DEBUG: OPSEC_SESSION_END_HANDLER called
ERROR: SIC ERROR 119 - SIC Error for lea: Client could not choose an authentication method for service lea
opsec_comm_is_needed:comm 0x96d0368 1/1 sessions need the comm.
pulling dgtype=1 len=0 to list=0x96d0384
pulling dgtype=402 len=20 to list=0x96d0384
pulling dgtype=40c len=0 to list=0x96d0384
pulling dgtype=ffffffff len=-1 to list=0x96d0384
REMOVING comm=0x96d0368 from ent=0x96c5a70 with key=2
T_event_mainloop_e: T_event_mainloop_iter returns 0
DEBUG: function cleanup_fw1_environment
Destroying entity 1 with 0 active comms
opsec_destroy_entity_sic: deleting sic rules for entity 0x96c5a70
Destroying entity 2 with 0 active comms
opsec_destroy_entity_sic: deleting sic rules for entity 0x96c5578
IpcUnMapFile: unmapping file (handle=0x96ca890)
IpcUnMapFile: unmapping file (handle=0x96c98d8)
IpcUnMapFile: unmapping file (handle=0x96c9948)
IpcUnMapFile: unmapping file (handle=0x96da690)
IpcUnMapFile: unmapping file (handle=0x96da700)
PM_policy_destroy: finished successfully.
opsec_destroy_sic_id_internal: Destroyed sic id (ctx id=0)
opsec_env_destroy_sic_id_hash: Destroyed sic id hash
fwd_env_destroy: env 0x96a93b0 (alloced = 1)
T_env_destroy: env 0x96a93b0
do_fwd_env_destroy: really destroy 0x96a93b0
DEBUG: function close_screen
DEBUG: Close connection to screen.
DEBUG: function exit_loggrabber
DEBUG: function free_lfield_arrays
DEBUG: function free_afield_arrays
DEBUG: function free_lfield_arrays
DEBUG: function free_afield_arrays