Configure OPSEC LEA input
From Splunk Wiki
If you run into trouble when you hit this bit:
<snip>
To retrieve this key, on the Solaris box:
cd opsec-tools/<solaris2>
opsec_putkey -ssl -port 18184 <Source IP address of checkpoint box>
</snip>
try using this syntax instead:
<snip>
opsec_putkey -ssl -port fw <source ip of the checkpoint box>
</snip>
Also, if you are trying to pull logs off of a Provider-1 instance and have difficulties accessing a CMA, check the following:
0 - mdsenv to the CMA in question
1 - modify the $CPDIR/conf/sic_policy.conf and find these lines:
#LEA:
ANY ; ANY ; 18184 ; fwn1_opsec ; fwn1, local_ipcheck
and change it to read:
ANY ; ANY ; 18184 ; ssl_opsec ; ssl, fwn1, local_ipcheck
Restart the CMA, restart Splunk, and you should see the LEA connector start working with the CMA.
--TDarley 03:25, 12 November 2009 (PST)
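The sic_policy.conf change from the post above, written out as an added example script (it is not from the wiki page or from Check Point): it swaps the LEA rule for the ssl_opsec form, keeps a timestamped backup, and refuses to touch the file unless the original rule is present verbatim, so a CMA whose policy differs from the text above is left alone rather than guessed at. The function name, the backup naming and the assumption that the rule line matches the page's text exactly (spaces, not tabs) are mine; run it after `mdsenv` on the CMA so that `$CPDIR` is the right one, then restart the CMA and Splunk as the post says.

```shell
#!/bin/sh
# Added example, not code from the wiki page or from Check Point.
# Switch the LEA rule in a CMA's sic_policy.conf from fwn1_opsec to
# ssl_opsec (the edit described in the post above), keeping a backup.
#
# Assumptions (mine, not the page's): the rule appears on one line exactly
# as quoted below, with single spaces around the semicolons; the function
# name enable_ssl_lea and the backup suffix are illustrative.
#
# Usage, after `mdsenv <CMA>`:
#   enable_ssl_lea "$CPDIR/conf/sic_policy.conf"

OLD_RULE='ANY ; ANY ; 18184 ; fwn1_opsec ; fwn1, local_ipcheck'
NEW_RULE='ANY ; ANY ; 18184 ; ssl_opsec ; ssl, fwn1, local_ipcheck'

# Returns 0 on success (or if the file was already converted),
# 1 if the file is missing, 2 if the LEA rule is not in the expected
# form, 3 if the backup could not be written.
enable_ssl_lea() {
    conf="$1"
    if [ ! -f "$conf" ]; then
        echo "enable_ssl_lea: $conf not found (did you mdsenv to the CMA?)" >&2
        return 1
    fi
    # Idempotent: already converted means nothing to do.
    if grep -qxF "$NEW_RULE" "$conf"; then
        return 0
    fi
    # Refuse to rewrite anything if the rule is not present verbatim;
    # a hand-edited policy should be changed by hand, not by a script.
    if ! grep -qxF "$OLD_RULE" "$conf"; then
        echo "enable_ssl_lea: LEA rule not found in expected form in $conf" >&2
        return 2
    fi
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)" || return 3
    # awk with an exact string comparison: the rule contains no regex
    # metacharacters today, but string equality keeps it that way.
    awk -v old="$OLD_RULE" -v new="$NEW_RULE" \
        '$0 == old { print new; next } { print }' "$conf" > "$conf.tmp" \
        && cat "$conf.tmp" > "$conf" \
        && rm -f "$conf.tmp"
    # Verify the rewrite actually landed before reporting success.
    grep -qxF "$NEW_RULE" "$conf"
}
```

Writing through `cat ... > "$conf"` rather than `mv` keeps the original file's owner and mode, which matters for a file under `$CPDIR/conf`; the `grep -x` at the end is the check that the CMA will pick up the ssl_opsec rule after its restart.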
I am attempting to set this up. I am using an Ubuntu 8.04 server VM with Splunk installed and trying to extract logs from an R65 Checkpoint appliance. I have followed the documentation. The two machines are communicating, but there are no logs being indexed in the Splunk server.
Has anybody been able to get this to work?
Hi Brian,
This sounds like something you could ask about in the Splunk IRC channel on EFnet:
efnet.org / #splunk
Rachel 11:42, 13 August 2009 (PDT)
Note: If you are installing it on 64-bit Debian Linux you will also need the ia32 libs (run 'apt-get install ia32-libs') in addition to the other instructions.
rforsythe 11:39 072710
It appears that the lea_loggrabber binary provided by Splunk uses the lea_dictionary_lookup function to resolve 'src' to a name instead of an IP address if possible. Is there any way to modify this behavior so that the IP is always provided? Is there (less likely) any way to modify this behavior so that both src-ip and src-name-if-available are provided as two separate fields?
Any help is appreciated!!!
gowen 7 July 2011
Hi Gowen,
I'd recommend asking about this in Splunk Answers: http://splunk-base.splunk.com/answers/
cheers,
Rachel 00:53, 12 July 2011 (UTC)