Hi All, For the past couple of days we have not been receiving firewall-related data in Splunk. When we search **index=net_fw sourcetype=opsec**
we get no data found, and we could not find any errors related to OPSEC in splunkd.log.
OPSEC is configured on one of the Heavy Forwarder instances. So kindly let me know how to manually start the OPSEC service from the command line and also how to check the status of the OPSEC service from the command line.
Path: /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/local/opsec.conf

```
[LEA-smart03]
collect_audit = 0
fw_version = 77
is_disabled = 0
lea_server_auth_port = 18184
lea_server_auth_type = sslca
lea_server_ip = 168.133.28.53
opsec_entity_sic_name = cn=cp_mgmt,o=xxxx01.xxx.com.xxx25
opsec_sic_name = CN=SplunkLEA-3,O=xxxx01.xxx.com.xxx25
opsec_sslca_file = ../certs/LEA-smart03.p12
disabled = 0
conn_buf_size = 5120000
online_mode = 1
no_resolve = 1

[LEA-smart03-audit]
collect_audit = 1
fw_version = 77
is_disabled = 0
lea_server_auth_port = 18184
lea_server_auth_type = sslca
lea_server_ip = 168.120.10.10
opsec_entity_sic_name = cn=cp_mgmt,o=xxxx01.xxx.com.xxx25
opsec_sic_name = CN=SplunkLEA-3,O=xxxx01.xxx.com.xxx25
opsec_sslca_file = ../certs/LEA-smart03.p12
disabled = 0
```
Thanks in advance.