Hello,
First post from a Splunk noob, so please go easy on me.
**Setup:**
Splunk 6.5.2 - Centos7(64) - Checkpoint_TA 4.1.0 (build1)
Checkpoint R77.30 single management server (smartcentre svr not provider-1)
**Issue:**
I have managed to install the Checkpoint_TA, configure the connection and successfully pull the certificate as described in the notes for the app. However, I never get any data from Checkpoint. When I run `splunk btool check` I get:
```
Invalid key in stanza [schq] in /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/local/opseclea_connection.conf, line 9: management_server_ip (value: 10.10.10.38)
```
The conf file is:
```
[schq]
cert_name = schq_2654242918.p12
fw_version = R77
lea_app_name = SplunkLEA
lea_server_auth_port = 18184
lea_server_auth_type = sslca
lea_server_ip = 10.10.10.38
lea_server_type = primary
management_server_ip = 10.10.10.38
opsec_entity_sic_name = CN=cp_mgmt,O=schq.domain.com.fjj4jw
opsec_sic_name = CN=SplunkLEA,O=schq.domain.com.fjj4jw
disabled = 0
```
I have iptables open for 18210 and 18184 and can see the fw-ica-pull when the certificate is successfully retrieved, and SIC is working fine.
I have a single management server which is also the only log server, so the log server and management server IP are the same.
Any help you could offer would be fantastic!
Thanks
I have been following this: http://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Setup2