Configure OPSEC LEA Input
This package contains all the necessary files to create an OPSEC LEA bundle
to drop into Splunk 3.0 or later. It functions on Linux and on Solaris
with gmake and gcc installed.
Installation
In the working directory of the uncompressed archive execute
make -f Makefile.linux install
or
make -f Makefile.solaris install
depending on your platform. This compiles and links the necessary
objects and creates a Splunk bundle in the "lea-bundle" directory. If
there are compilation errors, please contact Splunk support.
Once the make command has been successfully executed, copy the
lea-bundle directory to your $SPLUNK_HOME/etc/bundles directory. The
directory $SPLUNK_HOME/etc/bundles/lea-bundle should exist when this
is done.
If the make fails, you are probably missing one or more of the following packages.
(Debian/Ubuntu)
libpam-modules
libpam-runtime
libpam0g-dev
libelf-dev
libstdc++6-4.1-dev
Checkpoint Modification
You need to add an OPSEC LEA application object to the Check Point configuration.
In the Check Point Dashboard, click Manage -> Servers and OPSEC
Applications. Add an entry named SplunkLEA (vendor: user-defined;
make sure LEA is ticked under client entities). Click Communication in
the LEA configuration screen and enter a one-time password as the
activation key; the dialog then shows the object's DN. Record this DN:
it is the opsec_sic_name value in LEA.conf. The activation key is used
once, by opsec_pull_cert in the next step, to establish trust.
Use the following utility to extract the certificate in order to
communicate with the LEA server:
cd opsec-tools
./opsec_pull_cert -h <ip of checkpoint box> -n <object> -p <password>
(e.g. opsec_pull_cert -h 10.1.1.96 -n SplunkLEA -p <password>)
This produces a file in the current directory called opsec.p12;
place that file in the lea-bundle directory. It holds the LEA client's
private key and certificate, so make it readable only by the user
Splunk runs as.
(NOTE: For opsec_pull_cert to work, the Check Point rule base must
accept FW1_ica_pull (TCP 18210) from the Splunk host to the management
server. For the LEA session itself you also need a rule accepting
FW1_lea (TCP 18184) from the Splunk host.)
Configuration
There are three relevant configuration files in the lea-bundle directory.
Inputs.conf is a Splunk configuration file. See the Splunk documentation
for information on how to modify this configuration. The default
configuration will place any information from your Checkpoint target
in the main index with sourcetype "opsec".
Lea.conf holds the connection settings between the loggrabber agent and
the Check Point target. The shipped defaults describe an unauthenticated,
clear-text session: the agent does not verify which server it is talking
to, and the firewall logs cross the network readable to anyone on the
path. Use that only for a quick test on a trusted segment; otherwise
switch to sslca authentication, as in the example LEA.conf at the end
of this section. Documentation for configuring the secure channel on
the loggrabber agent's side is in the doc directory. Substantial
configuration is also required on the Check Point side (the OPSEC
application object and rules described above). Consult your Check
Point documentation for that information.
Fw1-loggrabber.conf controls how the log extraction itself behaves.
The shipped defaults are sensible. Do not change LOGGING_CONFIGURATION
from "screen" unless you make matching changes to inputs.conf, which
consumes the records the agent writes to its standard output. Set
SHOW_FIELDNAMES to "yes": each record is then emitted as field=value
pairs, which lets Splunk extract the fields automatically.
To communicate with more than one Checkpoint target create multiple
instances of the bundle in $SPLUNK_HOME/etc/bundles.
Here is an example LEA.conf:
lea_server auth_type sslca
lea_server auth_port 18184
lea_server ip 10.1.1.96
lea_server port 18184
opsec_sic_name "CN=SplunkLEA,O=fwname-06791738..xm3v5d"
opsec_sslca_file /path/to/splunk/etc/bundles/lea-bundle/opsec.p12
#opsec_sic_policy_file "my_sic_policy.conf"
lea_server opsec_entity_sic_name "cn=cp_mgmt,o=fwname-06791738..xm3v5d"
The opsec_entity_sic_name value is the DN of the management server,
shown when you double-click the main Check Point object; opsec_sic_name
is the DN returned for the SplunkLEA object; and opsec_sslca_file is the
path to the opsec.p12 you extracted above with opsec_pull_cert. Both DNs
carry the same O= component, because both certificates are issued by
that management server's internal CA; if they differ, one of the values
was copied from the wrong object. The opsec_sic_policy_file is optional.
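The checks worth running before copying the bundle into $SPLUNK_HOME/etc/bundles, as an added shell example that is not part of the Splunk bundle or of fw1-loggrabber. It reads the LEA.conf keys shown above, fails on the clear-text default, confirms that the CN of opsec_sic_name is the OPSEC object name and that both DNs share the same O= component, and checks that opsec.p12 exists and is not accessible to other local users. The two sample configurations written by write_samples, the scratch directory and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the Splunk LEA bundle or fw1-loggrabber: a
# pre-deployment check for the LEA.conf in a lea-bundle directory.  Key
# names are the ones shown in the example LEA.conf above; the sample
# files written by write_samples are constructed for illustration.

# Print the value of a LEA.conf key (first uncommented match), quotes stripped.
lea_get() {  # $1 = file, $2 = key, e.g. "lea_server auth_type"
    awk -v key="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^#/ { next }
        index(line, key " ") == 1 || index(line, key "\t") == 1 {
            val = substr(line, length(key) + 1)
            sub(/^[ \t]+/, "", val)
            gsub(/^"|"$/, "", val)
            print val; exit
        }' "$1"
}

# Lower-cased O= component of a DN such as "CN=SplunkLEA,O=fwname-06791738..xm3v5d".
dn_org() { printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed -n 's/.*,o=\([^,]*\).*/\1/p'; }

# Lower-cased leading CN= component of a DN.
dn_cn() { printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed -n 's/^cn=\([^,]*\).*/\1/p'; }

# Check one LEA.conf.  $1 = path, $2 = OPSEC application object name
# (default SplunkLEA).  Prints findings; returns 0 only if nothing FAILed.
check_lea_conf() {
    conf=$1; app=${2:-SplunkLEA}; rc=0
    auth_type=$(lea_get "$conf" "lea_server auth_type")
    auth_port=$(lea_get "$conf" "lea_server auth_port")
    sic_name=$(lea_get "$conf" "opsec_sic_name")
    entity=$(lea_get "$conf" "lea_server opsec_entity_sic_name")
    p12=$(lea_get "$conf" "opsec_sslca_file")

    if [ "$auth_type" != "sslca" ]; then
        echo "FAIL: auth_type is '${auth_type:-unset}': session is unauthenticated and in clear"
        rc=1
    fi
    [ -n "$auth_port" ] || { echo "FAIL: lea_server auth_port not set"; rc=1; }
    if [ -z "$sic_name" ] || [ -z "$entity" ]; then
        echo "FAIL: opsec_sic_name and opsec_entity_sic_name must both be set"
        rc=1
    else
        if [ "$(dn_cn "$sic_name")" != "$(printf '%s' "$app" | tr 'A-Z' 'a-z')" ]; then
            echo "FAIL: opsec_sic_name CN does not match OPSEC object '$app'"; rc=1
        fi
        if [ "$(dn_org "$sic_name")" != "$(dn_org "$entity")" ]; then
            echo "FAIL: opsec_sic_name and opsec_entity_sic_name come from different ICAs"; rc=1
        fi
    fi
    if [ ! -f "$p12" ]; then
        echo "FAIL: opsec_sslca_file '$p12' missing: run opsec_pull_cert first"; rc=1
    else
        # columns 8-10 of ls -l are the "other" permission bits
        case $(ls -ld "$p12" | cut -c8-10) in
            *[rwx]*) echo "FAIL: $p12 is accessible to other users; chmod 600 it"; rc=1 ;;
        esac
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: $conf"; fi
    return "$rc"
}

# Constructed samples: the bundle's clear-text default versus an sslca configuration.
write_samples() {  # $1 = scratch directory
    cat > "$1/lea-clear.conf" <<'EOF'
lea_server ip 10.1.1.96
lea_server port 18184
EOF
    cat > "$1/lea-sslca.conf" <<EOF
lea_server auth_type sslca
lea_server auth_port 18184
lea_server ip 10.1.1.96
lea_server port 18184
opsec_sic_name "CN=SplunkLEA,O=fwname-06791738..xm3v5d"
opsec_sslca_file $1/opsec.p12
#opsec_sic_policy_file "my_sic_policy.conf"
lea_server opsec_entity_sic_name "cn=cp_mgmt,o=fwname-06791738..xm3v5d"
EOF
    : > "$1/opsec.p12"          # stand-in for the file opsec_pull_cert writes
    chmod 600 "$1/opsec.p12"
}

if [ "$#" -gt 0 ]; then
    check_lea_conf "$@"
else                            # no arguments: demonstrate on the constructed samples
    tmp=$(mktemp -d)
    write_samples "$tmp"
    check_lea_conf "$tmp/lea-clear.conf" || :
    check_lea_conf "$tmp/lea-sslca.conf"
    rm -rf "$tmp"
fi
```

Saved as, say, check-lea.sh (a hypothetical name), it is run as `sh check-lea.sh lea-bundle/lea.conf SplunkLEA`; an exit status of 0 means no FAIL line was printed. Without arguments it checks the two constructed samples, the clear-text one failing and the sslca one passing.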
This documentation applies to the following versions of Splunk: 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4