Splunk® Supported Add-ons

Splunk Add-on for Check Point OPSEC LEA

Release history for the Splunk Add-on for Check Point OPSEC LEA

Latest release

The latest version of the Splunk Add-on for Check Point OPSEC LEA is version 5.0.0. See Release notes for the Splunk Add-on for Check Point OPSEC LEA for the release notes of this latest version.

Version 4.3.1

Version 4.3.1 of the Splunk Add-on for Check Point OPSEC LEA was released on May 9, 2018.

About this release

Version 4.3.1 of the Splunk Add-on for Check Point OPSEC LEA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 6.5.x, 6.6.x, 7.0.x, 7.1.x, 7.2.x
CIM: 4.11
Platforms: Linux (RHEL/CentOS 5.x, 6.x, 7.x) with Linux kernel version 2.6.32 or later (x86_64) for forwarders; platform independent for search heads and indexers
Vendor Products: Check Point OPSEC LEA R77, R80

Upgrade instructions

There are no upgrade issues if you are upgrading from version 4.3.0 to 4.3.1.

New and updated features

There are no new features in the Splunk Add-on for Check Point OPSEC LEA version 4.3.1.

Fixed issues

Version 4.3.1 of the Splunk Add-on for Check Point OPSEC LEA contains the following fixed issues.

Date resolved Issue number Description
2018-05-01 ADDON-17338 Unable to Forward Firewall Logs Check Point OPSEC LEA HF
2018-04-24 ADDON-17021 Splunk process starts lea_loggrabber, spawns many processes but does not exit properly, making the system inaccessible.

Known issues

Version 4.3.1 of the Splunk Add-on for Check Point OPSEC LEA has the following known issues.

Date filed Issue number Description
2019-09-16 ADDON-23313 Inputs are allowed to be created even when mandatory field "Interval" is empty
2018-09-11 ADDON-19506 New connections fail with "REST API ERROR 400" or "Fatal error: glibc detected an invalid stdio handle" on Linux with a glibc version higher than 2.17-196

Workaround:
1. Download [1]
2. Replace the $SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/bin/opsec-tools binaries with the updated versions.
3. After you update the two binaries, you must reset the one-time password.

2018-05-14 ADDON-18066 64-bit systems: Unable to establish SIC due to glibc errors

Workaround:
We consider the syslog approach a better strategy than the current OPSEC LEA add-on, given the current limitations of this third-party tool regarding newer versions of RHEL/CentOS. It should be fairly straightforward to install the log export utility, open the needed ports, and configure the input. We are not sure whether normalization is ready for it yet, but we will look into that further.
2017-03-26 ADDON-14240 The 'product' field is missing in some firewall events related to environment operations (example: logswitch, policy install/uninstall)
2017-03-21 ADDON-14201 Several products are not covered in loggrabber product filter logic
2017-03-19 ADDON-14171 Server name is not supported as orig filter

Workaround:
Use the IP address for orig values.
2017-03-19 ADDON-14170 "Non-Audit" and "Firewall Audit" Events with no products won't be indexed when NOT IN product list is provided
2016-09-09 ADDON-11246 SHA1 is not supported

Workaround:
File a ticket with Splunk support to request version 3.1 of the add-on, which has SHA1 support.
2016-06-05 ADDON-10038, ADDON-13450 Enabled input will block app upgrade

Workaround:
Disable this add-on before upgrading and enable it again after the upgrade is done.
2016-05-31 ADDON-9779 Error message occurs in log files when TA is installed without a configured connection
2016-05-27 ADDON-9728 Conflict "action" field value for eventtype "opsec_audit_authentication" mapped both to CIM: Authentication and Change Analysis
2016-05-24 ADDON-9680 Some vendor_action values are not in the lookup table "checkpoint_opsec_actions.csv" for eventtype "opsec_communicate"
2015-10-13 ADDON-8017 Numeric value misinterpreted

Workaround:
Use EVAL to convert bytes-related values to INT_MAX (2147483647) when they are negative.

If you extract the field, the negative value will switch to the positive value.

Third-party software attributions

Version 4.3.1 of the Splunk Add-on for Check Point OPSEC LEA incorporates the following third-party libraries:

Version 4.3.0

Version 4.3.0 of the Splunk Add-on for Check Point OPSEC LEA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 6.5 or later
CIM: 4.4 or later
Platforms: Linux (RHEL/CentOS 5.x, 6.x, 7.x) for forwarders; platform independent for search heads and indexers
Vendor Products: Check Point OPSEC LEA R77, R80

Upgrade instructions

If you are upgrading the Splunk Add-on for Check Point OPSEC LEA from 4.2.0 to 4.3.0, you will need to do one of the following.

Configure the Splunk Add-on for Check Point OPSEC LEA in the UI

If you configured the Splunk Add-on for Check Point OPSEC LEA through the UI and already excluded fields, there are no upgrade issues from version 4.2.0 to 4.3.0.

If you have configured the Splunk Add-on for Check Point OPSEC LEA through the UI without excluding fields, you may see additional fields in your events. To remove those fields, do the following steps.

  1. Navigate to the Inputs page in the Splunk Add-on for Check Point OPSEC LEA.
  2. Select the Data input you would like to edit.
  3. Clear the Fetch all fields option and in the selection boxes that appear beneath the option, move unwanted fields from the Selected fields box to the Excluded fields box.
  4. Click Update.

Configure the Splunk Add-on for Check Point OPSEC LEA with the configuration files

Make the following changes to your input stanzas to upgrade from version 4.2.0 to 4.3.0.

  1. Modify the configuration to remove the fields property (the list of fields to treat as a whitelist).
  2. Add the new field_black_list property in each stanza with the list of fields that should be blacklisted.
    • For example, if you would like to blacklist the sent_bytes and short_desc fields, update the stanza to replace the fields line with:

      [<input-name>]
      field_black_list = sent_bytes,short_desc

For an example, see Create an input in the Configure inputs topic.
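The two-step migration above inverts the meaning of the field list: a 4.2.0 fields whitelist says what to keep, while a 4.3.0 field_black_list says what to drop, so a mechanical rewrite needs the full set of field names your events actually carry. The script below is an added example, not part of the add-on or its documentation; the stanza text, the stanza keys other than fields and field_black_list, and the OBSERVED_FIELDS set are constructed sample data, and the field universe must be supplied by the operator from their own data.

```python
"""Convert 4.2.0-style ``fields`` whitelists into 4.3.0 ``field_black_list`` lines.

Added example for the Splunk Add-on for Check Point OPSEC LEA upgrade notes.
Only ``fields`` and ``field_black_list`` are keys taken from the documentation;
everything else here is constructed sample data.
"""
import re
from typing import Dict, Iterable, List

# Constructed sample: field names observed in this deployment's Check Point
# events. The add-on does not publish a master field list, so the operator has
# to derive this set from their own indexed data before migrating.
OBSERVED_FIELDS = frozenset({
    "time", "orig", "product", "action", "src", "dst", "proto",
    "service", "s_port", "rule", "sent_bytes", "received_bytes",
    "short_desc", "message_info",
})

# Constructed 4.2.0-style stanzas; keys other than ``fields`` are placeholders.
SAMPLE_CONF_4_2_0 = """\
[opsec_fw_primary]
connection = mgmt01
log_type = non_audit
fields = time,orig,product,action,src,dst,service,s_port

[opsec_fw_audit]
connection = mgmt01
log_type = audit
"""

_STANZA = re.compile(r"^\[(.+)\]\s*$")
_KEY = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")


def split_csv(value: str) -> List[str]:
    """Split a comma-separated conf value, dropping blanks and padding."""
    return [f.strip() for f in value.split(",") if f.strip()]


def whitelist_to_blacklist(whitelist: Iterable[str], universe: Iterable[str]) -> List[str]:
    """Return the fields in ``universe`` that the whitelist did NOT keep, sorted.

    A whitelisted field that was never observed is treated as an error: it
    usually means a typo in the old stanza, and silently ignoring it would
    change what gets indexed after the upgrade.
    """
    wanted, known = set(whitelist), set(universe)
    unknown = wanted - known
    if unknown:
        raise ValueError(f"whitelisted fields never observed: {sorted(unknown)}")
    return sorted(known - wanted)


def migrate_conf(text: str, universe: Iterable[str]) -> str:
    """Rewrite every ``fields`` line as the equivalent ``field_black_list`` line.

    Stanzas without a ``fields`` line are left untouched: with no blacklist
    they index every field, which is the 4.3.0 default-allow behaviour.
    """
    out: List[str] = []
    for line in text.splitlines():
        m = _KEY.match(line)
        if m and m.group(1) == "fields":
            blacklist = whitelist_to_blacklist(split_csv(m.group(2)), universe)
            out.append("field_black_list = " + ",".join(blacklist))
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def parse_stanzas(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal Splunk .conf reader (stanza -> key -> value) for verifying results."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _STANZA.match(line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
            continue
        m = _KEY.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
    return stanzas


if __name__ == "__main__":
    print(migrate_conf(SAMPLE_CONF_4_2_0, OBSERVED_FIELDS))
```

Because a blacklist is default-allow, any field that first appears in the data after the migration is indexed; rerun the conversion against an updated field set if that is not wanted.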

New and updated features

Version 4.3.0 of the Splunk Add-on for Check Point OPSEC LEA contains the following new features:

  • Upgraded the lea_loggrabber utility from 1.11.1 to 2.1.
  • Added support for the sslca_clear authentication type for data collection.

Fixed issues

Version 4.3.0 of the Splunk Add-on for Check Point OPSEC LEA contains the following fixed issues.


Known issues

Version 4.3.0 of the Splunk Add-on for Check Point OPSEC LEA has the following known issues.

Date filed Issue number Description
2018-09-11 ADDON-19506 New connections fail with "REST API ERROR 400" or "Fatal error: glibc detected an invalid stdio handle" on Linux with a glibc version higher than 2.17-196

Workaround:
1. Download [2]
2. Replace the $SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/bin/opsec-tools binaries with the updated versions.
3. After you update the two binaries, you must reset the one-time password.

2018-03-06 ADDON-17338 Unable to Forward Firewall Logs Check Point OPSEC LEA HF

Workaround:
The temporary workaround was to restart the forwarder every hour. This NO LONGER works.
2018-02-11 ADDON-17021 Splunk process starts lea_loggrabber, spawns many processes but does not exit properly, making the system inaccessible.

Workaround:
Reboot the system.
2017-03-26 ADDON-14240 The 'product' field is missing in some firewall events related to environment operations (example: logswitch, policy install/uninstall)
2017-03-21 ADDON-14201 Several products are not covered in loggrabber product filter logic
2017-03-19 ADDON-14171 Server name is not supported as orig filter

Workaround:
Use the IP address for orig values.
2017-03-19 ADDON-14170 "Non-Audit" and "Firewall Audit" Events with no products won't be indexed when NOT IN product list is provided
2016-09-09 ADDON-11246 SHA1 is not supported

Workaround:
File a ticket with Splunk support to request version 3.1 of the add-on, which has SHA1 support.
2016-06-05 ADDON-10038, ADDON-13450 Enabled input will block app upgrade

Workaround:
Disable this add-on before upgrading and enable it again after the upgrade is done.
2016-05-31 ADDON-9779 Error message occurs in log files when TA is installed without a configured connection
2016-05-27 ADDON-9728 Conflict "action" field value for eventtype "opsec_audit_authentication" mapped both to CIM: Authentication and Change Analysis
2016-05-24 ADDON-9680 Some vendor_action values are not in the lookup table "checkpoint_opsec_actions.csv" for eventtype "opsec_communicate"
2015-10-13 ADDON-8017 Numeric value misinterpreted

Workaround:
Use EVAL to convert bytes-related values to INT_MAX (2147483647) when they are negative.

If you extract the field, the negative value will switch to the positive value.

Third-party software attributions

Version 4.3.0 of the Splunk Add-on for Check Point OPSEC LEA incorporates the following third-party libraries:

Version 4.2.0

Version 4.2.0 of the Splunk Add-on for Check Point OPSEC LEA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 6.4 or later
CIM: 4.4 or later
Platforms: Linux (RHEL/CentOS 5.x, 6.x, 7.x) for forwarders; platform independent for search heads and indexers
Vendor Products: Check Point OPSEC LEA R76, R77, R80

Upgrade instructions

There are no upgrade issues if you are upgrading from version 4.1.0 to 4.2.0.

New and updated features

Version 4.2.0 of the Splunk Add-on for Check Point OPSEC LEA lets you reduce indexed data volume by configuring the following new settings when creating inputs:

  • Specify only the log fields you want to collect
  • Filter events by the common log fields product and orig

Fixed issues

Version 4.2.0 of the Splunk Add-on for Check Point OPSEC LEA contains the following fixed issues.

Date resolved Issue number Description
2017-03-31 ADDON-14305 'dest', 'dvc_nt_host' field for eventtype "opsec_audit" is wrong
2017-03-30 ADDON-13253 value of field "dest", "src" in sourcetype "opsec:anti_virus" and "opsec:anti_malware" should be exchanged
2017-03-27 ADDON-12657 OPSEC Add-on calculated field does not include 'icmp' values for 'transport' field
2017-03-24 ADDON-14221 Data channel select and timestamp setting can not work at the same time
2017-03-22 ADDON-13276 Unable to collect data on search head
2017-03-20 ADDON-14168 Splunk start error message after connection is configured
2017-03-20 ADDON-14089, ADDON-11454 Input cannot work and be displayed when input number exceeds 30

Known issues

Version 4.2.0 of the Splunk Add-on for Check Point OPSEC LEA has the following known issues.

Date filed Issue number Description
2018-09-11 ADDON-19506 New connections fail with "REST API ERROR 400" or "Fatal error: glibc detected an invalid stdio handle" on Linux with a glibc version higher than 2.17-196

Workaround:
1. Download [3]
2. Replace the $SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/bin/opsec-tools binaries with the updated versions.
3. After you update the two binaries, you must reset the one-time password.

2018-01-08 ADDON-16520 Excluded field still showing up in a left side panel
2017-06-29 ADDON-15195, ADDON-16372 OPSEC App with hyphen in the name breaks integration
2017-03-26 ADDON-14240 The 'product' field is missing in some firewall events related to environment operations (example: logswitch, policy install/uninstall)
2017-03-21 ADDON-14201 Several products are not covered in loggrabber product filter logic
2017-03-19 ADDON-14171 Server name is not supported as orig filter

Workaround:
Use the IP address for orig values.
2017-03-19 ADDON-14170 "Non-Audit" and "Firewall Audit" Events with no products won't be indexed when NOT IN product list is provided
2017-01-30 ADDON-13450, ADDON-10038 Enabled input will block app upgrade

Workaround:
Disable the add-on before upgrading, then enable it again after the upgrade is done.
2016-12-27 ADDON-12958 Corrupted checkpoints breaks ingestion

Workaround:
- Connect to the Splunk Web GUI for the opsec-lea inputs.
- Disable the old inputs that are stuck.
- Create new inputs, with new names but the same configuration as the disabled ones, and make sure that the mode is offline (preferred option).
- Save the new inputs and then restart Splunk.

2016-09-09 ADDON-11246 SHA1 is not supported

Workaround:
File a ticket with Splunk support to request version 3.1 of the add-on, which has SHA1 support.
2016-05-31 ADDON-9779 Error message occurs in log files when TA is installed without a configured connection
2016-05-27 ADDON-9728 Conflict "action" field value for eventtype "opsec_audit_authentication" mapped both to CIM: Authentication and Change Analysis
2016-05-24 ADDON-9680 Some vendor_action values are not in the lookup table "checkpoint_opsec_actions.csv" for eventtype "opsec_communicate"
2015-10-13 ADDON-8017 Numeric value misinterpreted

Workaround:
Use EVAL to convert bytes-related values to INT_MAX (2147483647) when they are negative.

If you extract the field, the negative value will switch to the positive value.

Third-party software attributions

Version 4.2.0 of the Splunk Add-on for Check Point OPSEC LEA incorporates the following third-party libraries:

Version 4.1.0

Version 4.1.0 of the Splunk Add-on for Check Point OPSEC LEA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 6.3 or later
CIM: 4.4 or later
Platforms: Linux (RHEL/CentOS 5.x, 6.x, 7.x) for forwarders; platform independent for search heads and indexers
Vendor Products: Check Point OPSEC LEA R76, R77, R80

Upgrade instructions

There are no upgrade issues if you are upgrading from version 4.0.0 to 4.1.0.

New and updated features

Version 4.1.0 of the Splunk Add-on for Check Point OPSEC LEA has the following new features.

Date Issue number Description
2016-09-23 ADDON-11399 Updated configuration UI and opseclea_connection.conf to support SIC certificate sharing or reuse among multiple connections.
2016-09-19 ADDON-10799, ADDON-9688 Added support for Splunk platform 6.5.0

Fixed issues

Version 4.1.0 of the Splunk Add-on for Check Point OPSEC LEA contains the following fixed issues.

Date Issue number Description
2016-09-21 ADDON-11401 Failed to ingest non-utf8 data

Known issues

Version 4.1.0 of the Splunk Add-on for Check Point OPSEC LEA has the following known issues.

Date Issue number Description
2016-09-09 ADDON-11246 SHA1 is not supported. Workaround: File a ticket with Splunk support to request version 3.1 of the add-on, which has SHA1 support.
2016-06-02 ADDON-10011 /SPL-122152 If a forwarder is stopped while collecting data from OPSEC LEA, events can be lost, particularly if the inputs use online mode. Workaround: If you need to stop a forwarder for any reason, first disable the Splunk Add-on for Check Point OPSEC LEA, since it might be collecting data, and wait for 10 seconds before stopping the forwarder.
2016-06-01 ADDON-9779 Error messages, including "Failed to send rest request", occur in log files after the add-on has been installed when no connection is configured. When Splunk is shutting down, the REST service may be terminated before the modular input, so the REST call initiated by the modular input will return an error.
2016-05-27 ADDON-9728 Event type "opsec_audit_authentication" mapped to both Authentication and Change Analysis CIM models resulting in conflicting "action" field value.
2016-05-24 ADDON-9680 Some vendor_action values are not in lookup table checkpoint_opsec_actions.csv for event type "opsec_communicate".
2015-10-13 ADDON-8017 Due to an OPSEC SDK limitation, some bytes values are beyond the range of the integer type. To work around this issue, bytes related values (e.g., bytes, send_bytes, client_inbound_bytes) that have a negative value as a result of EVAL will be converted to INT_MAX (2147483647) at search time.
2015-08-17 OPSEC-398 /ADDON-8053 When FIPs is enabled in a distributed Splunk Enterprise environment, the Manage Connections page cannot be accessed on the search head, even after restarting the Splunk platform.
2015-05-13 OPSEC-333 /ADDON-8012 lea_loggrabber does not support the --nofieldnames option. This limits firewall log data ingestion to key value pairs and prevents log data ingestion from CSV files.

Third-party software attributions

Version 4.1.0 of the Splunk Add-on for Check Point OPSEC LEA incorporates the following third-party libraries:

Version 4.0.0

Version 4.0.0 of the Splunk Add-on for Check Point OPSEC LEA was released on June 20, 2016. Version 4.0.0 of the Splunk Add-on for Check Point OPSEC LEA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 6.3 or later
CIM: 4.4 or later
Platforms: Linux (RHEL/CentOS 5.x, 6.x, 7.x) for forwarders; platform independent for search heads and indexers
Vendor Products: Check Point OPSEC LEA R76, R77, R80

Migration guide

The Splunk Add-on for Check Point OPSEC LEA 4.0.0 replaces the Splunk Add-on for Check Point OPSEC LEA 3.1.0.

Some features of the Splunk Add-on for Check Point OPSEC LEA 3.1.0 are not available in this add-on:

  • Support for Solaris has been removed.
  • Support for remote connections has been removed.
  • Support for OPSEC versions without vendor support has been removed.
  • The fw1-loggrabber.conf file has been removed as direct configuration of lea_loggrabber is no longer supported.


The add-on folder name of the Splunk Add-on for Check Point OPSEC LEA 4.0.0 is different from that of previous versions, so installing version 4.0.0 will not overwrite a previous version. You cannot upgrade from a previous version of the add-on. You must remove the previous version of the add-on before installing the new version.

All events indexed by previous versions are supported by this version. However, configurations in previous versions are not transferable to the new version. You must recreate your configurations in the Splunk Add-on for Check Point OPSEC LEA 4.0.0 using either the GUI or the configuration files.

You can choose to re-use the certificate files you used to connect to your OPSEC LEA servers in a previous version of the add-on if you create connections in the .conf file or you can pull the certificates again. If you pull the certificates again you will need to perform reconfiguration in OPSEC LEA.

To prevent duplicate events from being indexed, use the Start Time field when configuring the input using Splunk Web or in the .conf files.

New and removed features

Version 4.0.0 of the Splunk Add-on for Check Point OPSEC LEA has the following new features. Some features from the previous release have also been removed in this release.

Date Issue number Description
2016-05-20 ADDON-8448 Rebuild the Splunk Add-on for Check Point OPSEC LEA to bring it into line with current standards for Splunk-built add-ons, including standardizing logging and updating the UI, and add support for the 64-bit/SHA2 opsec_pull_cert utility.
2016-05-05 ADDON-8447 Add support for R80.
2016-06-01 ADDON-8462 Add prebuilt panels.
2016-05-06 ADDON-8594 Support .conf file based configuration.
2016-05-09 ADDON-8029 Remove support for Solaris.
2016-05-05 ADDON-8588 Remove support for remote connections.
2016-05-05 ADDON-8446 Remove support for OPSEC versions without vendor support.
2016-06-02 ADDON-8992 Remove support for direct configuration of lea_loggrabber. fw1-loggrabber.conf has been removed.

Fixed issues

Version 4.0.0 of the Splunk Add-on for Check Point OPSEC LEA fixes the following issues.

Date Issue number Description
2016-05-20 ADDON-8448 Splunk Add-on for Check Point OPSEC LEA does not support the 6.4 release of the Splunk platform. The add-on requires version 6.3.
2016-05-05 ADDON-8447 Splunk Add-on for Check Point OPSEC LEA does not support the R80 release of Check Point. The add-on requires 77.3 or earlier.
2016-05-08 ADDON-8275 Splunk Add-on for Check Point OPSEC LEA does not support the SHA256 certificate. The add-on requires the SHA1 certificate.
2016-05-31 ADDON-9743 Incorrect "action" field value for event type "opsec_audit_authentication" mapped to Authentication CIM model.
2016-05-31 ADDON-9736 Incorrect "action" value for event type "opsec_audit_change".
2016-05-30 ADDON-8428 Performance issues in Splunk Enterprise Security related to tag expansions.
2016-05-30 ADDON-9742 Incorrect "change_type" value for event type "opsec_audit".
2016-05-30 ADDON-9737 Update "action" value for event type "opsec_communicate" from "blocked" to "dropped".
2016-05-30 ADDON-9729 Update event type "opsec_audit_authentication" definition to search = sourcetype=opsec:audit (Operation="Log In" OR Operation="Log Out" OR Operation="Force Log Out").
2016-05-30 ADDON-9660 Wrong "transport" field value for event type "opsec_communicate".
2016-05-26 ADDON-9661 Use "rule_id" instead of "rule" when it is an integer.
2016-05-25 ADDON-9681 Source type "opsec:vpn" is not in lookup table "checkpoint_vendor_info.csv".
2016-05-25 ADDON-9674 Some "te_action" values are not in lookup table for source type "opsec:smartdefense".
2016-05-25 ADDON-9664 Some "src_port" field values are not integers.
2016-05-25 ADDON-9658 "service" is not always a port value in source types "opsec" and "opsec:vpn".
2016-05-24 ADDON-9659 "dvc_ip" should be IP address.
2016-05-24 ADDON-9656 Add "db_tag_for_opsec" stanza to other source types.
2016-05-23 ADDON-9599 Some fields with ':' in the value are not extracted by DELIMS.
2016-05-23 ADDON-9597 Wrong "host" field value. The host value is the Splunk instance hostname instead of the physical device.
2016-05-18 ADDON-9420 The "src" field is overwritten by the "origin" field.
2016-05-18 ADDON-8018 Action values "drop" and "accept" are incorrect values for Network Traffic data in the CIM.

2016-05-09 ADDON-8019 Informational message should appear when no certificates are available.
2016-05-08 ADDON-8275 OPSEC LEA fails to connect after changing certificate to SHA256.
2016-05-06 ADDON-8198 Include spec files to describe the configuration options offered.
2016-05-06 ADDON-8020 Checkpoint add-on does not alias "src" and "dest zones".
2016-05-05 OPSEC-402 /ADDON-8014 Making the Splunk Add-on for Check Point OPSEC LEA global can cause namespace conflicts with other apps and add-ons. On forwarders, use local to prevent conflict. On search heads, keep the add-on global to enable knowledge sharing, but disable the UI.
2014-04-07 OPSEC-208 /ADDON-8044 When migrating from 2.0.x, enabling Online mode immediately after upgrade might cause gaps in your data. This occurs because online mode collects new incoming logs only. It does not perform log look back. Therefore any data stored during the upgrade process will not be pulled into Splunk. We recommend that you do not enable online mode until after all log data generated during the upgrade period is indexed. This can also affect users who are editing connections while online mode is enabled. In the period between when the new configuration is reloaded and a new watchdog is started, some logs may be dropped. Note that this behavior can also occur when moving online connections.

Known issues

Version 4.0.0 of the Splunk Add-on for Check Point OPSEC LEA has the following known issues.

Date Issue number Description
2016-09-09 ADDON-11246 SHA1 is not supported. Workaround: File a ticket with Splunk support to request version 3.1 of the add-on, which has SHA1 support.
2016-07-12 ADDON-10514 Authentication fails on dedicated server. Workaround:

1. Create a single object in SmartDashboard for the LEA connection and initialize SIC with a one-time password.
2. In Splunk UI, go to the OPSEC add-on and create a connection to the primary management server, using the one-time password to initialize the connection, and store the certificate file.
3. Change to the local directory of the OPSEC add-on.
4. Open the opsec_connection.conf file, make a copy of the working stanza and give it a new name.
5. Change the IP address to the IP of the dedicated server, set lea_server_type=dedicated, and change the first section of the opsec_entity_sic_name field (CN name) to the name of the OPSEC LEA connection object.
6. Restart Splunk.
7. Go back into the configuration UI for this add-on and create an input for that connection.

2016-06-02 ADDON-10011 /SPL-122152 If a forwarder is stopped while collecting data from OPSEC LEA, events can be lost, particularly if the inputs use online mode. Workaround: If you need to stop a forwarder for any reason, first disable the Splunk Add-on for Check Point OPSEC LEA, since it might be collecting data, and wait for 10 seconds before stopping the forwarder.
2016-06-01 ADDON-9779 Error messages, including "Failed to send rest request", occur in log files after the add-on has been installed when no connection is configured. When Splunk is shutting down, the REST service may be terminated before the modular input, so the REST call initiated by the modular input will return an error.
2016-05-30 ADDON-9758 You may not see the latest events when searching the index for data gathered by inputs that use online mode. When using online mode, the add-on caches the fetched events in memory until the buffer is full. There can be latency if there are not enough new incoming events from Check Point, as the last events will be held in the buffer until enough new ones come in. However, the data is not lost.
2016-05-30 ADDON-9756 The data input page for the Splunk Add-on for Check Point OPSEC LEA should be disabled or hidden. You cannot configure inputs using the Settings > Data inputs > Splunk Add-on for Check Point OPSEC LEA page. You must use the add-on configuration page accessed by selecting Splunk Add-on for Check Point OPSEC LEA in the left side menu or by selecting Apps > Launch app next to Splunk Add-on for Check Point OPSEC LEA.
2016-05-27 ADDON-9728 Event type "opsec_audit_authentication" mapped to both Authentication and Change Analysis CIM models resulting in conflicting "action" field value.
2016-05-24 ADDON-9680 Some vendor_action values are not in lookup table checkpoint_opsec_actions.csv for event type "opsec_communicate".
2016-05-23 ADDON-9634 Errors about pam.i686 when pam.x86_64 is already installed on Linux 64-bit machine. See the workaround in the Troubleshooting section.
2015-10-13 ADDON-8017 Due to an OPSEC SDK limitation, some bytes values are beyond the range of the integer type. To work around this issue, bytes related values (e.g., bytes, send_bytes, client_inbound_bytes) that have a negative value as a result of EVAL will be converted to INT_MAX (2147483647) at search time.
2015-08-17 OPSEC-398 /ADDON-8053 When FIPS is enabled in a distributed Splunk Enterprise environment, the Manage Connections page cannot be accessed on the search head, even after restarting the Splunk platform.
2015-05-13 OPSEC-333 /ADDON-8012 lea_loggrabber does not support the --nofieldnames option. This limits firewall log data ingestion to key value pairs and prevents log data ingestion from CSV files.
2014-03-18 OPSEC-198 In Check Point version R77.10, Log Server stops forwarding logs to LEA clients. This occurs when switching the active log to a new one (log switch) and the Log Server does not notify the LEA client about the new log file. Fix: Install the hotfix on the Check Point Multi-Domain Security Management Server/Log Server machine.

Third-party software attributions

Version 4.0.0 of the Splunk Add-on for Check Point OPSEC LEA incorporates the following third-party libraries:
