The Check Point App for Splunk has replaced the Splunk Add-on for OPSEC LEA for data collection.
Release notes for the Splunk Add-on for Check Point OPSEC LEA
Version 4.3.1 of the Splunk Add-on for Check Point OPSEC LEA was released on May 9, 2018.
About this release
Version 4.3.1 of the Splunk Add-on for Check Point OPSEC LEA is compatible with the following software, CIM versions, and platforms.
| Requirement | Supported versions |
|---|---|
| Splunk platform versions | 6.5.x, 6.6.x, 7.0.x, 7.1.x, 7.2.x |
| Platforms | Linux (RHEL/CentOS 5.x, 6.x, 7.x) for forwarders; Linux kernel version 2.6.32 or later (x86_64); platform independent for search heads and indexers |
| Vendor products | Check Point OPSEC LEA R77, R80 |
There are no upgrade issues if you are upgrading from version 4.3.0 to 4.3.1.
New and updated features
There are no new features in the Splunk Add-on for Check Point OPSEC LEA version 4.3.1.
Version 4.3.1 of the Splunk Add-on for Check Point OPSEC LEA contains the following fixed issues.
| Date resolved | Issue number | Description |
|---|---|---|
| 2018-05-01 | ADDON-17338 | Unable to forward firewall logs: Check Point OPSEC LEA HF |
| 2018-04-24 | ADDON-17021 | Splunk process starts lea_loggrabber, spawns many processes but does not exit properly, making the system inaccessible. |
Version 4.3.1 of the Splunk Add-on for Check Point OPSEC LEA has the following known issues.
| Date filed | Issue number | Description |
|---|---|---|
| 2018-09-11 | ADDON-19506 | New connections fail with "REST API ERROR 400" or "Fatal error: glibc detected an invalid stdio handle" on Linux with a glibc version higher than 2.17-196.<br>1. Download<br>2. Replace the `$SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/bin/opsec-tools` binaries with the updated versions.<br>3. After you update the two binaries, you must reset the one-time password. |
| 2018-05-14 | ADDON-18066 | 64-bit systems: Unable to establish SIC due to glibc errors.<br>We consider the syslog approach a better strategy than the current OPSEC LEA add-on, given the current limitations of this third-party tool regarding newer versions of RHEL/CentOS. It should be rather straightforward to get the log export utility installed, open the needed ports, and configure the input. We aren't sure if they have normalization ready yet, but we will look into that further. |
| 2017-03-26 | ADDON-14240 | The 'product' field is missing in some firewall events related to environment operations (for example, logswitch, policy install/uninstall). |
| 2017-03-21 | ADDON-14201 | Several products are not covered in the loggrabber product filter logic. |
| 2017-03-19 | ADDON-14171 | Server name is not supported as an orig filter.<br>Use IP addresses for orig values. |
| 2017-03-19 | ADDON-14170 | "Non-Audit" and "Firewall Audit" events with no products won't be indexed when a NOT IN product list is provided. |
| 2016-09-09 | ADDON-11246 | SHA1 is not supported.<br>File a ticket with Splunk support to request version 3.1 of the add-on, which has SHA1 support. |
| 2016-06-05 | ADDON-10038, ADDON-13450 | Enabled input will block app upgrade.<br>Disable this add-on before upgrading and enable it again after the upgrade is done. |
| 2016-05-31 | ADDON-9779 | Error message occurs in log files when the TA is installed without a configured connection. |
| 2016-05-27 | ADDON-9728 | Conflicting "action" field value for eventtype "opsec_audit_authentication", which is mapped to both the CIM Authentication and Change Analysis data models. |
| 2016-05-24 | ADDON-9680 | Some vendor_action values are not in the lookup table "checkpoint_opsec_actions.csv" for eventtype "opsec_communicate". |
| 2015-10-13 | ADDON-8017 | Numeric value misinterpreted.<br>Convert byte-related values that are negative to INT_MAX (2147483647) with an EVAL. If you extract the field, the negative value will switch to the positive value. |
Third-party software attributions
Version 4.3.1 of the Splunk Add-on for Check Point OPSEC LEA incorporates the following third-party libraries: