The Check Point App for Splunk has replaced the Splunk Add-on for OPSEC LEA for data collection.
Release notes for the Splunk Add-on for Check Point OPSEC LEA
Version 5.0.0 of the Splunk Add-on for Check Point OPSEC LEA was released on October 21, 2019.
About this release
Version 5.0.0 of the Splunk Add-on for Check Point OPSEC LEA is compatible with the following software, CIM versions, and platforms.
|Splunk platform versions||7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x|
|Platforms||Linux (RHEL/CentOS 5.x, 6.x, 7.x) for forwarders; Linux kernel version 2.6.32 or later (x86_64); platform independent for search heads and indexers|
|Vendor Products||Check Point OPSEC LEA R77, R80|
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New and updated features
The following are new features for the Splunk Add-on for Check Point OPSEC LEA version 5.0.0.
- Support for Python 3
Version 5.0.0 of the Splunk Add-on for Check Point OPSEC LEA contains the following fixed issues.
|Date resolved||Issue number||Description|
|2019-09-20||ADDON-23313||Inputs are allowed to be created even when mandatory field "Interval" is empty|
Version 5.0.0 of the Splunk Add-on for Check Point OPSEC LEA has the following known issues.
|Date filed||Issue number||Description|
|2018-09-11||ADDON-19506||New connections fail with "REST API ERROR 400" or "Fatal error: glibc detected an invalid stdio handle" on Linux with a glibc version higher than 2.17-196|
1. Download 
2. Replace the $SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/bin/opsec-tools binaries with the updated versions.
3. After you update the two binaries, you must reset the one-time password.
|2017-03-26||ADDON-14240||The 'product' field is missing in some firewall events related to environment operations (example: logswitch, policy install/uninstall)|
|2017-03-21||ADDON-14201||Several products are not covered in loggrabber product filter logic|
|2017-03-19||ADDON-14171||Server name is not supported as orig filter|
Use an IP address for orig values.
|2017-03-19||ADDON-14170||"Non-Audit" and "Firewall Audit" Events with no products won't be indexed when NOT IN product list is provided|
|2016-09-09||ADDON-11246||SHA1 is not supported|
File a ticket with Splunk support to request version 3.1 of the add-on, which has SHA1 support.
|2016-06-05||ADDON-10038, ADDON-13450||Enabled input will block app upgrade|
Disable this add-on before upgrading, and enable it again after the upgrade is done.
|2016-05-31||ADDON-9779||Error message occurs in log files when TA is installed without a configured connection|
|2016-05-27||ADDON-9728||Conflict "action" field value for eventtype "opsec_audit_authentication" mapped both to CIM: Authentication and Change Analysis|
|2016-05-24||ADDON-9680||Some vendor_action values are not in the lookup table "checkpoint_opsec_actions.csv" for eventtype "opsec_communicate"|
|2015-10-13||ADDON-8017||Numeric value misinterpreted|
Use EVAL to convert bytes-related values to INT_MAX (2147483647) if they are negative.
If you extract the field, the negative value will switch to the positive value.
Third-party software attributions
Version 5.0.0 of the Splunk Add-on for Check Point OPSEC LEA incorporates the following third-party libraries:
This documentation applies to the following versions of Splunk® Supported Add-ons: released