Splunk® Supported Add-ons

Splunk Add-on for Check Point OPSEC LEA


The Check Point App for Splunk has replaced the Splunk Add-on for OPSEC LEA for data collection.

Release notes for the Splunk Add-on for Check Point OPSEC LEA

Version 4.3.1 of the Splunk Add-on for Check Point OPSEC LEA was released on May 9, 2018.

About this release

Version 4.3.1 of the Splunk Add-on for Check Point OPSEC LEA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions   6.5.x, 6.6.x, 7.0.x, 7.1.x, 7.2.x
CIM                        4.11
Platforms                  Linux (RHEL/CentOS 5.x, 6.x, 7.x) for forwarders; Linux kernel version 2.6.32 or later (x86_64); platform independent for search heads and indexers
Vendor products            Check Point OPSEC LEA R77, R80

Upgrade instructions

There are no upgrade issues if you are upgrading from version 4.3.0 to 4.3.1.

New and updated features

There are no new features in the Splunk Add-on for Check Point OPSEC LEA version 4.3.1.

Fixed issues

Version 4.3.1 of the Splunk Add-on for Check Point OPSEC LEA contains the following fixed issues.

Date resolved   Issue number   Description
2018-05-01      ADDON-17338    Unable to forward firewall logs with Check Point OPSEC LEA HF.
2018-04-24      ADDON-17021    The Splunk process starts lea_loggrabber, which spawns many processes but does not exit properly, making the system inaccessible.

Known issues

Version 4.3.1 of the Splunk Add-on for Check Point OPSEC LEA has the following known issues.

Date filed   Issue number   Description
2018-09-11   ADDON-19506    New connections fail with "REST API ERROR 400" or "Fatal error: glibc detected an invalid stdio handle" on Linux with a glibc version higher than 2.17-196.
             Workaround:
             1. Download [1]
             2. Replace the $SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/bin/opsec-tools binaries with the updated versions.
             3. After you update the two binaries, you must reset the one-time password.
2018-05-14   ADDON-18066    64-bit systems: unable to establish SIC due to glibc errors.
             We consider the syslog approach a better strategy than the current OPSEC LEA add-on given the current limitations of this third-party tool regarding newer versions of RHEL/CentOS. It should be rather straightforward to get the log export utility installed, open the needed ports and configure the input. We aren't sure if they have normalization ready yet, but we will look into that further.
2017-03-26   ADDON-14240    The 'product' field is missing in some firewall events related to environment operations (for example: logswitch, policy install/uninstall).
2017-03-21   ADDON-14201    Several products are not covered by the loggrabber product filter logic.
2017-03-19   ADDON-14171    A server name is not supported as an orig filter.
             Workaround: Use the IP address for orig values.
2017-03-19   ADDON-14170    "Non-Audit" and "Firewall Audit" events with no product are not indexed when a NOT IN product list is provided.
2016-09-09   ADDON-11246    SHA1 is not supported.
             Workaround: File a ticket with Splunk support to request version 3.1 of the add-on, which has SHA1 support.
2016-06-05   ADDON-10038, ADDON-13450    An enabled input blocks the app upgrade.
             Workaround: Disable this add-on before upgrading and enable it again after the upgrade is done.
2016-05-31   ADDON-9779     An error message occurs in the log files when the TA is installed without a configured connection.
2016-05-27   ADDON-9728     Conflicting "action" field value for eventtype "opsec_audit_authentication", which is mapped to both CIM Authentication and Change Analysis.
2016-05-24   ADDON-9680     Some vendor_action values are not in the lookup table "checkpoint_opsec_actions.csv" for eventtype "opsec_communicate".
2015-10-13   ADDON-8017     Numeric value misinterpreted.
             Workaround: Use an EVAL to convert bytes-related values to INT_MAX (2147483647) if they are negative.
             If you extract the field, the negative value will switch to the positive value.
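The ADDON-8017 workaround written out as search-time calculated fields in a local props.conf is shown below. This is an added example, not configuration shipped with the add-on: the stanza name "opsec" and the field names bytes, bytes_in and bytes_out are assumptions (the page names neither the sourcetype nor the affected fields), so adjust them to match your deployment. The tonumber() guard means non-numeric or missing values are passed through unchanged, so the clamp only fires on a genuinely negative number.

```ini
# Added example for the ADDON-8017 workaround (not the add-on's own config).
# Put this in $SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/local/props.conf;
# local/ is preserved across add-on upgrades, default/ is overwritten.
# ASSUMPTION: stanza name "opsec" and the field names below are placeholders;
# replace them with the sourcetype and byte-count fields your input actually produces.
[opsec]
# A negative byte count is a misinterpreted value, never real traffic.
# Clamp it to INT_MAX (2147483647) so sums and thresholds over CIM
# Network Traffic fields are not skewed by negative numbers.
# tonumber() returns null for non-numeric input, null < 0 is false,
# so the original value is kept whenever it is not a negative number.
EVAL-bytes     = if(tonumber(bytes) < 0, 2147483647, bytes)
EVAL-bytes_in  = if(tonumber(bytes_in) < 0, 2147483647, bytes_in)
EVAL-bytes_out = if(tonumber(bytes_out) < 0, 2147483647, bytes_out)
```

Before committing the stanza, you can try the same expression inline on a search over the affected sourcetype (for example, `| eval bytes=if(tonumber(bytes) < 0, 2147483647, bytes)`) and confirm that only the negative values change.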

Third-party software attributions

Version 4.3.1 of the Splunk Add-on for Check Point OPSEC LEA incorporates the following third-party libraries:

