Splunk® Supported Add-ons

Splunk Add-on for Check Point OPSEC LEA


The Check Point App for Splunk has replaced the Splunk Add-on for OPSEC LEA for data collection.

Release notes for the Splunk Add-on for Check Point OPSEC LEA

Version 5.0.0 of the Splunk Add-on for Check Point OPSEC LEA was released on October 21, 2019.

About this release

Version 5.0.0 of the Splunk Add-on for Check Point OPSEC LEA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x
CIM: 4.11
Platforms: Linux (RHEL/CentOS 5.x, 6.x, 7.x) for forwarders; Linux kernel version 2.6.32 or later (x86_64); platform independent for search heads and indexers
Vendor products: Check Point OPSEC LEA R77, R80

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New and updated features

The following are new features for the Splunk Add-on for Check Point OPSEC LEA version 5.0.0.

  • Support for Python 3

Fixed issues

Version 5.0.0 of the Splunk Add-on for Check Point OPSEC LEA contains the following fixed issues.


ADDON-23313 (resolved 2019-09-20): Inputs can be created even when the mandatory "Interval" field is empty.

Known issues

Version 5.0.0 of the Splunk Add-on for Check Point OPSEC LEA has the following known issues.


ADDON-19506 (filed 2018-09-11): New connections fail with "REST API ERROR 400" or "Fatal error: glibc detected an invalid stdio handle" on Linux with a glibc version higher than 2.17-196.

  Workaround:
  1. Download [1]
  2. Replace the $SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/bin/opsec-tools binaries with the updated versions.
  3. After you update the two binaries, you must reset the one-time password.

ADDON-14240 (filed 2017-03-26): The 'product' field is missing in some firewall events related to environment operations (for example, logswitch and policy install/uninstall).

ADDON-14201 (filed 2017-03-21): Several products are not covered by the loggrabber product filter logic.

ADDON-14171 (filed 2017-03-19): A server name is not supported as an orig filter.

  Workaround:
  Use the IP address for orig values.

ADDON-14170 (filed 2017-03-19): "Non-Audit" and "Firewall Audit" events with no products are not indexed when a NOT IN product list is provided.

ADDON-11246 (filed 2016-09-09): SHA1 is not supported.

  Workaround:
  File a ticket with Splunk support to request version 3.1 of the add-on, which has SHA1 support.

ADDON-10038, ADDON-13450 (filed 2016-06-05): An enabled input blocks the app upgrade.

  Workaround:
  Disable this add-on before upgrading and enable it again after the upgrade is done.

ADDON-9779 (filed 2016-05-31): An error message occurs in the log files when the TA is installed without a configured connection.

ADDON-9728 (filed 2016-05-27): Conflicting "action" field values for eventtype "opsec_audit_authentication", which is mapped to both the CIM Authentication and Change Analysis data models.

ADDON-9680 (filed 2016-05-24): Some vendor_action values are not in the lookup table "checkpoint_opsec_actions.csv" for eventtype "opsec_communicate".

ADDON-8017 (filed 2015-10-13): Numeric value misinterpreted.

  Workaround:
  Convert bytes-related values to INT_MAX (2147483647) with an EVAL if they are negative.

  If you extract the field, the negative value switches to the positive value.
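As an added illustration of the ADDON-8017 workaround (example search written for this page, not code from the original page or from the add-on), the following SPL applies the INT_MAX substitution to the CIM byte-count fields in one pass and counts how many events were affected. The sourcetype filter `sourcetype=opsec*` and the field names bytes, bytes_in and bytes_out are assumptions; adjust them to the fields your events actually carry. Negative byte counts matter for detection: a threshold search for large transfers silently skips an event whose byte count went negative, so normalizing the value before the comparison keeps such events in scope.

```spl
sourcetype=opsec*
| foreach bytes bytes_in bytes_out
    [ eval <<FIELD>>_wrapped = if('<<FIELD>>' < 0, 1, 0),
           <<FIELD>> = if('<<FIELD>>' < 0, 2147483647, '<<FIELD>>') ]
| stats count AS events,
        sum(bytes_wrapped) AS bytes_wrapped,
        sum(bytes_in_wrapped) AS bytes_in_wrapped,
        sum(bytes_out_wrapped) AS bytes_out_wrapped
        BY sourcetype
```

The first eval inside foreach records a per-field flag before the second eval overwrites the value, so the stats line reports how often the workaround fired per sourcetype; drop the stats line to keep the corrected events themselves for downstream searches or dashboards.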

Third-party software attributions

Version 5.0.0 of the Splunk Add-on for Check Point OPSEC LEA incorporates the following third-party libraries:

Last modified on 04 January, 2021
