certego/fw1-loggrabber

Issue when importing audit logs

Opened this issue · 0 comments

bmx0r commented

Maybe this is not the best place to post this, as it is more a support request than a bug report, but I have no idea where to ask for support.
I recently installed the loggrabber via the Splunk app.
I set up 2 inputs, one for non-audit events and another for audit events.

The non-audit input is working fine, but I have an issue with the audit events:

/opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/../bin/lea_loggrabber --data audit --debug_level 2 --appname Splunk_TA_checkpoint-opseclea --lea_server_ip 192.168.169.12 --lea_server_auth_port 18184 --lea_server_auth_type sslca --opsec_sslca_file /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/xxxxxxxx.p12 --opsec_sic_name CN=SplunkLEA,O=mgt..xxxxxx --opsec_entity_sic_name CN=xxxxx,O=mgt..xxxxxx --last_record_location -1:7 --no_online --no_resolve

The grabber seems to keep a context of where it left off, but I believe that this is done by the Splunk app and not the grabber:

[root@splunk-a checkpoint_opseclea]# ll /opt/splunk/var/lib/splunk/modinputs/checkpoint_opseclea/fw-audit_audit
-rw-------. 1 root root 32 Oct  9 11:31 /opt/splunk/var/lib/splunk/modinputs/checkpoint_opseclea/fw-audit_audit
[root@splunk-a checkpoint_opseclea]# cat /opt/splunk/var/lib/splunk/modinputs/checkpoint_opseclea/fw-audit_audit
{"last_record_location": "-1:7"}

When I create the input, it works like a charm, but after midnight, it stops working.
The only workaround I have found is to remove this fw-audit_audit file; then the grabber imports the new logs...

I tried to run the grabber to figure out the --get_current_fileid, which always answers:

Current audit file FileId: -1

I am starting to wonder if it might be a misconfiguration in the SMS, but I do not know where to look anymore.

Thanks in advance

FYI:

[root@splunk-a checkpoint_opseclea]# /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/../bin/lea_loggrabber --help

FW1-LogGrabber v2.1
    Copyright (c) 2003-2005 Torsten Fellhauer, Xiaodong Lin
    Copyright (c) 2014-2016 CERTEGO s.r.l.
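The checkpoint file the report shows (`{"last_record_location": "-1:7"}`) is what decides whether the grabber resumes or stalls after the midnight log switch, so a small health check on it is the first thing an operator would want. The following is an added example and is not code from fw1-loggrabber or from the Splunk TA. It assumes the checkpoint value is laid out as `<fileid>:<record>` (an assumption inferred from the `-1:7` value on the page) and treats a file id of `-1`, the value `--get_current_fileid` printed in the report, as "file id could not be determined". The `reset_checkpoint` helper applies the reporter's own workaround of removing the file; the path and the `diagnose` labels are hypothetical.

```python
"""Health check for the Splunk modinput checkpoint used by lea_loggrabber.

Added example, not part of fw1-loggrabber or the Splunk TA. Assumptions:
  * last_record_location is "<fileid>:<record>" (inferred from "-1:7" on the page)
  * an audit file id of -1 means the grabber could not determine the current file
"""
import json
import os
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the checkpoint content shown in the issue.
SAMPLE_CHECKPOINT = '{"last_record_location": "-1:7"}'

# Value printed by "--get_current_fileid" in the report; treated here as "unknown".
UNKNOWN_FILE_ID = -1


@dataclass(frozen=True)
class RecordLocation:
    file_id: int
    record: int


def parse_last_record_location(text: str) -> RecordLocation:
    """Parse the checkpoint JSON into a file id and a record number."""
    data = json.loads(text)
    value = data["last_record_location"]
    if not isinstance(value, str):
        raise ValueError("last_record_location must be a string")
    file_part, sep, record_part = value.partition(":")
    if not sep:
        raise ValueError(f"unexpected last_record_location layout: {value!r}")
    return RecordLocation(int(file_part), int(record_part))


def diagnose(loc: RecordLocation, current_file_id: int) -> str:
    """Classify a stored checkpoint against the audit file id reported now.

    Returns "unknown_file_id" when either side is -1 (the situation in the
    report), "stale" when the checkpoint points at a different audit file than
    the current one (what a midnight log switch produces), or "ok".
    """
    if loc.file_id == UNKNOWN_FILE_ID or current_file_id == UNKNOWN_FILE_ID:
        return "unknown_file_id"
    if loc.file_id != current_file_id:
        return "stale"
    return "ok"


def read_checkpoint(path: str) -> Optional[RecordLocation]:
    """Return the parsed checkpoint, or None when no checkpoint file exists."""
    if not os.path.exists(path):
        return None
    with open(path, encoding="utf-8") as fh:
        return parse_last_record_location(fh.read())


def reset_checkpoint(path: str) -> bool:
    """Reporter's workaround: remove the checkpoint so the next run starts fresh.

    Returns True when a file was removed, False when there was none.
    """
    try:
        os.remove(path)
        return True
    except FileNotFoundError:
        return False


if __name__ == "__main__":
    # Hypothetical path mirroring the layout shown in the report.
    checkpoint_path = "/opt/splunk/var/lib/splunk/modinputs/checkpoint_opseclea/fw-audit_audit"
    loc = read_checkpoint(checkpoint_path) or parse_last_record_location(SAMPLE_CHECKPOINT)
    verdict = diagnose(loc, UNKNOWN_FILE_ID)
    print(f"checkpoint={loc} verdict={verdict}")
    if verdict != "ok":
        print("would reset checkpoint:", checkpoint_path)
```

Run it from cron or as a Splunk scripted input; a verdict other than `ok` is the condition under which the reporter saw ingestion stop, and a checkpoint that keeps reading `-1` after a reset points at the management server side rather than at the checkpoint file.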