Running Splunk with add-on for Check Point OPSEC LEA on FreeBSD 10

Here is my set of notes for running the latest Splunk with the add-on for Check Point OPSEC LEA on FreeBSD 10.0-STABLE.

Splunk: 6.1.3 build 220630
Add-on for Check Point OPSEC LEA: 2.1.0
Check Point: R71.30

To install:

% tar xvzf splunk-6.1.3-220630-FreeBSD7-amd64.gz -C /opt

/boot/loader.conf changes:

# Splunk stuff
kern.maxdsiz="4294967296" # 4GB
kern.dfldsiz="4294967296" # 4GB

Execute the following to enable Splunk to start during boot:

% /opt/splunk/bin/splunk enable boot-start

Then edit /etc/rc.d/splunk file and replace:


The following entry will be added into /etc/rc.conf:


That enables Splunk to start automatically and lets you manage it with ‘service splunk stop/start/status/…’.

In order to run the add-on for Check Point OPSEC LEA you have to enable Linux binary compatibility in FreeBSD. Either load the Linux compatibility kernel module or recompile the kernel with the following options:

options         PROCFS                  # Process filesystem (requires PSEUDOFS)
options         PSEUDOFS                # Pseudo-filesystem framework
options         COMPAT_FREEBSD32        # Compatible with i386 binaries
options         COMPAT_FREEBSD4         # Compatible with FreeBSD4
options         SYSVSHM                 # SYSV-style shared memory
options         SYSVMSG                 # SYSV-style message queues
options         SYSVSEM                 # SYSV-style semaphores
options         COMPAT_LINUX32

Install the required packages (bash is used later by the lea-* scripts):

% cd /usr/ports/emulators/linux_base-f10 && make install clean
% cd /usr/ports/shells/bash && make install clean

At this stage, if you run ‘ldd /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/opsec-tools/opsec_pull_cert’ it will complain about two missing libraries: and opsec_pull_cert is a utility used to get the certificate from Check Point, so we need to fix it first. is shipped with the Check Point OPSEC LEA add-on:

% cp /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/ /compat/linux/lib/

could be copied from any Linux machine. In my case it was Linux Ubuntu 12.04.4:

% cp /mnt/share/srv1204/lib/i386-linux-gnu/ /compat/linux/lib/
% ldd /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/opsec-tools/opsec_pull_cert
opsec_pull_cert: => /lib/ (0x28272000) => /lib/ (0x2828d000) => /lib/ (0x282a4000) => /lib/ (0x282a9000) => /lib/ (0x282b7000) => /lib/ (0x282d1000) => /lib/ (0x28319000)
        /lib/ (0x2824e000) => /lib/ (0x28492000)
% ldd /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea_loggrabber
lea_loggrabber: => /lib/ (0x282e7000) => /lib/ (0x28302000) => /lib/ (0x28307000)
        /lib/ (0x282c3000)
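The two checks above (the 4 GB data-size limits in /boot/loader.conf and the unresolved shared libraries reported by ldd) are easy to get wrong after an upgrade or a host rebuild, so here is a small pre-flight script that automates both. It is an added example, not part of the original notes or of the Splunk add-on; it assumes loader.conf uses the key="value" form shown above and that ldd prints an unresolved dependency as `<lib> => not found` (the Linux ld.so format). The function names are mine.

```shell
#!/bin/sh
# Added pre-flight check for the Splunk + OPSEC LEA setup (not part of the original notes).
# Assumptions: loader.conf uses key="value" lines as shown above, and ldd reports an
# unresolved dependency as '<lib> => not found' (the Linux ld.so output format).

# Print the value of KEY from a loader.conf-style FILE (the last definition wins).
loader_conf_value() {
    file=$1; key=$2
    sed -n "s/^[[:space:]]*${key}=\"\([^\"]*\)\".*/\1/p" "$file" | tail -n 1
}

# Return 0 if both kern.maxdsiz and kern.dfldsiz are present and at least 4 GiB.
dsiz_ok() {
    file=$1
    for key in kern.maxdsiz kern.dfldsiz; do
        v=$(loader_conf_value "$file" "$key")
        case $v in
            ''|*[!0-9]*) return 1 ;;   # missing or non-numeric value
        esac
        [ "$v" -ge 4294967296 ] || return 1
    done
    return 0
}

# Read ldd output on stdin and print the names of unresolved libraries, one per line.
missing_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Run both checks against a loader.conf and a Linux binary; exit non-zero on any problem.
preflight() {
    conf=$1; bin=$2
    status=0
    if dsiz_ok "$conf"; then
        echo "ok: kern.maxdsiz/kern.dfldsiz >= 4 GiB in $conf"
    else
        echo "FAIL: kern.maxdsiz/kern.dfldsiz missing or below 4 GiB in $conf"; status=1
    fi
    missing=$(ldd "$bin" 2>/dev/null | missing_libs)
    if [ -n "$missing" ]; then
        echo "FAIL: $bin has unresolved libraries:"; echo "$missing"; status=1
    else
        echo "ok: all libraries resolved for $bin"
    fi
    return $status
}

# Example invocation on the host (uncomment to use):
# preflight /boot/loader.conf /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/opsec-tools/opsec_pull_cert
```

Run `preflight` once for opsec_pull_cert and once for lea_loggrabber; an empty list from `missing_libs` is the condition the two ldd runs above are meant to reach, and a non-zero exit is a quick way to catch a loader.conf line that was lost during a rebuild before Splunk starts.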

Modify file located under /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin directory:


Make the same changes to the file located under the /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin directory (in case you want to debug later on).

Now you should be able to configure the add-on via the Splunk web interface, pull the certificate and start fetching logs from the Check Point Management instance.


Here is the update procedure:

% tar xvzf splunk-6.2.1-245427-FreeBSD7-amd64.gz -C /opt

% /opt/splunk/bin/splunk start --accept-license
