Running Splunk with add-on for Check Point OPSEC LEA on FreeBSD 10

Here is my set of notes to run latest Splunk with add-on for Check Point OPSEC LEA on FreeBSD 10.0-STABLE.

Splunk: 6.1.3 build 220630
Add-on for Check Point OPSEC LEA: 2.1.0
Check Point: R71.30

To install:

  % tar xvzf splunk-6.1.3-220630-FreeBSD7-amd64.gz -C /opt

/boot/loader.conf changes:

  # Splunk stuff
  kern.maxdsiz="4294967296" # 4GB
  kern.dfldsiz="4294967296" # 4GB
  machdep.hlt_cpus=0

Execute the following to enable Splunk to start during boot:

  % /opt/splunk/bin/splunk enable boot-start

Then edit /etc/rc.d/splunk file and replace:

  -rcvar=`set_rcvar`
  +rcvar=splunk_enable

The following entry will be added into /etc/rc.conf:

  splunk_enable="YES"

That enables Splunk to start automatically at boot and lets you control it with ‘service splunk start/stop/status/…’.

In order to run the add-on for Check Point OPSEC LEA you have to enable Linux binary compatibility in FreeBSD. Either load the Linux compatibility kernel module or recompile the kernel with the following options:

  options         PROCFS                  # Process filesystem (requires PSEUDOFS)
  options         PSEUDOFS                # Pseudo-filesystem framework
  options         COMPAT_FREEBSD32        # Compatible with i386 binaries
  options         COMPAT_FREEBSD4         # Compatible with FreeBSD4
  options         SYSVSHM                 # SYSV-style shared memory
  options         SYSVMSG                 # SYSV-style message queues
  options         SYSVSEM                 # SYSV-style semaphores
  options         COMPAT_LINUX32

Install the required packages (bash will be used later by the lea-* scripts):

  % cd /usr/ports/emulators/linux_base-f10 && make install clean
  % cd /usr/ports/shells/bash && make install clean

At this stage, if you run ‘ldd /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/opsec-tools/opsec_pull_cert’ it will complain about two missing libraries: libcpc++-libc6.1-2.so.3 and libpam.so.0. opsec_pull_cert is the utility used to pull the certificate from Check Point, so it has to be fixed first.

libcpc++-libc6.1-2.so.3 is shipped with the Check Point OPSEC LEA add-on:

  % cp /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/libcpc++-libc6.1-2.so.3 /compat/linux/lib/

libpam.so.0 could be copied from any Linux machine. In my case it was Linux Ubuntu 12.04.4:

  % cp /mnt/share/srv1204/lib/i386-linux-gnu/libpam.so.0.83.0 /compat/linux/lib/libpam.so.0

After that, both binaries resolve all of their libraries:

  % ldd /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/opsec-tools/opsec_pull_cert
  opsec_pull_cert:
          libpthread.so.0 => /lib/libpthread.so.0 (0x28272000)
          libresolv.so.2 => /lib/libresolv.so.2 (0x2828d000)
          libdl.so.2 => /lib/libdl.so.2 (0x282a4000)
          libpam.so.0 => /lib/libpam.so.0 (0x282a9000)
          libnsl.so.1 => /lib/libnsl.so.1 (0x282b7000)
          libcpc++-libc6.1-2.so.3 => /lib/libcpc++-libc6.1-2.so.3 (0x282d1000)
          libc.so.6 => /lib/libc.so.6 (0x28319000)
          /lib/ld-linux.so.2 (0x2824e000)
          libm.so.6 => /lib/libm.so.6 (0x28492000)

  % ldd /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea_loggrabber
  lea_loggrabber:
          libpthread.so.0 => /lib/libpthread.so.0 (0x282e7000)
          libdl.so.2 => /lib/libdl.so.2 (0x28302000)
          libc.so.6 => /lib/libc.so.6 (0x28307000)
          /lib/ld-linux.so.2 (0x282c3000)
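Checking the ldd output by eye works for two binaries, but after an upgrade of Splunk or the add-on it is easy to miss a library that has gone unresolved again. The script below is an added example, not part of these notes or of the Splunk add-on: it parses ldd-style output and lists every shared object reported as "not found", so it can be used as a pre-flight check before configuring the add-on. The two ldd listings embedded in it are constructed samples in the same shape as the output above.

```shell
#!/bin/sh
# Added example (not from the original notes): find unresolved shared
# libraries in ldd output. On a real system run:
#   ldd /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/opsec-tools/opsec_pull_cert | check_binary_deps

# Print the soname of every library that ldd reports as "<soname> => not found".
# Reads ldd output from stdin.
missing_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Exit status 0 when every library resolves, 1 otherwise; the unresolved
# sonames go to stderr so the check is usable from cron or an rc script.
check_binary_deps() {
    _missing=$(missing_libs)
    if [ -n "$_missing" ]; then
        printf 'unresolved libraries:\n%s\n' "$_missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample: what ldd on opsec_pull_cert looks like before the two
# libraries are copied into /compat/linux/lib.
SAMPLE_BEFORE='opsec_pull_cert:
        libpthread.so.0 => /lib/libpthread.so.0 (0x28272000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x2828d000)
        libpam.so.0 => not found
        libcpc++-libc6.1-2.so.3 => not found
        libc.so.6 => /lib/libc.so.6 (0x28319000)
        /lib/ld-linux.so.2 (0x2824e000)'

# Constructed sample: the same binary once both libraries are in place.
SAMPLE_AFTER='opsec_pull_cert:
        libpthread.so.0 => /lib/libpthread.so.0 (0x28272000)
        libpam.so.0 => /lib/libpam.so.0 (0x282a9000)
        libcpc++-libc6.1-2.so.3 => /lib/libcpc++-libc6.1-2.so.3 (0x282d1000)
        libc.so.6 => /lib/libc.so.6 (0x28319000)
        /lib/ld-linux.so.2 (0x2824e000)'

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_BEFORE" | missing_libs
```

Pipe the real ldd output into check_binary_deps and stop the procedure whenever it returns 1; on the sample above it reports libpam.so.0 and libcpc++-libc6.1-2.so.3, exactly the two libraries that had to be copied into /compat/linux/lib.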

Modify the lea-loggrabber.sh file located under the /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin directory:

  -#!/bin/bash
  +#!/usr/local/bin/bash
  +SPLUNK_HOME=/opt/splunk
  +export SPLUNK_HOME

Make the same changes to the lea-loggrabber-debug.sh file in the same directory (in case you want to debug later on).
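Both edits in this procedure, the rcvar line in /etc/rc.d/splunk and the shebang plus SPLUNK_HOME lines in the two lea-loggrabber scripts, are hand edits that get lost when Splunk or the add-on is reinstalled. The script below is an added example, not part of these notes or of the Splunk add-on, that applies both edits from a function so they can be re-run after an upgrade; it is idempotent (a script that already exports SPLUNK_HOME is left alone) and writes through a temporary file because FreeBSD sed -i needs a backup suffix. The file contents it creates at the end are constructed samples, not the real rc.d or add-on scripts.

```shell
#!/bin/sh
# Added example (not from the original notes): re-apply the two hand edits
# from the procedure in a repeatable way.

# Replace the rcvar=`set_rcvar` line in an rc.d script with rcvar=splunk_enable.
patch_rc_script() {
    _f=$1
    sed 's/^rcvar=`set_rcvar`$/rcvar=splunk_enable/' "$_f" > "$_f.tmp" \
        && mv "$_f.tmp" "$_f"
}

# Point the shebang at the ports bash and export SPLUNK_HOME right after it.
# $2 overrides the Splunk home; defaults to /opt/splunk as in the notes.
patch_lea_script() {
    _f=$1
    _home=${2:-/opt/splunk}
    if grep -q '^SPLUNK_HOME=' "$_f"; then
        return 0    # already patched, nothing to do
    fi
    {
        printf '#!/usr/local/bin/bash\n'
        printf 'SPLUNK_HOME=%s\n' "$_home"
        printf 'export SPLUNK_HOME\n'
        # keep the body of the script, dropping the old #!/bin/bash line
        if [ "$(head -n 1 "$_f" | cut -c1-2)" = "#!" ]; then
            tail -n +2 "$_f"
        else
            cat "$_f"
        fi
    } > "$_f.tmp" && mv "$_f.tmp" "$_f"
}

# Demonstration on constructed files in a temporary directory.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\n# PROVIDE: splunk\nrcvar=`set_rcvar`\nload_rc_config splunk\n' \
    > "$demo_dir/splunk"
printf '#!/bin/bash\ncd "$SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22/bin"\n./lea_loggrabber "$@"\n' \
    > "$demo_dir/lea-loggrabber.sh"
patch_rc_script "$demo_dir/splunk"
patch_lea_script "$demo_dir/lea-loggrabber.sh"
cat "$demo_dir/splunk" "$demo_dir/lea-loggrabber.sh"
rm -rf "$demo_dir"
```

On a real installation the calls are patch_rc_script /etc/rc.d/splunk and patch_lea_script on each of lea-loggrabber.sh and lea-loggrabber-debug.sh; running them a second time after an upgrade changes nothing if the edits are still present.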

Now you should be able to configure the add-on via the Splunk web interface, pull the certificate and start fetching logs from the Check Point Management instance.

2014093001

Here is the update procedure:

  % tar xvzf splunk-6.2.1-245427-FreeBSD7-amd64.gz -C /opt

  % /opt/splunk/bin/splunk start --accept-license
