Running Splunk with add-on for Check Point OPSEC LEA on FreeBSD 10

Here is my set of notes to run the latest Splunk with the add-on for Check Point OPSEC LEA on FreeBSD 10.0-STABLE.

Splunk: 6.1.3 build 220630
Add-on for Check Point OPSEC LEA: 2.1.0
Check Point: R71.30

To install:

% tar xvzf splunk-6.1.3-220630-FreeBSD7-amd64.gz -C /opt

/boot/loader.conf changes:

# Splunk stuff
kern.maxdsiz="4294967296" # 4GB
kern.dfldsiz="4294967296" # 4GB
machdep.hlt_cpus=0

Execute the following to enable Splunk to start during boot:

% /opt/splunk/bin/splunk enable boot-start

Then edit /etc/rc.d/splunk file and replace:

-rcvar=`set_rcvar`
+rcvar=splunk_enable

The following entry will be added into /etc/rc.conf:

splunk_enable="YES"

That will enable Splunk to start automatically along with ‘service splunk stop/start/status/…’.

In order to run the add-on for Check Point OPSEC LEA you have to enable Linux compatibility in FreeBSD: either load the linux kernel module or rebuild the kernel with the following options:

options         PROCFS                  # Process filesystem (requires PSEUDOFS)
options         PSEUDOFS                # Pseudo-filesystem framework
options         COMPAT_FREEBSD32        # Compatible with i386 binaries
options         COMPAT_FREEBSD4         # Compatible with FreeBSD4
options         SYSVSHM                 # SYSV-style shared memory
options         SYSVMSG                 # SYSV-style message queues
options         SYSVSEM                 # SYSV-style semaphores
options         COMPAT_LINUX32

Install the required packages (bash is needed later by the lea-* scripts):

% cd /usr/ports/emulators/linux_base-f10 && make install clean
% cd /usr/ports/shells/bash && make install clean

At this stage, if you run ‘ldd /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/opsec-tools/opsec_pull_cert’ it will complain about two missing libraries: libcpc++-libc6.1-2.so.3 and libpam.so.0. opsec_pull_cert is the utility used to pull the certificate from Check Point, so we need to fix it first.

libcpc++-libc6.1-2.so.3 is shipped with the Check Point OPSEC LEA add-on:

% cp /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/libcpc++-libc6.1-2.so.3 /compat/linux/lib/

libpam.so.0 can be copied from any Linux machine; it must be a 32-bit (i386) build, since the linux_base-f10 environment is 32-bit. In my case it came from Ubuntu 12.04.4:

% cp /mnt/share/srv1204/lib/i386-linux-gnu/libpam.so.0.83.0 /compat/linux/lib/libpam.so.0
% ldd /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/opsec-tools/opsec_pull_cert
opsec_pull_cert:
        libpthread.so.0 => /lib/libpthread.so.0 (0x28272000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x2828d000)
        libdl.so.2 => /lib/libdl.so.2 (0x282a4000)
        libpam.so.0 => /lib/libpam.so.0 (0x282a9000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x282b7000)
        libcpc++-libc6.1-2.so.3 => /lib/libcpc++-libc6.1-2.so.3 (0x282d1000)
        libc.so.6 => /lib/libc.so.6 (0x28319000)
        /lib/ld-linux.so.2 (0x2824e000)
        libm.so.6 => /lib/libm.so.6 (0x28492000)
% ldd /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea_loggrabber
lea_loggrabber:
        libpthread.so.0 => /lib/libpthread.so.0 (0x282e7000)
        libdl.so.2 => /lib/libdl.so.2 (0x28302000)
        libc.so.6 => /lib/libc.so.6 (0x28307000)
        /lib/ld-linux.so.2 (0x282c3000)

Modify lea-loggrabber.sh file located under /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin directory:

-#!/bin/bash
+#!/usr/local/bin/bash
+SPLUNK_HOME=/opt/splunk
+export SPLUNK_HOME

Do the same changes for lea-loggrabber-debug.sh file located under /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin directory (in case you want to debug later on).

Now you should be able to configure the add-on via the Splunk web interface, pull the certificate and start fetching logs from the Check Point Management instance.
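As an added example (not part of the original notes), a few POSIX sh helpers that check the add-on's Linux binaries for unresolved libraries and apply the lea-loggrabber*.sh change described above in an idempotent way. The function names and the rewrite-via-tail approach are my own; the paths are the ones used in these notes.

```sh
#!/bin/sh
# Helpers for the Splunk OPSEC LEA add-on under FreeBSD Linux compatibility.
# Added example; the function names are hypothetical, paths follow the notes.

# Print the library names an ldd report marks as unresolved, one per line.
# Reads ldd output on stdin; unresolved entries look like "libpam.so.0 => not found".
missing_libs() {
    awk '/=> not found/ { print $1 }'
}

# Run ldd on the two Linux binaries the add-on ships and report what is missing.
# Produces no output when both binaries resolve all their libraries.
check_opsec_tools() {
    app=/opt/splunk/etc/apps/Splunk_TA_opseclea_linux22
    for bin in "$app/opsec-tools/opsec_pull_cert" "$app/bin/lea_loggrabber"; do
        ldd "$bin" 2>/dev/null | missing_libs | sed "s|^|$bin: missing |"
    done
}

# Return 0 if FILE already uses the bash installed from ports.
has_freebsd_bash_shebang() {
    [ "$(head -n 1 "$1")" = "#!/usr/local/bin/bash" ]
}

# Replace the #!/bin/bash shebang with /usr/local/bin/bash and export SPLUNK_HOME,
# keeping a .orig backup. Refuses (returns 1) unless the first line is exactly
# "#!/bin/bash", so running it twice or on the wrong file changes nothing.
# Rewriting through ">" keeps the file's mode bits, so the script stays executable.
fix_lea_script() {
    [ "$(head -n 1 "$1")" = "#!/bin/bash" ] || return 1
    cp "$1" "$1.orig"
    {
        printf '#!/usr/local/bin/bash\nSPLUNK_HOME=/opt/splunk\nexport SPLUNK_HOME\n'
        tail -n +2 "$1.orig"
    } > "$1"
}
```

Usage on the real host: `fix_lea_script /opt/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh` (and the -debug variant), then `check_opsec_tools` should print nothing once both libraries are in /compat/linux/lib.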

2014093001

Here is the update procedure:

% tar xvzf splunk-6.2.1-245427-FreeBSD7-amd64.gz -C /opt

% /opt/splunk/bin/splunk start --accept-license
