IBM QRadar


Checkpoint log source via OPSEC/LEA error


    Posted Tue December 20, 2022 04:35 AM
    Hello, 3 of our Checkpoint log sources stopped sending events to QRadar. They're connected via OPSEC/LEA. The certificate for these log sources wasn't valid anymore, so I asked the Checkpoint admin to export a new one based on this IBM guideline, which we used for other Checkpoints without problems. After uploading the new certificate to the /trusted certificates folder and adding the name of the certificate to the QRadar log source configuration, the Checkpoints did start sending the logs again. After around 4 hours they stopped, and I see the following error when using the LEAPIPE2SYSLOG binary. Any advice?

    [20 Dec 8:31:19] fwCert_OurValCerts: validation OK
    [20 Dec 8:31:19] T_event_do_del: no event for socket/type: 13/0
    [20 Dec 8:31:19] fwasync_conn_get: get max buffer size (4194304) .
    [20 Dec 8:31:19] sic_client_end_handler: for conn id = 13
    [20 Dec 8:31:19] opsec_auth_client_connected: connect failed (147)
    [20 Dec 8:31:19] opsec_auth_client_connected: SIC Error for lea: Authentication error
    [20 Dec 8:31:19] opsec_auth_client_connected:conn=(nil) opaque=0x96e4560 err=0 comm=0x96f4248
    [20 Dec 8:31:19] comm failed to connect 0x96f4248
    [20 Dec 8:31:19] OPSEC_SET_ERRNO: err = 8 Comm is not connected/Unable to connect (pre = 0)
    [20 Dec 8:31:19] COM 0x96f4248 got signal 131075
    [20 Dec 8:31:19] destroying comm 0x96f4248
    [20 Dec 8:31:19] Destroying comm 0x96f4248 with 2 active sessions
    [20 Dec 8:31:19] Destroying session (96e5eb8) id 3 (ent=96e59a8) reason=SIC_FAILURE
    [20 Dec 8:31:19] SESSION ID:3 is sending DG_TYPE=3

    LeaEndHandler: end handler has been called for session 0x96e5eb8.
    [20 Dec 8:31:19] opsec_comm_is_needed:comm 0x96f4248 2/2 sessions need the comm.
    [20 Dec 8:31:19] Destroying session (96e5f48) id 5 (ent=96e59a8) reason=SIC_FAILURE
    [20 Dec 8:31:19] SESSION ID:5 is sending DG_TYPE=3

    LeaEndHandler: end handler has been called for session 0x96e5f48.
    [20 Dec 8:31:19] opsec_comm_is_needed:comm 0x96f4248 1/2 sessions need the comm.
    [20 Dec 8:31:19] pulling dgtype=1 len=0 to list=0x96f4264
    [20 Dec 8:31:19] pulling dgtype=402 len=27 to list=0x96f4264
    [20 Dec 8:31:19] pulling dgtype=1 len=0 to list=0x96f4264
    [20 Dec 8:31:19] pulling dgtype=402 len=30 to list=0x96f4264
    [20 Dec 8:31:19] pulling dgtype=40c len=0 to list=0x96f4264
    [20 Dec 8:31:19] pulling dgtype=40c len=0 to list=0x96f4264
    [20 Dec 8:31:19] pulling dgtype=ffffffff len=-1 to list=0x96f4264
    [20 Dec 8:31:19] REMOVING comm=0x96f4248 from ent=0x96e59a8 with key=2
    [20 Dec 8:31:19] fwasync_do_end_conn: 13: calling 0x808c760 to free opaque 0x96e0cf0
    [20 Dec 8:31:19] ckpSSL_fwasync_close: start shutdown
    [20 Dec 8:31:19] ckpSSL_StartShutdown: fd=13, peer already closed
    [20 Dec 8:31:19] ckpSSL_ShutdownHandler: state is ckpSSL_St_PeerClosed
    [20 Dec 8:31:19] ckpSSL_Destroy: closed fd 13
    [20 Dec 8:31:19] T_event_mainloop_e: T_event_mainloop_iter returns 0
    Finished opsec_mainloop.
    [20 Dec 8:31:19] Destroying entity 1 with 0 active comms
    [20 Dec 8:31:19] opsec_destroy_entity_sic: deleting sic rules for entity 0x96e59a8
    [20 Dec 8:31:19] Destroying entity 2 with 0 active comms
    [20 Dec 8:31:19] opsec_destroy_entity_sic: deleting sic rules for entity 0x96e4670

    ------------------------------
    tysa
    ------------------------------
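As an added example (not from the post, IBM or Check Point), a small triage script for the LEAPIPE2SYSLOG debug output shown above: it parses the "[timestamp] function: message" lines and pulls out the facts that matter for this kind of failure (local certificate validation, the SIC error text, the OPSEC connect/errno codes, which sessions were torn down and why, and whether the peer closed the socket). The embedded sample is a trimmed, constructed copy of the output quoted in the post.

```python
import re

# Constructed sample: a trimmed copy of the LEAPIPE2SYSLOG debug output quoted in the post.
SAMPLE_LOG = """\
[20 Dec 8:31:19] fwCert_OurValCerts: validation OK
[20 Dec 8:31:19] opsec_auth_client_connected: connect failed (147)
[20 Dec 8:31:19] opsec_auth_client_connected: SIC Error for lea: Authentication error
[20 Dec 8:31:19] OPSEC_SET_ERRNO: err = 8 Comm is not connected/Unable to connect (pre = 0)
[20 Dec 8:31:19] Destroying session (96e5eb8) id 3 (ent=96e59a8) reason=SIC_FAILURE
LeaEndHandler: end handler has been called for session 0x96e5eb8.
[20 Dec 8:31:19] Destroying session (96e5f48) id 5 (ent=96e59a8) reason=SIC_FAILURE
[20 Dec 8:31:19] ckpSSL_StartShutdown: fd=13, peer already closed
Finished opsec_mainloop.
"""

# "[timestamp] function: message"; the timestamp is optional because LeaEndHandler prints without one.
LINE_RE = re.compile(r"^(?:\[(?P<ts>[^\]]+)\]\s*)?(?P<func>\w+):\s*(?P<msg>.*)$")

def parse_lea_debug(text):
    """Return (timestamp, function, message) per line; lines with no 'function:'
    prefix are kept with function None so nothing is silently dropped."""
    records = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m = LINE_RE.match(line)
        records.append((m["ts"], m["func"], m["msg"]) if m else (None, None, line))
    return records

def triage_sic_failure(text):
    """Summarise why the LEA connection died: local certificate check, SIC error,
    OPSEC error codes, sessions torn down as (id, reason) and who closed the socket."""
    s = {"local_cert_ok": False, "sic_error": None, "connect_failed": None,
         "opsec_errno": None, "sessions": [], "peer_closed": False}
    for _ts, func, msg in parse_lea_debug(text):
        if func == "fwCert_OurValCerts" and "validation OK" in msg:
            s["local_cert_ok"] = True
        elif m := re.search(r"SIC Error for (\w+): (.+)", msg):
            s["sic_error"] = f"{m[1]}: {m[2]}"
        elif m := re.search(r"connect failed \((\d+)\)", msg):
            s["connect_failed"] = int(m[1])
        elif func == "OPSEC_SET_ERRNO" and (m := re.search(r"err = (\d+) (.*?) \(pre", msg)):
            s["opsec_errno"] = (int(m[1]), m[2])
        elif m := re.search(r"Destroying session \(\w+\) id (\d+) .*reason=(\w+)", msg):
            s["sessions"].append((int(m[1]), m[2]))
        elif "peer already closed" in msg:
            s["peer_closed"] = True
    # Local validation passed but the management server refused SIC, so the rejection is on the server side of the trust.
    s["verdict"] = ("local certificate OK, server rejected SIC authentication"
                    if s["local_cert_ok"] and s["sic_error"] else "no SIC failure found")
    return s
```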