Getting Data In

Checkpoint LEA App working issue: all logs entries are downloaded at each script execution

LauMat
Engager

Hello,

We are a consulting firm and I am assessing the Splunk solution for one of my customers.

The LEA application for Checkpoint is not working correctly: each time the script is called, it downloads the complete fw.log file. It results in a huge data indexing activity - and license expiration warnings!

I assume the script should normally download the difference since last LEA download.

Could somebody help to clarify how it works and what might be going wrong with our installation?

Your help appreciated. Many thanks.

Laurent

treyka
Path Finder

Hey, LauMat, did you solve this problem? If not, double-check the permissions on your lea_loggrabber app(s) - the lea app stores its state in bin/ but whatever user this app is running as needs write permission to some of the files in this directory. In your case I believe that it is (or was) unable to write to lea_log_rec_num.cache which is where it keeps track of the last line read off the wire.
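As an added illustration (not the lea_loggrabber app's own code), here is a simplified Python model of the checkpoint logic treyka describes: the last record number is read from lea_log_rec_num.cache, only later records are fetched, and the new position is written back. When the state directory cannot be written, every run starts from record 0 again, which reproduces the whole-file re-download from the question; the sequential record numbering, the cache file format and the sample log lines are assumptions.

```python
import os
import tempfile

CACHE_NAME = "lea_log_rec_num.cache"  # state file named in the thread

# Constructed sample of a fw.log-style record stream (not real Check Point output)
SAMPLE_LOG = [
    "accept src=10.0.0.5 dst=10.0.0.9 service=https",
    "drop src=198.51.100.7 dst=10.0.0.9 service=ssh",
    "accept src=10.0.0.6 dst=10.0.0.9 service=dns",
    "drop src=203.0.113.4 dst=10.0.0.9 service=telnet",
]

def read_checkpoint(cache_path):
    """Last record number persisted, or 0 when there is no usable cache."""
    try:
        with open(cache_path) as fh:
            return int(fh.read().strip() or 0)
    except (OSError, ValueError):
        return 0

def grab_new_records(records, state_dir):
    """Return (records after the checkpoint, whether the new checkpoint was saved)."""
    # Assumption: records are numbered sequentially from 1 (not the app's real scheme).
    cache_path = os.path.join(state_dir, CACHE_NAME)
    last = read_checkpoint(cache_path)
    new = [(n, line) for n, line in enumerate(records, start=1) if n > last]
    if not new:
        return [], True
    try:
        with open(cache_path, "w") as fh:
            fh.write(str(new[-1][0]))
        return new, True
    except OSError:
        return new, False  # symptom from the thread: state never advances

def check_state_dir(state_dir):
    """Pre-flight check: can this user persist the checkpoint in bin/?"""
    return os.path.isdir(state_dir) and os.access(state_dir, os.W_OK)

def demo():
    """Record counts for two runs with a writable state dir, then two without."""
    with tempfile.TemporaryDirectory() as d:
        good = tuple(len(grab_new_records(SAMPLE_LOG, d)[0]) for _ in range(2))
        missing = os.path.join(d, "no-such-dir")  # checkpoint can never be written
        bad = tuple(len(grab_new_records(SAMPLE_LOG, missing)[0]) for _ in range(2))
        return good, bad, check_state_dir(d), check_state_dir(missing)

if __name__ == "__main__":
    print(demo())  # ((4, 0), (4, 4), True, False)
```

The second run against the writable directory returns nothing new, while the unwritable one re-fetches all four records every time; running check_state_dir against the app's bin/ as the Splunk user is the quick way to confirm treyka's permission explanation.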

treyka
Path Finder

(For debugging lea_loggrabber issues it can be useful to execute the command with strace (plus the lea_loggrabber --debug flag).)

Lowell
Super Champion

If you don't get an answer here, you should try contacting splunk support: Simply email support@splunk.com, or give them a call.
