000026985 - How to run the Check Point collection service from command line for troubleshooting on an RSA Security Analytics or NetWitness Platform Log Collector

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Sep 26, 2019.
Version 3


Article Number: 000026985
Applies To: RSA Product Set: Security Analytics, NetWitness Logs & Network
RSA Product/Service Type: Log Collector
RSA Version/Condition: 10.x, 11.x
Platform: CentOS
OS Version: EL6, EL7
Issue: How to run the Check Point collection service from the command line for troubleshooting on an RSA Security Analytics or NetWitness Log Collector.
Resolution

The NwCheckpointProcess program is used by the NwLogCollector to collect events from Check Point servers over the OPSEC LEA API. It can also be run by hand as a command-line utility to probe a Check Point server, which is useful for verifying connectivity and debugging connection problems without involving the full collector. The following is an example of the syntax:

/usr/sbin/NwCheckpointProcess --ip 192.168.1.1 --name Test --port 18184 --sdn CN=MyCheckpoint,o=test.lab.org --cdn CN=enVision_OPSEC,o=test.lab.org --cen enVision_OPSEC --kfp /etc/netwitness/ng/truststore/MyCertificate.p12 --count 10 --time 120 --timeout 30

Some NwCheckpointProcess options take no value; the presence of the option alone triggers an action. For example, to list the log files on the server, enter: NwCheckpointProcess --showlogs
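The following pre-flight wrapper is an added example; it is not part of this article and is not shipped with the RSA Log Collector. Before launching a probe it checks the two inputs that most often cause a silent failure, the OPSEC key file given to --kfp (present, readable, not exposed to other local users) and TCP reachability of the LEA port, then builds a bounded session from the options documented in the --help output below (--count, --time, --timeout, --pretty). The binary path /usr/sbin/NwCheckpointProcess and the sample DNs come from the example above; the function names, the use of nc for the port check, and the default limits are assumptions.

```shell
#!/bin/sh
# Pre-flight wrapper for an NwCheckpointProcess probe (added example; not part
# of the RSA article or the Log Collector). It validates the inputs the probe
# depends on, then runs a bounded collection session.
# Assumed: the binary lives at /usr/sbin (override with the NWCP variable).

NWCP=${NWCP:-/usr/sbin/NwCheckpointProcess}

# check_keyfile PATH
# The OPSEC key file (--kfp) holds the client's private key. Fail if it is
# missing or unreadable; warn if other users on the collector can read it.
check_keyfile() {
    kfp=$1
    [ -f "$kfp" ] || { echo "key file not found: $kfp" >&2; return 1; }
    [ -r "$kfp" ] || { echo "key file not readable: $kfp" >&2; return 1; }
    # GNU stat first, BSD stat as fallback; empty mode just skips the warning
    mode=$(stat -c %a "$kfp" 2>/dev/null || stat -f %Lp "$kfp" 2>/dev/null)
    case "$mode" in
        *[4567]) echo "warning: $kfp is world-readable (mode $mode)" >&2 ;;
    esac
    return 0
}

# check_port IP PORT
# Confirm the LEA port answers TCP before suspecting certificates or DNs.
# Uses nc when present; returns 2 (check skipped) when it is not installed.
check_port() {
    command -v nc >/dev/null 2>&1 || {
        echo "nc not found, skipping port check" >&2; return 2; }
    if nc -z -w 5 "$1" "$2" 2>/dev/null; then
        return 0
    fi
    echo "no TCP answer from $1:$2 (firewall, wrong port, or LEA down)" >&2
    return 1
}

# build_probe_args IP NAME PORT SDN CDN CEN KFP [COUNT] [TIME] [TIMEOUT]
# Emit the option list for a bounded probe, one token per line, using only
# options documented in --help. Defaults keep the session short: stop after
# 10 events, after 120 s total, or after 30 s with no events at all.
build_probe_args() {
    printf '%s\n' \
        --ip "$1" --name "$2" --port "$3" \
        --sdn "$4" --cdn "$5" --cen "$6" --kfp "$7" \
        --count "${8:-10}" --time "${9:-120}" --timeout "${10:-30}"
}

# run_probe IP NAME PORT SDN CDN CEN KFP [COUNT] [TIME] [TIMEOUT]
# Run both checks, then the probe with --pretty so events are readable.
# A skipped port check (rc 2) does not block the probe; a refused one does.
run_probe() {
    check_keyfile "$7" || return 1
    check_port "$1" "$3"
    rc=$?
    [ "$rc" -eq 1 ] && return 1
    # word-splitting on the printf output is intended: DNs contain no spaces
    # shellcheck disable=SC2046
    "$NWCP" $(build_probe_args "$@") --pretty
}
```

Typical use on the collector is `run_probe 192.168.1.1 Test 18184 CN=MyCheckpoint,o=test.lab.org CN=enVision_OPSEC,o=test.lab.org enVision_OPSEC /etc/netwitness/ng/truststore/MyCertificate.p12` after sourcing the file; a failed key-file or port check prints the reason to stderr and stops before the LEA handshake, which separates host-level problems from OPSEC certificate and DN problems.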



If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.

Notes

The text below is an example of the NwCheckpointProcess --help output.

General:
  --help                show help
  --debug               verbose output for Nw Checkpoint Process
  --odebug              verbose output for OPSEC LEA protocol
  --config arg          configuration file

Required:
  --name arg            checkpoint server name
  --ip arg              checkpoint server ip
  --port arg            server port
  --sdn arg             server distinguished name
                        obtained from the Checkpoint Management Console
                        For example:
                           cn=cp_mgmt,o=cpfw.cpfw.abc.net.ckbe7u
  --cdn arg             client distinguished name
                        this is obtained from the Checkpoint Management Console
                        For example:
                           CN=NEXTGEN1,O=cpfw.cpfw.abc.net.ckbe7u
  --cen arg             client entity name
                        obtained from the Checkpoint Management Console when
                        creating the client
  --kfp arg             key file path (obtained by using the utility
                        opsec_get_key

Optional:
  --audit               Read the audit records
  --online              Continue to read the next log file when the end of the
                        current one is reached
  --offline             Stop reading when the end of the current log file is
                        reached
  --timeout arg         Time period (seconds) in which if no events are
                        collected, the session is ended
  --count arg           Events to collect before ending the session
  --time arg            Time to collect (seconds) before ending the session
  --file arg            The file id to read from
  --log arg             The log file name to read from
  --record arg          The record to start reading from
  --start               Start reading from the start of the file
  --end                 Start reading from the end of the file
  --showlogs            Show logs on checkpoint server
  --showfiles           Show files on checkpoint server
  --pretty              Format event output
  --forwarder           forwarding i.e. replace *deviceAddr with orig or
                        reverse lookup of orig_name if it exists
Legacy Article ID: a66617
