fw1-loggrabber
Issue when importing audit logs
Maybe this is not the best place to post this, as it is more a support request than a bug report, but I have no idea where to ask for support. I recently installed the loggrabber via the Splunk app. I set up 2 inputs, one for non-audit events and another for audit events.
The non-audit one is working fine, but I have an issue with the audit events:
/opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/../bin/lea_loggrabber --data audit --debug_level 2 --appname Splunk_TA_checkpoint-opseclea --lea_server_ip 192.168.169.12 --lea_server_auth_port 18184 --lea_server_auth_type sslca --opsec_sslca_file /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/certs/xxxxxxxx.p12 --opsec_sic_name CN=SplunkLEA,O=mgt..xxxxxx --opsec_entity_sic_name CN=xxxxx,O=mgt..xxxxxx --last_record_location -1:7 --no_online --no_resolve
The grabber seems to keep a context of where it left off, but I believe that this is done by the Splunk app and not the grabber:
[root@splunk-a checkpoint_opseclea]# ll /opt/splunk/var/lib/splunk/modinputs/checkpoint_opseclea/fw-audit_audit
-rw-------. 1 root root 32 Oct 9 11:31 /opt/splunk/var/lib/splunk/modinputs/checkpoint_opseclea/fw-audit_audit
[root@splunk-a checkpoint_opseclea]# cat /opt/splunk/var/lib/splunk/modinputs/checkpoint_opseclea/fw-audit_audit
{"last_record_location": "-1:7"}
When I create the input, it works like a charm, but after midnight, it stops working. The only workaround I have found is to remove this fw-audit_audit file; then the grabber imports the new logs...
I tried running the grabber with --get_current_fileid to figure out the file id, which always answers:
Current audit file FileId: -1
I am starting to wonder if it might be a misconfiguration in the SMS, but I do not know where to look anymore.
Thanks in advance
FYI:
[root@splunk-a checkpoint_opseclea]# /opt/splunk/etc/apps/Splunk_TA_checkpoint-opseclea/bin/../bin/lea_loggrabber --help
FW1-LogGrabber v2.1
Copyright (c) 2003-2005 Torsten Fellhauer, Xiaodong Lin
Copyright (c) 2014-2016 CERTEGO s.r.l.
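As an added example (not code from this issue or from the fw1-loggrabber project), a small Python check for the Splunk checkpoint file shown above: it parses the last_record_location value and treats a checkpoint that still points at the "current" file (fileid -1) but was written before the most recent midnight as stale, which is the situation in which the reporter had to delete the file by hand. The fileid:position layout, the midnight rotation and the reset-by-deletion step are assumptions taken from the report; the path is the one shown in the issue.

```python
import json
import os
from datetime import datetime, time

# Checkpoint path as shown in the issue report (assumed to be the one in use).
CHECKPOINT = "/opt/splunk/var/lib/splunk/modinputs/checkpoint_opseclea/fw-audit_audit"


def parse_location(text):
    """Return (fileid, position) from the checkpoint JSON, e.g. "-1:7" -> (-1, 7).
    The "fileid:position" layout is assumed from the value seen in the report."""
    loc = json.loads(text)["last_record_location"]
    fileid, sep, pos = loc.partition(":")
    if not sep or not pos.isdigit() or not fileid.lstrip("-").isdigit():
        raise ValueError("malformed last_record_location: %r" % loc)
    return int(fileid), int(pos)


def _as_dt(value):
    """Accept either a datetime or an ISO-8601 string."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def checkpoint_is_stale(text, written_at, now):
    """A checkpoint for the 'current' audit file (fileid -1) written before the
    most recent midnight points into a log that has since rotated (assumption:
    rotation at midnight, as observed in the report)."""
    fileid, _ = parse_location(text)
    written_at, now = _as_dt(written_at), _as_dt(now)
    midnight = datetime.combine(now.date(), time.min)
    return fileid == -1 and written_at < midnight


def check_and_reset(path=CHECKPOINT, now=None):
    """Apply the reporter's workaround only when the checkpoint is stale.
    Returns "missing", "ok" or "reset" so a cron job can log what happened."""
    now = now or datetime.now()
    if not os.path.exists(path):
        return "missing"
    with open(path) as fh:
        text = fh.read()
    written_at = datetime.fromtimestamp(os.path.getmtime(path))
    if checkpoint_is_stale(text, written_at, now):
        os.remove(path)  # next run starts from the current audit file again
        return "reset"
    return "ok"


if __name__ == "__main__":
    print(check_and_reset())
```

Run it from cron shortly after midnight, before the Splunk input's next poll, so a stale checkpoint is cleared without manual intervention.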