https://community.splunk.com/t5/Security/Cisco-IPS-Python-Error/m-p/148431#M14608 <P>Hi,</P> <P>I'm wondering if anyone could help - seem to be getting into real trouble with Cisco IPS feeds. I have the Splunk add-on for Cisco IPS 2.11 installed on my Search Head, two Indexers and a Heavy Forwarder. As per the configuration guide, no configuration has been performed within the app on the search head or indexers. I have set the app up via the GUI on the heavy forwarder entering the host, username, password and interval (default value of 15).</P> <P>I am seeing lots of erros from python in splunkd.log on the heavy forwarder, such as:</P> <PRE><CODE>12-10-2014 17:22:55.390 +0000 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\Splunk_TA_cisco-ips\bin\get_ips_feed.py" 10.1.1.50 15" IOError: [Errno 2] No such file or directory: 'C:\\Program Files\\Splunk\\etc\\apps\\Splunk_TA_cisco-ips\\var\\log\\ips_sdee.log.10.1.1.50' 12-10-2014 17:22:55.390 +0000 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\Splunk_TA_cisco-ips\bin\get_ips_feed.py" 10.1.1.50 15" stream = open(self.baseFilename, self.mode) 12-10-2014 17:22:55.390 +0000 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\Splunk_TA_cisco-ips\bin\get_ips_feed.py" 10.1.1.50 15" File "C:\Program Files\Splunk\Python-2.7\Lib\logging\__init__.py", line 925, in _open 12-10-2014 17:22:55.390 +0000 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\Splunk_TA_cisco-ips\bin\get_ips_feed.py" 10.1.1.50 15" StreamHandler.__init__(self, self._open()) </CODE></PRE> <P>I would paste more errors, but after the first line they don't appear to be useful. This is happening at each interval (which in the inputs.conf seems to be every second).</P> <P>It is also very strange that there is only one entry in sdee_connection.log:</P> <PRE><CODE>Wed Dec 10 16:52:21 2014 - Could not get IPS 10.1.1.50 credentials from splunk: ResponseNotReady </CODE></PRE> <P>I have checked and the credentials are valid for the IPS that Splunk is connecting to.</P> <P>Why is the app not able to create a log file ips_sdee.log.10.1.1.50? </P> <P>Any help is apreciated as I don't know how to troubleshoot from here...</P> <P>Thanks,<BR /> DS</P> Wed, 10 Dec 2014 17:33:24 GMT darthsplunk 2014-12-10T17:33:24Z https://community.splunk.com/t5/Security/Cisco-IPS-Python-Error/m-p/148431#M14608 <P>Hi,</P> <P>I'm wondering if anyone could help - seem to be getting into real trouble with Cisco IPS feeds. I have the Splunk add-on for Cisco IPS 2.11 installed on my Search Head, two Indexers and a Heavy Forwarder. As per the configuration guide, no configuration has been performed within the app on the search head or indexers. I have set the app up via the GUI on the heavy forwarder entering the host, username, password and interval (default value of 15).</P> <P>I am seeing lots of erros from python in splunkd.log on the heavy forwarder, such as:</P> <PRE><CODE>12-10-2014 17:22:55.390 +0000 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\Splunk_TA_cisco-ips\bin\get_ips_feed.py" 10.1.1.50 15" IOError: [Errno 2] No such file or directory: 'C:\\Program Files\\Splunk\\etc\\apps\\Splunk_TA_cisco-ips\\var\\log\\ips_sdee.log.10.1.1.50' 12-10-2014 17:22:55.390 +0000 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\Splunk_TA_cisco-ips\bin\get_ips_feed.py" 10.1.1.50 15" stream = open(self.baseFilename, self.mode) 12-10-2014 17:22:55.390 +0000 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\Splunk_TA_cisco-ips\bin\get_ips_feed.py" 10.1.1.50 15" File "C:\Program Files\Splunk\Python-2.7\Lib\logging\__init__.py", line 925, in _open 12-10-2014 17:22:55.390 +0000 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\Splunk_TA_cisco-ips\bin\get_ips_feed.py" 10.1.1.50 15" StreamHandler.__init__(self, self._open()) </CODE></PRE> <P>I would paste more errors, but after the first line they don't appear to be useful. This is happening at each interval (which in the inputs.conf seems to be every second).</P> <P>It is also very strange that there is only one entry in sdee_connection.log:</P> <PRE><CODE>Wed Dec 10 16:52:21 2014 - Could not get IPS 10.1.1.50 credentials from splunk: ResponseNotReady </CODE></PRE> <P>I have checked and the credentials are valid for the IPS that Splunk is connecting to.</P> <P>Why is the app not able to create a log file ips_sdee.log.10.1.1.50? </P> <P>Any help is apreciated as I don't know how to troubleshoot from here...</P> <P>Thanks,<BR /> DS</P> Wed, 10 Dec 2014 17:33:24 GMT https://community.splunk.com/t5/Security/Cisco-IPS-Python-Error/m-p/148431#M14608 darthsplunk 2014-12-10T17:33:24Z https://community.splunk.com/t5/Security/Cisco-IPS-Python-Error/m-p/148432#M14609 <P>Try to use a versión of splunk before 6.</P> <P>Its looks like there is a problem with the phyton version includen in versión 6.</P> Wed, 10 Dec 2014 23:39:23 GMT https://community.splunk.com/t5/Security/Cisco-IPS-Python-Error/m-p/148432#M14609 jmallorquin 2014-12-10T23:39:23Z