topic Splunk for Cisco IPS - exception thrown in sdee-get() in All Apps and Add-ons

Splunk for Cisco IPS - exception thrown in sdee-get()

crob6281 — Fri, 19 Aug 2011 16:45:08 GMT

I'm setting up Splunk for Cisco IPS for the first time. It looks like it's able to connect, but seems to not be able to retrieve events.

sdee_get.log:

Fri Aug 19 12:00:41 2011 - INFO - Checking for exsisting SubscriptionID on host: x.x.x.x
Fri Aug 19 12:00:41 2011 - INFO - SubscriptionID: sub-3-adf9579a found for host: x.x.x.x
Fri Aug 19 12:00:41 2011 - INFO - Attempting to connect to sensor: x.x.x.x
Fri Aug 19 12:00:41 2011 - INFO - Successfully connected to: x.x.x.x
Fri Aug 19 12:00:41 2011 - ERROR - Exception thrown in sdee.get(): HTTPError: HTTP Error 400: Bad Request

The IDS model is ASA_SSM-10.

Suggestions?

Re: Splunk for Cisco IPS - exception thrown in sdee-get()

kenson — Fri, 09 Dec 2011 06:20:53 GMT

This error happens when the subscription id for some reason is no longer valid on the device end. You need to delete your x.x.x.x.run file(s) and allow the script to attempt to open a new session without an existing subscription id.

Re: Splunk for Cisco IPS - exception thrown in sdee-get()

asrozar — Wed, 11 Jul 2012 14:46:13 GMT

how do you "delete your x.x.x.x.run file(s)"? What subscription ID is this referring too?

Re: Splunk for Cisco IPS - exception thrown in sdee-get()

kenson — Tue, 31 Jul 2012 08:45:48 GMT

Just stop the script and rm the *.run files in the apps var/run directory. Then start it again. The subscription id refers to some internal mechanism that supposedly helps the ips to remember which events you already fetched..