topic Re: Cisco IPS app not working in Getting Data In

Cisco IPS app not working

rbw78 — Wed, 10 Oct 2012 13:20:07 GMT

Hello

I have issue to make work the Cisco IPS app under splunk.

I made it works the first time indexing correctly the IPS logs.
I did a lot of register script under the set up menu on the Cisco IPS.
I tried to delete the wrong one but i was unable to do it because i did get an error message everytime.
So i decided to uninstall the app by removing the Splunk_CiscoIPS folder under $SPLUNK/etc/apps/ and restart splunk to make a fresh install.
I'd also deleted the CiscoIPS folder I founded under $SPLUNK/etc/users/%user%/

I made a fresh install and now i'm unable to get the IPS events after doing the set up.

Here's the log i have in $SPLUNK/var/log/splunk/sdee_get.log
Wed Oct 10 15:00:22 2012 - INFO - No exsisting SubscriptionID for host: 1.2.3.4
Wed Oct 10 15:00:22 2012 - INFO - Attempting to connect to sensor: 1.2.3.4
Wed Oct 10 15:00:22 2012 - INFO - Successfully connected to: 1.2.3.4
Wed Oct 10 15:00:22 2012 - INFO - Checking for exsisting SubscriptionID on host: 1.2.3.4
Wed Oct 10 15:00:22 2012 - INFO - No exsisting SubscriptionID for host: 1.2.3.4
Wed Oct 10 15:00:22 2012 - INFO - Attempting to connect to sensor: 1.2.3.4
Wed Oct 10 15:00:22 2012 - INFO - Successfully connected to: 1.2.3.4
Wed Oct 10 15:00:23 2012 - ERROR - Connecting to sensor - 1.2.3.4: HTTPError: HTTP Error 401: Unauthorized
Wed Oct 10 15:00:24 2012 - ERROR - Connecting to sensor - 1.2.3.4: HTTPError: HTTP Error 400: Bad Request
Wed Oct 10 15:05:23 2012 - INFO - Checking for exsisting SubscriptionID on host: 1.2.3.4
Wed Oct 10 15:05:23 2012 - INFO - No exsisting SubscriptionID for host: 1.2.3.4
Wed Oct 10 15:05:23 2012 - INFO - Attempting to connect to sensor: 1.2.3.4
Wed Oct 10 15:05:23 2012 - INFO - Successfully connected to: 1.2.3.4
Wed Oct 10 15:05:24 2012 - ERROR - Connecting to sensor - 1.2.3.4: HTTPError: HTTP Error 401: Unauthorized
Wed Oct 10 15:05:25 2012 - INFO - Checking for exsisting SubscriptionID on host: 1.2.3.4
Wed Oct 10 15:05:25 2012 - INFO - No exsisting SubscriptionID for host: 1.2.3.4
Wed Oct 10 15:05:25 2012 - INFO - Attempting to connect to sensor: 1.2.3.4
Wed Oct 10 15:05:25 2012 - INFO - Successfully connected to: 1.2.3.4
Wed Oct 10 15:05:26 2012 - ERROR - Connecting to sensor - 1.2.3.4: HTTPError: HTTP Error 400: Bad Request

It seems to be my credentials which aren't correct but i'd already tried to make another account unsuccessfully.

Do you have any idea ?

Thanks.

Re: Cisco IPS app not working

rbw78 — Wed, 10 Oct 2012 15:16:49 GMT

Up, i really need some help on it 🙂

Re: Cisco IPS app not working

andrew_garvin — Mon, 28 Sep 2020 12:37:03 GMT

When you initially setup the app and added the IPS sensors, it created a subscription on the sensor and put the subscription information in the $SPLUNK_HOME\etc\apps\Splunk_CiscoIPS\var\run directory. There should be one file for each sensor named Sensor_IP.run. When you deleted the app and re-installed it and tried to re-add the sensors, it tried to re-setup a new subscription. But, the IPS sensor knew that there was already a subscription created and does not want to create another. There are three ways to fix this:

Go back to the original copy of the IPS app (hopefully you still have it in a recycle bin) and put the run files back into $SPLUNK_HOME\etc\apps\Splunk_CiscoIPS\var\run. You only need the run file(s), nothing else. Make sure you stop Splunk before overwriting them with the old files and then start it back up again.
Login into the IPS sensor via the command line and delete the subscriptions created earlier. First do a "show statistics sdee-server" to view the existing SDEE subscriptions. Find the old one from before and then navigate to https://Sensor_IP/cgi-bin/sdee-server/?action=close&subscriptionId=SUB_ID. For example: https://10.1.1.1/cgi-bin/sdee-server/?action=close&subscriptionId=sub-16-a64a8e10.
Wait for a few days. I believe the subscriptions will time out after 7 days. So if you wait they will expire and then it will start working again.

If that does not work, let me know and there are a few other things we can check on the IPS sensor.

Re: Cisco IPS app not working

evgenyp — Mon, 28 Sep 2020 15:14:38 GMT

Hello, could you help me with the same situation, one time after PSOD of my esxi where virtual splunk is working, i saw that ips logs stopped to go to the splunk. i updated cisco_ips to 2.0.0 and used the old script for ips in splunk (because with web splunk cisco_ips configuration i'm getting the following error:

Encountered the following error while trying to update: In handler 'localapps': Error while posting to url=/servicesNS/nobody/Splunk_CiscoIPS/admin/cisco_ips_setup/cisco_ips_setup_settings

then i just changed configured to 1)

in Cisco IPS sensor:

ips# sh statistics sdee-server
General
Open Subscriptions = 0
Blocked Subscriptions = 0
Maximum Available Subscriptions = 5
Maximum Events Per Retrieval = 500
Subscriptions

On the splunk:

Sun Nov 10 21:43:32 2013 - INFO - Checking for exsisting SubscriptionID on host: 192.168.1.2

host = seclog
source = /opt/splunk/var/log/splunk/sdee_get.log
sourcetype = sdee_connection

Sun Nov 10 21:43:32 2013 - INFO - No exsisting SubscriptionID for host: 192.168.1.2

host = seclog
source = /opt/splunk/var/log/splunk/sdee_get.log
sourcetype = sdee_connection

Sun Nov 10 21:43:32 2013 - INFO - Attempting to connect to sensor: 192.168.1.2

host = seclog
source = /opt/splunk/var/log/splunk/sdee_get.log
sourcetype = sdee_connection

Sun Nov 10 21:43:32 2013 - INFO - Successfully connected to: 192.168.1.2

host = seclog
source = /opt/splunk/var/log/splunk/sdee_get.log
sourcetype = sdee_connection

Sun Nov 10 21:43:32 2013 - ERROR - Connecting to sensor - 192.168.1.2: URLError:

Re: Cisco IPS app not working

evgenyp — Mon, 11 Nov 2013 09:28:26 GMT

Really need your help!

Re: Cisco IPS app not working

andrew_garvin — Mon, 18 Nov 2013 04:45:51 GMT

That message would seem to indicate that the Splunk server cannot connect to the IPS. I think you need to start with the basics. Can you ping the IPS from the Splunk server? Can you navigate to https://Sensor_IP/cgi-bin/sdee-server from the Splunk server?

Re: Cisco IPS app not working

evgenyp — Mon, 18 Nov 2013 11:58:04 GMT

Yes, i can do ping, get https from ips it seems that it is ok everything and that was working during year, but after that psod, everything stopped. think maybe i should to reboot the asa IPS module i already rebooted.