Splunk_CiscoIPS app does not work (or partial working)

blebit — Mon, 28 Sep 2020 16:42:53 GMT

Hi splunkers,
i have a problem with CiscoIPS application. i cant collect logs. the connection is but the logs not.

Splunk version Splunk 6.0.3 (build 204106)

Search:
index="_internal" sourcetype="sdee_connection"

Message:

5/23/14
10:17:03.000 AM 
Fri May 23 10:17:03 2014 - ERROR - Exception thrown in sdee.get(): URLError: <urlopen error [Errno 8] _ssl.c:521: EOF occurred in violation of protocol>
host=splunk Options|  sourcetype=sdee_connection Options|  source=/opt/splunk/var/log/splunk/sdee_get.log Options
7   »  5/23/14
10:16:59.000 AM 
Fri May 23 10:16:59 2014 - INFO - Successfully connected to: 192.168.x.x
host=splunk Options|  sourcetype=sdee_connection Options|  source=/opt/splunk/var/log/splunk/sdee_get.log Options
8   »  5/23/14
10:16:59.000 AM 
Fri May 23 10:16:59 2014 - INFO - Attempting to connect to sensor: 192.168.x.x
host=splunk Options|  sourcetype=sdee_connection Options|  source=/opt/splunk/var/log/splunk/sdee_get.log Options
9   »  5/23/14
10:16:59.000 AM 
Fri May 23 10:16:59 2014 - INFO - SubscriptionID: sub-1-393c8920 found for host: 192.168.x.x
host=splunk Options|  sourcetype=sdee_connection Options|  source=/opt/splunk/var/log/splunk/sdee_get.log Options
10  »  5/23/14
10:16:59.000 AM 
Fri May 23 10:16:59 2014 - INFO - Checking for exsisting SubscriptionID on host: 192.168.x.x
host=splunk Options|  sourcetype=sdee_connection Options|  source=/opt/splunk/var/log/splunk/sdee_get.log Options
11  »  5/23/14
10:16:59.000 AM 
Fri May 23 10:16:59 2014 - ERROR - Attempting to re-connect to the sensor: 192.168.x.x
host=splunk Options|  sourcetype=sdee_connection Options|  source=/opt/splunk/var/log/splunk/sdee_get.log Options
12  »  5/23/14
10:16:59.000 AM 
Fri May 23 10:16:59 2014 - ERROR - Exception thrown in sdee.get(): URLError: <urlopen error [Errno 8] _ssl.c:521: EOF occurred in violation of protocol>
host=splunk Options|  sourcetype=sdee_connection Options|  source=/opt/splunk/var/log/splunk/sdee_get.log Options

any idea ????
Thanks

Re: Splunk_CiscoIPS app does not work (or partial working)

Ayn — Fri, 23 May 2014 13:42:37 GMT

The problem lies in how Cisco IPS units establish SSL connections. Basically they do so incorrectly. Older versions of OpenSSL were able to cope with this, however newer versions don't. As Splunk 6.x uses newer OpenSSL versions the effect is that the Cisco IPS app doesn't work in 6.x but works in 5.x (which uses an older OpenSSL version).

I haven't heard of any other viable workarounds than to simply run the app on a 5.x instance.

Re: Splunk_CiscoIPS app does not work (or partial working)

jconger — Tue, 27 May 2014 15:58:11 GMT

You have 2 options.

Option 1 - use a Splunk 5.x Heavy Forwarder to connect to your IPS and forward the logs to your Splunk 6 instance.

Option 2 - there is a potential workaround to get IPS working on Splunk 6 here -> http://answers.splunk.com/answers/105193/cisco-ips-error-errno-8?page=1&focusedAnswerId=135759#135759

topic Splunk_CiscoIPS app does not work (or partial working) in Getting Data In

Splunk_CiscoIPS app does not work (or partial working)

Re: Splunk_CiscoIPS app does not work (or partial working)

Re: Splunk_CiscoIPS app does not work (or partial working)