topic Re: Problem mionitor cisco IPS in Monitoring Splunk

Problem mionitor cisco IPS

mbattaglia — Mon, 28 Sep 2020 09:46:05 GMT

I have a problem to monitor the module Cisco IPS ASA5585-SSP-IPS10

From the IPS I see this error ; the state remain in state Read Pending;

sub-8-9480fcb4
State = Read Pending
Last Read Time = 13:22:42 UTC Mon Aug 01 2011
Last Read Time (nanoseconds) = 1312204962229391000

From the splunk server I see this error:

tail -f /opt/splunk/var/log/splunk/sdee_get.log

Fri Jul 29 14:26:45 2011 - ERROR - Exception thrown while parsing SDEE payload: Traceback (most recent call last):
File "/opt/splunk/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py", line 74, in run
alert_obj_list = idsmxml.parse_alerts( result_xml )
File "/opt/splunk/etc/apps/Splunk_CiscoIPS/bin/pysdee/idsmxml.py",
line 243, in parse_alerts alert_obj.signature = build_sig(sig[0])
File "/opt/splunk/etc/apps/Splunk_CiscoIPS/bin/pysdee/idsmxml.py", line 190, in build_sig
signature.marscategory = node.getElementsByTagName('marsCategory')[0].firstChild.wholeText
IndexError: list index out of range

There's a solution to resolve this problem?

Re: Problem mionitor cisco IPS

troywollenslege — Fri, 03 Feb 2012 18:55:23 GMT

we are getting the same error, did you find a solution?

Re: Problem mionitor cisco IPS

Will_Hayes — Wed, 08 Feb 2012 20:14:01 GMT

We were recently made aware of this issue caused by an un-annouced change in the SDEE payload with the latest software update. We will be pushing a fix to Splunkbase soon but in the mean time please feel free to contact me directly and I will send you an update. You can reach me at: will (at) splunk.com
Thanks!

Re: Problem mionitor cisco IPS

mwong — Tue, 08 May 2012 08:35:23 GMT

Please update the Cisco IPS apps to latest version, it should fix the error.