
Cisco IPS logs in Splunk issue

raomu
Explorer

Hello,

I have installed Cisco TA 2.1.6 on a HFW and am trying to get logs from Cisco IPS devices.

I have configured the settings under inputs.conf:

[script://$SPLUNK_HOME/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py]
sourcetype = cisco_ips_syslog
source = SDEE
disabled = false
interval = 1

I don't see any logs under sensor_ip.run.

I executed this as per the troubleshooting docs:

index="_internal" sourcetype="sdee_connection" ERROR | rex "Connecting to sensor - (?<sensor>[^:]+)" | rex "\[Errno\s+(?<EN>[^\]]+)" | stats count values(EN) as error_number by sensor

error_number= 110

When I run:

index="_internal" sourcetype="sdee_connection"

Mar 5 21:37:35 2018 - ERROR - Connecting to sensor - X.XX.XXX.X: Traceback (most recent call last):
  File "/data/splunk/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py", line 103, in run
    sdee.open()
  File "/data/splunk/etc/apps/Splunk_TA_cisco-ips/bin/pysdee/pySDEE.py", line 191, in open
    self._request(params)
  File "/data/splunk/etc/apps/Splunk_TA_cisco-ips/bin/pysdee/pySDEE.py", line 167, in _request
    data = urllib2.urlopen(req)
  File "/data/splunk/lib/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/data/splunk/lib/python2.7/urllib2.py", line 429, in open
    response = self._open(req, data)
  File "/data/splunk/lib/python2.7/urllib2.py", line 447, in _open
    '_open', req)
  File "/data/splunk/lib/python2.7/urllib2.py", line 407, in _call_chain
    result = func(*args)
  File "/data/splunk/lib/python2.7/urllib2.py", line 1241, in https_open
    context=self._context)
  File "/data/splunk/lib/python2.7/urllib2.py", line 1198, in do_open
    raise URLError(err)
URLError:

Also tried: wget https://X.X.X.X/cgi-bin/sdee-server/

--2018-03-05 21:06:17-- https://X.X.X.X/cgi-bin/sdee-server/
Connecting to X.X.X.X:443... failed: Connection timed out.
Retrying.

Please suggest.

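As an added example (not from the original post or the Cisco IPS add-on), the two extractions and the stats aggregation that the troubleshooting search above performs, reproduced in Python so the expected output can be checked offline against sample sdee_connection lines; the sample lines and sensor addresses are constructed, and the errno table holds the Linux values that apply to the poster's host.

```python
import re
from collections import defaultdict

# Same two extractions as the Splunk search: sensor address, then the errno in "[Errno N]".
SENSOR_RE = re.compile(r"Connecting to sensor - (?P<sensor>[^:]+)")
ERRNO_RE = re.compile(r"\[Errno\s+(?P<EN>[^\]]+)\]")

# Constructed sample lines modelled on the sdee_connection ERROR format quoted in the
# thread; the sensor addresses are placeholders, not real hosts.
SAMPLE_LOG = """\
Mar 5 21:37:35 2018 - ERROR - Connecting to sensor - 10.0.0.11: URLError: <urlopen error [Errno 110] Connection timed out>
Mar 5 21:38:36 2018 - ERROR - Connecting to sensor - 10.0.0.11: URLError: <urlopen error [Errno 110] Connection timed out>
Mar 5 21:39:37 2018 - ERROR - Connecting to sensor - 10.0.0.12: URLError: <urlopen error [Errno 111] Connection refused>
Mar 5 21:40:38 2018 - INFO - Connected to sensor - 10.0.0.13
"""

# Linux errno values seen in SDEE connection failures and what each one tells the operator.
LINUX_ERRNO = {
    "110": ("ETIMEDOUT", "Connection timed out: no reply from the sensor, usually a firewall or routing issue"),
    "111": ("ECONNREFUSED", "Connection refused: host reachable but nothing listening on the SDEE port"),
    "113": ("EHOSTUNREACH", "No route to host: address or gateway problem"),
}


def summarize_sdee_errors(log_text):
    """Python equivalent of `... ERROR | rex ... | rex ... | stats count values(EN) as error_number by sensor`.

    Returns {sensor: {"count": n, "error_number": sorted unique errno strings}}.
    """
    per_sensor = defaultdict(lambda: {"count": 0, "error_number": set()})
    for line in log_text.splitlines():
        if " ERROR " not in line:
            continue  # the search keeps only ERROR events
        m = SENSOR_RE.search(line)
        if not m:
            continue  # no sensor field extracted; stats would drop it
        entry = per_sensor[m.group("sensor")]
        entry["count"] += 1
        e = ERRNO_RE.search(line)
        if e:
            entry["error_number"].add(e.group("EN"))
    return {s: {"count": v["count"], "error_number": sorted(v["error_number"])}
            for s, v in per_sensor.items()}


def describe_errno(number):
    """Map an extracted errno string to (symbolic name, meaning) using the Linux table."""
    return LINUX_ERRNO.get(str(number), ("UNKNOWN", "errno %s not in table" % number))
```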

deepashri_123
Motivator

Hey @raomu,

Your inputs mention the sourcetype as cisco_ips_syslog, and you are checking sourcetype=sdee_connection.

Can you check sourcetype=cisco_ips_syslog?
Let me know if this helps!


hortonew
Builder

Take a look through here. I had a similar issue years ago; maybe it still applies? http://blog.hortonew.com/splunk-ciscoips-app-no-longer-pulls-from-ips


p_gurav
Champion

You have to permit the Splunk box to connect on the IPS device. You can do this by re-running the setup from the command line or by clicking Sensor Setup > Allowed Hosts/Networks > Add in IME or IDM.

Also go through this link:
https://answers.splunk.com/answers/376881/splunk-add-on-for-cisco-ips-215-has-error-connetin.html


raomu
Explorer

Thanks Gaurav, but permission is already granted for the Splunk box.


p_gurav
Champion

Please go through that link.


raomu
Explorer

Gaurav, I am using the latest version of the TA, so this link is not of much help.
