
Cisco IPS logs in Splunk issue

raomu
Explorer

Hello,

I have installed Cisco TA 2.1.6 on HFW and trying to get logs from CISCO IPS devices.

I have configured the settings under inputs.conf :

[script://$SPLUNK_HOME/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py ]
sourcetype = cisco_ips_syslog
source = SDEE
disabled = false
interval = 1

I don't see any logs under - sensor_ip.run

I execute this as per troubleshooting docs-

index="_internal" sourcetype="sdee_connection" ERROR | rex "Connecting to sensor - (?<sensor>[^:]+)" | rex "\[Errno\s+(?<EN>[^\]]+)\]" | stats count values(EN) as error_number by sensor

error_number= 110

when I run -

index="_internal" sourcetype="sdee_connection"

on Mar 5 21:37:35 2018 - ERROR - Connecting to sensor - X.XX.XXX.X:
Traceback (most recent call last):
  File "/data/splunk/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py", line 103, in run
    sdee.open()
  File "/data/splunk/etc/apps/Splunk_TA_cisco-ips/bin/pysdee/pySDEE.py", line 191, in open
    self._request(params)
  File "/data/splunk/etc/apps/Splunk_TA_cisco-ips/bin/pysdee/pySDEE.py", line 167, in _request
    data = urllib2.urlopen(req)
  File "/data/splunk/lib/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/data/splunk/lib/python2.7/urllib2.py", line 429, in open
    response = self._open(req, data)
  File "/data/splunk/lib/python2.7/urllib2.py", line 447, in _open
    '_open', req)
  File "/data/splunk/lib/python2.7/urllib2.py", line 407, in _call_chain
    result = func(*args)
  File "/data/splunk/lib/python2.7/urllib2.py", line 1241, in https_open
    context=self._context)
  File "/data/splunk/lib/python2.7/urllib2.py", line 1198, in do_open
    raise URLError(err)
URLError:

Also tried - wget https://X.X.X.X/cgi-bin/sdee-server/

--2018-03-05 21:06:17-- https://X.X.X.X/cgi-bin/sdee-server/
Connecting to X.X.X.X:443... failed: Connection timed out.
Retrying.

Please suggest

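The troubleshooting search in the post above pulls the sensor address and the errno out of each sdee_connection ERROR event and groups them by sensor. The following is an added example, not code from the original post or from the Cisco IPS add-on, that does the same extraction offline in Python over a few constructed log lines in the shape of the event quoted above, and maps the errno to what it means for a TCP connect to the sensor's SDEE port (443). The sample lines, sensor addresses (RFC 5737 documentation range) and the hint table are my own; the errno meanings are the standard Linux ones, which is what the heavy forwarder in the post is running.

```python
import errno
import re
from collections import defaultdict

# Constructed sample events in the shape of the sdee_connection lines quoted
# in the post. Sensor addresses are made up (192.0.2.0/24 documentation range).
SAMPLE_LOG = """\
Mar 5 21:37:35 2018 - ERROR - Connecting to sensor - 192.0.2.10: Traceback (most recent call last): ... URLError: <urlopen error [Errno 110] Connection timed out>
Mar 5 21:38:35 2018 - ERROR - Connecting to sensor - 192.0.2.10: Traceback (most recent call last): ... URLError: <urlopen error [Errno 110] Connection timed out>
Mar 5 21:38:40 2018 - ERROR - Connecting to sensor - 192.0.2.11: Traceback (most recent call last): ... URLError: <urlopen error [Errno 111] Connection refused>
Mar 5 21:39:02 2018 - INFO - Connected to sensor - 192.0.2.12
"""

# The same two captures the troubleshooting search makes with rex: the sensor
# address after "Connecting to sensor - " and the number inside "[Errno N]".
SENSOR_RE = re.compile(r"Connecting to sensor - (?P<sensor>[^:]+)")
ERRNO_RE = re.compile(r"\[Errno\s+(?P<EN>[^\]]+)\]")

# What each errno means for a TCP connect to the sensor on 443. The hints are
# my interpretation of the standard Linux errno values (an assumption: the
# forwarder is Linux, as the /data/splunk paths in the traceback suggest).
HINTS = {
    errno.ETIMEDOUT: "no TCP path: check firewall/ACLs between the forwarder "
                     "and the sensor, and the sensor's allowed hosts/networks",
    errno.ECONNREFUSED: "host reachable but nothing listening on the port: "
                        "check the sensor's web server / SDEE service",
    errno.EHOSTUNREACH: "no route to the sensor: check routing on the forwarder",
}


def parse_errors(log_text):
    """Return {sensor: sorted list of errno ints} for ERROR events only,
    the equivalent of 'stats values(EN) by sensor' in the search."""
    result = defaultdict(set)
    for line in log_text.splitlines():
        if " - ERROR - " not in line:
            continue
        m_sensor = SENSOR_RE.search(line)
        m_err = ERRNO_RE.search(line)
        if not (m_sensor and m_err):
            continue  # ERROR event without a socket errno, e.g. an HTTP error
        result[m_sensor.group("sensor").strip()].add(int(m_err.group("EN")))
    return {sensor: sorted(codes) for sensor, codes in result.items()}


def explain(code):
    """Turn a numeric errno into its symbolic name plus a connectivity hint."""
    name = errno.errorcode.get(code, "UNKNOWN")
    hint = HINTS.get(code, "see os.strerror(%d)" % code)
    return "[Errno %d] %s: %s" % (code, name, hint)


if __name__ == "__main__":
    for sensor, codes in sorted(parse_errors(SAMPLE_LOG).items()):
        for code in codes:
            print(sensor, explain(code))
```

Run it as a script to see one line per sensor and errno; errno 110 on Linux is ETIMEDOUT, the same failure the `wget` attempt in the post shows at the TCP layer, so the add-on's own credentials and parsing never come into play until that connect succeeds.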

deepashri_123
Motivator

Hey @raomu,

Your inputs mention the sourcetype as cisco_ips_syslog,
and you are checking sourcetype=sdee_connection.

Can you check sourcetype=cisco_ips_syslog?
Let me know if this helps!


hortonew
Builder

Take a look through here. I had a similar issue years ago - maybe it still applies? http://blog.hortonew.com/splunk-ciscoips-app-no-longer-pulls-from-ips


p_gurav
Champion

You have to permit the Splunk box to connect on the IPS device. You can do this by re-running the setup from the command line or by clicking Sensor Setup > Allowed Hosts/Networks > Add in IME or IDM.

Also go through this link:
https://answers.splunk.com/answers/376881/splunk-add-on-for-cisco-ips-215-has-error-connetin.html


raomu
Explorer

Thanks Gaurav, but permission is already granted for the Splunk box.


p_gurav
Champion

Please go through that link.


raomu
Explorer

Gaurav, I am using the latest version of TA so this link is not of much help.
