Are you a member of the Splunk Community?
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- Cisco Security Suite and Splunk Add-on for Cisco A...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cisco Security Suite and Splunk Add-on for Cisco ASA: Why am I not seeing any IPS events?
Hello,
I set Cisco Security Suite and Splunk Add-on for Cisco ASA. I set connection parameters. In IPS logs I see messages
description: User logged into HTTP server
userName: cisco
userAddress: 172.16.19.30
But in the dashboards it is empty!!! though alerts in IPS are.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It looks like you see the data in $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/var/log, so the polling appears to be working correctly, which is good. You're almost there.
You'll also need to enable monitoring: You can copy pasta this into $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/local/inputs.conf
[monitor://$SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/var/log/ips_sdee.log*]
disabled = 0
...and then restart.
Alternatively, you can avoid a restart by enabling the monitor via the UI by clicking Enable for $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/var/log/ips_sdee.log* after navigating to Settings -> Data Inputs -> Files & directories.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found an error, after installation of addon input was switched off
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Vinchakov_a,
Thanks for the comment. In this case, the input is shipped in the off-state by design. It is not desireable to have inputs enabled for a few reasons. One reason is distributed environments. In a distributed environment, the TA should be installed on search heads because it contains search knowledge and also on heavy forwarders & indexers for its parsing and indexing configurations.
The input should only be enabled on the instance that is doing the polling/collection. So it is shipped in the disabled state intentionally.
The installation instructions including enabling the input: http://docs.splunk.com/Documentation/AddOns/released/CiscoIPS/Configureinputs#Use_Splunk_Web
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found in / opt/splunk/etc/apps/Splunk_TA_cisco-ips/var/log the file with IPS logs. But they aren't present in Splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try adding the following to you inputs.conf in the "local" directory for the Splunk_TA_cisco-ips.
For Linux Indexer add:
When adding a sensor please run setup or enable below monitor in this app's local directory for Linux hosts
[monitor://$SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/var/log/ips_sdee.log*]
sourcetype = cisco:ips:syslog
disabled = 0
For Windows Indexer Add:
When adding a sensor please run setup or enable below monitor in this app's local directory for Windows hosts
[monitor://$SPLUNK_HOME\etc\apps\Splunk_TA_cisco-ips\var\log\ips_sdee.log*]
sourcetype = cisco:ips:syslog
disabled = 0
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Unlock What’s Next: The Splunk Cloud Platform at .conf25
