
Cisco Security Suite and Splunk Add-on for Cisco ASA: Why am I not seeing any IPS events?

Path Finder

Hello,

I set up Cisco Security Suite and the Splunk Add-on for Cisco ASA. I set the connection parameters. In the IPS logs I see messages such as:

  description: User logged into HTTP server
  userName: cisco
  userAddress: 172.16.19.30

But the dashboards are empty, though alerts are present in the IPS.

0 Karma

Re: Cisco Security Suite and Splunk Add-on for Cisco ASA: Why am I not seeing any IPS events?

Path Finder

I found the file with the IPS logs in /opt/splunk/etc/apps/Splunk_TA_cisco-ips/var/log. But they aren't present in Splunk.

0 Karma

Re: Cisco Security Suite and Splunk Add-on for Cisco ASA: Why am I not seeing any IPS events?

Contributor

Try adding the following to your inputs.conf in the "local" directory of Splunk_TA_cisco-ips.

For Linux Indexer add:

When adding a sensor, please run setup or enable the monitor below in this app's local directory for Linux hosts:

[monitor://$SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/var/log/ips_sdee.log*]
sourcetype = cisco:ips:syslog
disabled = 0

For Windows Indexer Add:

When adding a sensor, please run setup or enable the monitor below in this app's local directory for Windows hosts:

[monitor://$SPLUNK_HOME\etc\apps\Splunk_TA_cisco-ips\var\log\ips_sdee.log*]
sourcetype = cisco:ips:syslog
disabled = 0

0 Karma

Re: Cisco Security Suite and Splunk Add-on for Cisco ASA: Why am I not seeing any IPS events?

Splunk Employee

It looks like you see the data in $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/var/log, so the polling appears to be working correctly, which is good. You're almost there.

You'll also need to enable monitoring. You can copy and paste this into $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/local/inputs.conf:

[monitor://$SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/var/log/ips_sdee.log*]
disabled = 0

...and then restart.

Alternatively, you can avoid a restart by enabling the monitor in the UI: navigate to Settings -> Data Inputs -> Files & directories and click Enable for $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/var/log/ips_sdee.log*.

0 Karma

Re: Cisco Security Suite and Splunk Add-on for Cisco ASA: Why am I not seeing any IPS events?

Path Finder

I found the error: after installation of the add-on, the input was switched off.

0 Karma

Re: Cisco Security Suite and Splunk Add-on for Cisco ASA: Why am I not seeing any IPS events?

Splunk Employee

Hi Vinchakov_a,

Thanks for the comment. In this case, the input is shipped in the off state by design. It is not desirable to have inputs enabled for a few reasons. One reason is distributed environments. In a distributed environment, the TA should be installed on search heads because it contains search knowledge, and also on heavy forwarders and indexers for its parsing and indexing configurations.

The input should only be enabled on the instance that is doing the polling/collection. So it is shipped in the disabled state intentionally.

The installation instructions, including enabling the input: http://docs.splunk.com/Documentation/AddOns/released/CiscoIPS/Configureinputs#Use_Splunk_Web

0 Karma
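The two answers above turn on one mechanism: the add-on ships `disabled = 1` for the monitor stanza in its default/inputs.conf, and a local/inputs.conf stanza with the same name overrides that single key on the instance that does the collection. The following is an added example, not code from the thread or from the Splunk add-on itself: a small Python model of that default-under-local layering that reports, per monitor stanza, whether it is enabled and which file decided it. The .conf contents are constructed samples; the stanza name, path and `cisco:ips:syslog` sourcetype are copied from the replies above, not verified against the add-on. Real Splunk precedence also involves system/local and app ordering, which this simplified model does not cover.

```python
"""Model of Splunk's default/inputs.conf -> local/inputs.conf layering
inside one app, to show why `disabled = 0` in local re-enables a monitor
the add-on ships disabled. Added example; assumptions noted inline."""
import configparser
from typing import Dict, Tuple

# Constructed sample of what the add-on's default/inputs.conf might hold
# (input shipped in the off state, as the thread describes).
DEFAULT_INPUTS_CONF = """\
[monitor://$SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/var/log/ips_sdee.log*]
sourcetype = cisco:ips:syslog
disabled = 1
"""

# Constructed sample of what the admin adds to local/inputs.conf on the
# collecting instance only (the other keys stay inherited from default).
LOCAL_INPUTS_CONF = """\
[monitor://$SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/var/log/ips_sdee.log*]
disabled = 0
"""

MONITOR_STANZA = ("monitor://$SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips"
                  "/var/log/ips_sdee.log*")

# stanza -> key -> (value, name of the layer that set it)
Layered = Dict[str, Dict[str, Tuple[str, str]]]


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk-style .conf text. Stanza names contain ':' and '/' and
    values contain ':', so interpolation is off and '=' is the only delimiter."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   strict=False)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def merge_layers(*layers: Tuple[str, str]) -> Layered:
    """Merge (layer_name, conf_text) pairs in order; a later layer wins
    per key, but keys it does not mention are kept from earlier layers."""
    merged: Layered = {}
    for layer_name, text in layers:
        for stanza, keys in parse_conf(text).items():
            target = merged.setdefault(stanza, {})
            for key, value in keys.items():
                target[key] = (value, layer_name)
    return merged


def is_disabled(value: str) -> bool:
    """Splunk accepts several spellings of a boolean; treat the usual
    true-ish forms as disabled and everything else as enabled."""
    return value.strip().lower() in ("1", "true", "t", "yes", "y")


def effective_monitors(merged: Layered, splunk_home: str) -> Dict[str, dict]:
    """Resolve each monitor:// stanza to its enabled state, the layer that
    decided it, its sourcetype and the path with $SPLUNK_HOME expanded."""
    result = {}
    for stanza, keys in merged.items():
        if not stanza.startswith("monitor://"):
            continue
        disabled_value, layer = keys.get("disabled", ("0", "<builtin>"))
        result[stanza] = {
            "enabled": not is_disabled(disabled_value),
            "enabled_set_by": layer,
            "sourcetype": keys.get("sourcetype", ("", "<none>"))[0],
            "path": stanza[len("monitor://"):].replace("$SPLUNK_HOME",
                                                        splunk_home),
        }
    return result


def resolve(default_text: str = DEFAULT_INPUTS_CONF,
            local_text: str = LOCAL_INPUTS_CONF,
            splunk_home: str = "/opt/splunk") -> Dict[str, dict]:
    """Layer default under local and return the effective monitor inputs."""
    merged = merge_layers(("default/inputs.conf", default_text),
                          ("local/inputs.conf", local_text))
    return effective_monitors(merged, splunk_home)


if __name__ == "__main__":
    # Before the fix: only the shipped default layer exists, input is off.
    print("before:", resolve(local_text=""))
    # After the fix: local overrides only `disabled`; sourcetype still
    # comes from default, which is why the local stanza can stay minimal.
    print("after: ", resolve())
```

On a live instance the equivalent check is `$SPLUNK_HOME/bin/splunk btool inputs list --debug`, which prints the merged configuration with the file each setting came from; if the `disabled = 1` line for this stanza is still attributed to default/inputs.conf, the local override is missing or was placed on a different instance than the one doing the SDEE polling.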