I have Splunk 4.2 and have installed Splunk for Cisco IPS version 1.0.1 and I'm running this on Ubuntu.
I have successfully set up an IPS SDEE connection and am receiving events into Splunk. However, I'm now looking to make things prettier. For instance, the "source" of my data is coming from:
/opt/splunk/etc/apps/Splunk_CiscoIPS/var/log/ips_sdee.log.172.16.200.3
Well, I have about 20 IPS units and don't want to see 20 sources all listed. It would be nice if the source for all of these was just "SDEE". Maybe there's a way to inject the SDEE data straight into Splunk instead of dumping it into a text file and then having Splunk monitor the text file?
Secondly, some of my IPS units use the same password, specific for Splunk to use. Instead of modifying all of the stanzas every time we make a password change, it would be nice to have a central place for the script to check the credentials. Furthermore, I don't like the storage of credentials in clear text. Is there a way to encrypt this data yet, either through an option or the use of a special add-on?
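One way to collapse the per-sensor sources without waiting for an app update is to override the monitor input from the app's local configuration. The stanza below is an added example, not from the original thread or the Splunk_CiscoIPS app; it assumes the app's shipped inputs.conf uses a stanza with this same wildcard path (the header must match the app's own stanza so this overrides it rather than creating a second input for the same files), that it is placed in `/opt/splunk/etc/apps/Splunk_CiscoIPS/local/inputs.conf`, and that the sourcetype is left untouched so the app's field extractions keep working.

```ini
# Added example (not part of the original thread or the Splunk_CiscoIPS app).
# Assumed file: /opt/splunk/etc/apps/Splunk_CiscoIPS/local/inputs.conf
# Assumption: the stanza path matches the app's default/inputs.conf stanza,
# so these settings override it instead of adding a second monitor input.
[monitor:///opt/splunk/etc/apps/Splunk_CiscoIPS/var/log/ips_sdee.log.*]
disabled = false
# Collapse the 20 per-sensor file names into one source value.
source = SDEE
# Keep the sensor identity: extract the IP from the file name into the host
# field, so "source=SDEE host=172.16.200.3" still identifies the unit.
host_regex = ips_sdee\.log\.(\d+\.\d+\.\d+\.\d+)$
```

Two caveats: the `source` override only applies to events indexed after the input is reloaded, so data already on disk keeps its per-file source, and collapsing the source removes the only field that identified the sensor unless something like the `host_regex` above captures it. Separately, while the sensor passwords remain in clear text in the app's configuration, at least restrict that file to the user Splunk runs as (for example `chmod 600` on it) so other local accounts cannot read the credentials.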
Unencrypted Passwords
Splunk 4.2 does include a feature that allows you to store passwords in an encrypted state. However, this functionality is not used by the Cisco IPS/SDEE app because this would break backwards compatibility with older versions of Splunk. The app will be changed in the near future to use encrypted passwords (once people have more time to upgrade).
Modifying the Passwords for Multiple Sensors
We have plans to update the Cisco IPS app, and this includes changes to the setup screen. I added your request as a comment on the feature request so that we will consider it.
I also added a note about changing the source: specifically, to look into having the script send the events directly to Splunk, skipping the intermediate file.
Thanks, Luke. I'm glad there will be an update to the Cisco IPS app. I would in fact like to see, from the UI, all the IPS units I have configured instead of editing files on the OS to configure this.
What about sending the SDEE events straight into Splunk instead of making a text file and then having Splunk monitor that file for events?