Help with hardening the Cisco IPS SDEE add-on

yumology
Path Finder

I have Splunk 4.2 and have installed Splunk for Cisco IPS version 1.0.1 and I'm running this on Ubuntu.

I have successfully set up an IPS SDEE connection and am receiving events into Splunk. However, I'm now looking to make things more pretty. For instance, the "source" of my data is coming from:

/opt/splunk/etc/apps/Splunk_CiscoIPS/var/log/ips_sdee.log.172.16.200.3

Well, I have about 20 IPS units and don't want to see 20 sources all listed. It would be nice if the source for all of these was just "SDEE". Maybe there's a way to inject the SDEE data straight into Splunk instead of dumping it into a text file and then having Splunk monitor the text file?

Secondly, some of my IPS units use the same password specific for Splunk to use. Instead of modifying all of the stanzas every time we make a password change, it would be nice to have a central place for the script to check the credentials. Furthermore, I don't like the storage of credentials in clear text. Is there a way to encrypt this data yet, either through an option or the use of a special add-on?

LukeMurphey
Champion

Unencrypted Passwords

Splunk 4.2 does include a feature that allows you to store passwords in an encrypted state. However, this functionality is not used by the Cisco IPS/SDEE app because this would break backwards compatibility with older versions of Splunk. The app will be changed in the near future to use encrypted passwords (once people have more time to upgrade).

Modifying the Passwords for Multiple Sensors

We have plans to update the Cisco IPS app, and this includes changes to the setup screen. I added your request as a comment to the feature request so that we will consider it.
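Luke's answer refers to the encrypted credential store that Splunk 4.2 added. As an added example (not the Cisco IPS app's own code), this Python 3 sketch of a scripted input reads the sensor login from that store through the storage/passwords REST endpoint instead of from a clear-text stanza; it assumes `passAuth = splunk-system-user` in inputs.conf so Splunk hands the script a session key on stdin, and the realm `cisco_ips`, the username `splunk-reader` and the sample response are constructed.

```python
import sys
import urllib.request
import xml.etree.ElementTree as ET

SPLUNK_MGMT = "https://localhost:8089"   # management port of the Splunk instance running the script
APP = "Splunk_CiscoIPS"                   # app namespace the credential was stored under
ATOM = "{http://www.w3.org/2005/Atom}"
S = "{http://dev.splunk.com/ns/rest}"

# Constructed sample of a storage/passwords Atom response, trimmed to the fields used here.
SAMPLE_RESPONSE = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <entry>
    <title>cisco_ips:splunk-reader:</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="clear_password">constructed-secret</s:key>
        <s:key name="realm">cisco_ips</s:key>
        <s:key name="username">splunk-reader</s:key>
      </s:dict>
    </content>
  </entry>
</feed>"""

def parse_credentials(atom_xml):
    """Map (realm, username) -> clear_password for each entry in a storage/passwords response."""
    creds = {}
    for entry in ET.fromstring(atom_xml).iter(ATOM + "entry"):
        fields = {k.get("name"): (k.text or "") for k in entry.iter(S + "key")}
        if "username" in fields:
            creds[(fields.get("realm", ""), fields["username"])] = fields.get("clear_password", "")
    return creds

def fetch_credentials(session_key):
    """Ask Splunk for the app's stored credentials, authenticated with the session key it passed in."""
    url = f"{SPLUNK_MGMT}/servicesNS/nobody/{APP}/storage/passwords?count=0"
    req = urllib.request.Request(url, headers={"Authorization": f"Splunk {session_key}"})
    with urllib.request.urlopen(req) as resp:  # verifies the cert; Splunk's self-signed cert needs a trusted CA
        return parse_credentials(resp.read())

def sensor_password(creds, realm, username):
    """Pick one sensor's password out of the parsed store, or None if it is not present."""
    return creds.get((realm, username))

if __name__ == "__main__":
    # With passAuth set in inputs.conf, Splunk writes the session key to the script's stdin.
    session_key = sys.stdin.readline().strip()
    store = fetch_credentials(session_key) if session_key else parse_credentials(SAMPLE_RESPONSE)
    print("stored sensor logins:", [user for _, user in store])
```

The password never lands in a .conf file or the script's source; it is fetched at run time from the store, which Splunk keeps encrypted on disk and only exposes to an authenticated caller with access to the app namespace.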

LukeMurphey
Champion

I also added a note about changing the source too. Specifically, to look into having the script send the events directly to Splunk, skipping the intermediate file.

yumology
Path Finder

Thanks Luke. I'm glad there will be an update to the Cisco IPS app. I would in fact like to see from the UI all the IPS units I have configured instead of editing files on the OS to configure this.
What about sending the SDEE events straight into Splunk instead of making a text file and then having Splunk monitor that file for events?
