I am using the Splunk managed cloud service (SH and indexers are in the cloud).
I have 2 heavy forwarders in my environment (on premises).
I am trying to install and configure Cisco IPS logs in Splunk and have a few questions:
Step 1) IPS and Splunk are pingable with no firewall between them. Do I also need to check for any specific ports to be opened?
Step 2) I have installed the Cisco IPS add-on on my heavy forwarder. Do I also need to install the add-on on the indexers and SH as well?
Step 3) Do we also have any app for supporting this add-on? (Although I have Enterprise Security installed already.)
Step 4) If I have more than 1 IPS device, how am I going to configure them?
You need to install this add-on on the indexers and search head as well. Refer to this doc for the same.
No, I cannot see any app for supporting the add-on.
To configure this add-on, you should follow this doc.
I think referring to the doc below will solve all your problems. Read it carefully and follow the steps.
Let me know if this helps!