I'm using the Splunk Add-On for Cisco IPS to pull data from a number of IPS machines, but it seems like none of them are able to hold a connection, and I'm not getting any logs from them. Looking at Splunk's internal logs, it shows that Splunk connects successfully, but then immediately following every connection is an HTTP Error 401: Unauthorized...
Wed Sep 16 15:53:56 2015 - INFO - Attempting to connect to sensor: xx.xx.xx.14
Wed Sep 16 15:53:56 2015 - INFO - Successfully connected to: xx.xx.xx.14
Wed Sep 16 15:54:01 2015 - ERROR - Connecting to sensor - xx.xx.xx.14: Traceback (most recent call last):
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_cisco-ips\bin\get_ips_feed.py", line 99, in run
    sdee.open()
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_cisco-ips\bin\pysdee\pySDEE.py", line 187, in open
    self._request(params)
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_cisco-ips\bin\pysdee\pySDEE.py", line 163, in _request
    data = urllib2.urlopen(req)
  File "C:\Program Files\Splunk\Python-2.7\Lib\urllib2.py", line 127, in urlopen
    return _opener.open(url, data, timeout)
  File "C:\Program Files\Splunk\Python-2.7\Lib\urllib2.py", line 410, in open
    response = meth(req, response)
  File "C:\Program Files\Splunk\Python-2.7\Lib\urllib2.py", line 523, in http_response
    'http', request, response, code, msg, hdrs)
  File "C:\Program Files\Splunk\Python-2.7\Lib\urllib2.py", line 448, in error
    return self._call_chain(*args)
  File "C:\Program Files\Splunk\Python-2.7\Lib\urllib2.py", line 382, in _call_chain
    result = func(*args)
  File "C:\Program Files\Splunk\Python-2.7\Lib\urllib2.py", line 531, in http_error_default
    raise HTTPError(req.get_full_url(), code, msg, hdrs, fp)
HTTPError: HTTP Error 401: Unauthorized
Does anyone know what might be causing this problem?
I ended up hard-coding the credentials into the Python because Splunk was munging them.
I am receiving this error as well. Was a conclusion ever reached?
I agree that it's connecting to the sensor... that looks to me like it's then timing out on the next step. I'd increase Splunk's timeout period in web.conf.
I'm assuming the timeout was not the answer. OP, did you get this to work?