All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk for Cisco IPS: How to troubleshoot why Splunk is not Indexing SDEE log data?

jeremyarcher
Path Finder
‎12-30-2014 09:45 AM

We are using the Cisco IPS app. The connection from the Splunk server to the IPS appears to be working normally. I can see events properly downloaded to the ips_sdee.log.x.x.x.x file every 15 minutes per our configuration.

However, the events are not being indexed by the Splunk server.

Reply

JSkier
Communicator
‎01-22-2015 07:12 AM

Working with support, you need to edit the inputs.conf file in the local directory and monitor the file, as you did. Apparently this behavior is not default like it was in previous versions. I also set this up, and have data flowing. The result was malformed results getting indexed due to improper parsing. Support is still looking into this. I'm going to try to index the sample files next in a test index to see if the same thing happens.

Something like this in addition to the scripted inputs you have :

    [monitor://$SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/var/log/ips_sdee.log.*]
    index = ips_devices
    sourcetype = cisco:ips:syslog
    disabled = 0

In addition, you will need to create a local props.conf, like below, to get it to properly linebreak:

    [cisco:ips:syslog]
    LINE_BREAKER=([\r\n]+)[\d-:\s]{10,30}\seventid="?\d+"?
Reply

JSkier
Communicator
‎01-27-2015 05:22 AM

I tried indexing the sample files, these work. Still waiting for support to get back about improperly parsed data. My guess is it doesn't like the encoded packet information I have in the feeds, which is odd, the older versions didn't have an issue with this.

0 Karma
Reply

jeremyarcher
Path Finder
‎03-05-2015 09:12 PM

Thanks for the help. I finally got around to trying this tonight and this worked for me too. But like you I'm getting some junk data. Did you get that resolved?

0 Karma
Reply

JSkier
Communicator
‎03-06-2015 05:39 AM

I added the last change above, hopefully that works for you. Sorry for the late response, it took some time from support. Also, support said this is a bug that will be fixed in a future release of the app.

Reply

JSkier
Communicator
‎01-15-2015 11:08 AM

I am also having this issue with a heavy forwarder and splunk6. I have a ticket in with splunk support, I'll update once I get a solution, or stumble upon one.

What version of splunk are you running?

0 Karma
Reply

jeremyarcher
Path Finder
‎01-15-2015 11:45 AM

We ended up setting up a local file collector to index the log file that was created on the local system. That seemed to work but I'm not sure what other potential issues it may cause. I'm particularly wondering if it will cause issues with the Cisco Security Suite as it has no IPS data at all currently (but it appears that it may be unsupported).

0 Karma
Reply

ppablo
Retired
‎01-26-2015 07:58 PM

Hi @jeremyarcher

Did @JSkier's answer below help with your issue?

0 Karma
Reply
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...