I have the Splunk Add-on for Cisco IPS installed and am receiving data from some Cisco IPS devices. I can configure additional connections successfully, but I do not receive any data from them. I see a number of the following error messages in sdee_get.log.
Mon Apr 13 16:35:50 2015 - No credentials for IPS xxx.xxx.xxx.xxx were found!
I have confirmed the credentials are entered correctly, and that they are properly created in the app.conf file. Why can't the Add-on get them?
Why don’t I receive data from new sensors added to the Splunk Add-on for Cisco IPS?
There is a limitation in the number of credentials the Splunk Add-on for Cisco IPS is able to retrieve. This issue is being tracked on ADDON-3724 and SPL-99756. Until the next release of the add-on, you may use the following work-around to resolve this.
1. Navigate to the $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/bin/ directory
2. Edit the get_ips_feed.py file
3. Line 55 should look like the following:
entities = entity.getEntities(['storage', 'passwords'],
    namespace=APPNAME, owner='nobody', sessionKey=sessionKey)
4. Add count='-1' after the sessionKey entity so the line looks like the line below.
entities = entity.getEntities(['storage', 'passwords'],
    namespace=APPNAME, owner='nobody', sessionKey=sessionKey, count='-1')
5. Save the file.
6. Restart Splunk
You should no longer receive the error messages in the sdee_get.log file, and your data should start getting indexed.
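One way to confirm the work-around is in place and to see which sensors were affected, as an added example that is not part of the original answer or of the add-on's code. The function names are hypothetical, and the log lines and IP addresses are constructed samples in the format quoted in the question.

```python
import re

# Error format copied from the sdee_get.log line quoted in the question.
NO_CREDS = re.compile(r"^.+? - No credentials for IPS (?P<host>\S+) were found!\s*$")
# The credential lookup in get_ips_feed.py that the work-around edits.
GET_ENTITIES = re.compile(
    r"entity\.getEntities\(\s*\[\s*'storage'\s*,\s*'passwords'\s*\](?P<args>.*?)\)", re.S)
COUNT_ALL = re.compile(r"\bcount\s*=\s*(['\"]?)-1\1")

# Constructed sample input: documentation-range IPs stand in for real sensors.
SAMPLE_LOG = """\
Mon Apr 13 16:35:50 2015 - No credentials for IPS 192.0.2.10 were found!
Mon Apr 13 16:35:50 2015 - No credentials for IPS 192.0.2.11 were found!
Mon Apr 13 16:36:10 2015 - constructed unrelated log line
Mon Apr 13 16:40:50 2015 - No credentials for IPS 192.0.2.10 were found!
"""
ORIGINAL_CALL = """entities = entity.getEntities(['storage', 'passwords'],
    namespace=APPNAME, owner='nobody', sessionKey=sessionKey)"""
PATCHED_CALL = ORIGINAL_CALL.replace(
    "sessionKey=sessionKey)", "sessionKey=sessionKey, count='-1')")


def sensors_missing_credentials(log_text):
    """Map each sensor to the number of 'No credentials' errors logged for it."""
    hits = {}
    for line in log_text.splitlines():
        match = NO_CREDS.match(line)
        if match:
            host = match.group("host")
            hits[host] = hits.get(host, 0) + 1
    return hits


def workaround_applied(source):
    """True if every storage/passwords lookup passes count=-1, None if no lookup is found."""
    calls = [m.group("args") for m in GET_ENTITIES.finditer(source)]
    if not calls:
        return None
    return all(COUNT_ALL.search(args) is not None for args in calls)


if __name__ == "__main__":
    print(sensors_missing_credentials(SAMPLE_LOG))
    print(workaround_applied(ORIGINAL_CALL), workaround_applied(PATCHED_CALL))
```

To check a real installation, pass the contents of get_ips_feed.py and sdee_get.log to these functions in place of the samples; sensors that still appear in the log after the restart have a different credential problem.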
Note, this applies to problems retrieving credentials in Splunk Add-on for Cisco IPS 2.1.3 and below. As bpaul_splunk mentions, the next version will ship with this update.