
Adding Cisco IPS into Splunk

Explorer

Hi, while trying to add a Cisco IPS module SSM-20 into Splunk I encountered the following problem: No route to host.

This is what I checked:

  1. IPS and Splunk are pingable with no firewall between them
  2. sdee_connection.log -> the above error is there
  3. apps/Splunk_CiscoIPS/var/log/.run -> file is empty. Erasing it and restarting Splunk produces a new empty file again
  4. I removed the Splunk_CiscoIPS dir and installed it again, same error

Could you please suggest what else I can do? Is it a bug or a misconfig? Thanks so much for any advice.

btw. I installed exactly the same scenario before with a slightly different version of the IPS engine and everything worked; I don't know where the difference is, and I hope I won't have to reinstall the whole server 😞

0 Karma

Re: Adding Cisco IPS into Splunk

Explorer

Hi, I got something new: somehow the SubscriptionID appeared in the .run file, and now the log is producing the following error:

Thu Aug 23 08:32:04 2012 - INFO - Attempting to connect to sensor: 20.20.20.3
Thu Aug 23 08:32:04 2012 - INFO - Successfully connected to: 20.20.20.3
Thu Aug 23 08:32:22 2012 - ERROR - Exception thrown in sdee.get(): URLError:
Thu Aug 23 08:32:22 2012 - ERROR - Attempting to re-connect to the sensor: 20.20.20.3
Thu Aug 23 08:32:25 2012 - INFO - Checking for exsisting SubscriptionID on host: 20.20.20.3
Thu Aug 23 08:32:25 2012 - INFO - SubscriptionID: sub-2-e865675f found for host: 20.20.20.3
Thu Aug 23 08:32:25 2012 - INFO - Attempting to connect to sensor: 20.20.20.3
Thu Aug 23 08:32:25 2012 - INFO - Successfully connected to: 20.20.20.3
Thu Aug 23 08:32:43 2012 - ERROR - Exception thrown in sdee.get(): URLError:
Thu Aug 23 08:32:43 2012 - ERROR - Attempting to re-connect to the sensor: 20.20.20.3
Thu Aug 23 08:32:46 2012 - INFO - Checking for exsisting SubscriptionID on host: 20.20.20.3
Thu Aug 23 08:32:46 2012 - INFO - SubscriptionID: sub-2-e865675f found for host: 20.20.20.3
Thu Aug 23 08:32:46 2012 - INFO - Attempting to connect to sensor: 20.20.20.3
Thu Aug 23 08:32:46 2012 - INFO - Successfully connected to: 20.20.20.3
Thu Aug 23 08:33:04 2012 - ERROR - Exception thrown in sdee.get(): URLError:
Thu Aug 23 08:33:04 2012 - ERROR - Attempting to re-connect to the sensor: 20.20.20.3
Thu Aug 23 08:33:07 2012 - INFO - Checking for exsisting SubscriptionID on host: 20.20.20.3
Thu Aug 23 08:33:07 2012 - INFO - SubscriptionID: sub-2-e865675f found for host: 20.20.20.3
Thu Aug 23 08:33:07 2012 - INFO - Attempting to connect to sensor: 20.20.20.3
Thu Aug 23 08:33:07 2012 - INFO - Successfully connected to: 20.20.20.3

0 Karma

Re: Adding Cisco IPS into Splunk

Explorer

OK, I finally did it. The problem was in routing, the ARP table and the http_proxy variable. Now everything is working correctly. Sorry for disturbing 😉

0 Karma
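The root cause in the last reply (routing/ARP, plus an http_proxy variable) matches the two symptoms in the thread: "No route to host" is an OS-level socket error, while a URLError with no detail from sdee.get() is what urllib raises when a proxy taken from the environment cannot reach the sensor. The pre-flight check below is an added example, not code from this thread or from the Splunk_CiscoIPS app. The sensor address 20.20.20.3 comes from the posted log; the port 443, the function names and the environment dicts used as input are assumptions.

```python
"""Pre-flight checks for a Splunk-to-Cisco-IPS SDEE connection (added example).

Sensor address 20.20.20.3 is taken from the thread's log; the port, function
names and sample environments are assumptions made for this example.
"""
import os
import socket
import urllib.request

SDEE_PORT = 443  # SDEE is served over HTTPS on the sensor; assumed default port

# Variables that urllib reads (via getproxies) when opening a URL.
PROXY_VARS = ("http_proxy", "https_proxy", "HTTP_PROXY", "HTTPS_PROXY")


def _no_proxy_match(host, no_proxy):
    """True if `host` is covered by a comma-separated no_proxy/NO_PROXY list."""
    for entry in (e.strip() for e in no_proxy.split(",")):
        if not entry:
            continue
        bare = entry.lstrip(".")
        if entry == "*" or host == bare or host.endswith("." + bare):
            return True
    return False


def proxies_in_effect(host, env=None):
    """Return {var: url} for the proxy variables that would apply to `host`.

    An empty dict means a URL open to `host` would go direct. `env` defaults
    to the real process environment; a dict can be passed for testing.
    """
    env = os.environ if env is None else env
    no_proxy = env.get("no_proxy", env.get("NO_PROXY", ""))
    if _no_proxy_match(host, no_proxy):
        return {}
    return {v: env[v] for v in PROXY_VARS if env.get(v)}


def tcp_reachable(host, port=SDEE_PORT, timeout=3.0):
    """Direct TCP connect that bypasses any proxy.

    Returns False on "No route to host" (EHOSTUNREACH), network unreachable,
    connection refused or timeout, i.e. the routing/ARP class of failure.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(host, env=None, port=SDEE_PORT, timeout=3.0):
    """Collect findings in the order the thread hit them: path first, proxy second."""
    findings = []
    if not tcp_reachable(host, port, timeout):
        findings.append(f"no direct TCP path to {host}:{port} (check routing, ARP, firewall)")
    for var, url in proxies_in_effect(host, env).items():
        findings.append(f"{var}={url} would be used for {host}; add it to no_proxy or unset the variable")
    return findings


def direct_opener():
    """urllib opener that ignores proxy variables: an empty ProxyHandler disables them."""
    return urllib.request.build_opener(urllib.request.ProxyHandler({}))


if __name__ == "__main__":
    for line in diagnose("20.20.20.3") or ["no problems found"]:
        print(line)
```

Run it on the Splunk host as the user the app runs under, since that is whose environment (and http_proxy) urllib sees; if the only finding is a proxy variable, the fix is either a no_proxy entry for the sensor or, in your own collector code, opening the sensor with direct_opener().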