I have installed the Cisco IPS app (as well as the Cisco Security Suite app) and I'm experiencing issues getting IPS events to populate in the Apps -> Search -> Dashboards/Views -> IPS Alerts page and the Apps -> Cisco Security Suite -> Intrusion Prevention -> IPS Alerts page.
There is an SDEE connection to the IPS, as seen in the sdee.log:
Tue Oct 23 09:56:26 2012 - INFO - Checking for exsisting SubscriptionID on host: 126.96.36.199
Tue Oct 23 09:56:26 2012 - INFO - SubscriptionID: sub-6-cd127b3e found for host: 188.8.131.52
Tue Oct 23 09:56:26 2012 - INFO - Attempting to connect to sensor: 184.108.40.206
Tue Oct 23 09:56:26 2012 - INFO - Successfully connected to: 220.127.116.11
There are IPS events in the /opt/splunk/etc/apps/Splunk_CiscoIPS/var/log/ips_sdee.log.18.104.22.168 file and the events continue to be updated in this file.
I can run a search (eventtype="cisco_ips" | bin _time span=15m) and see the events in the Search page.
[script://$SPLUNK_HOME/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py user password 22.214.171.124]
disabled = 0
index = main
interval = 1
source = SDEE
sourcetype = cisco_ips_syslog
I'd appreciate some help in getting the events to display within the Cisco Security Suite and the IPS Alerts page. I have the data (events) in Splunk, I just can't get it to display.
The Cisco IPS app doesn't extract the field "context" from IPS events, which is necessary to populate the IPS Alerts dashboard.
I experienced the same issue and fixed it by directly editing the inline search in the view "ips_overview" (I simply removed the "context" field). The new version looks like:
eventtype="cisco_ips" | bin _time span=15m | stats count by severity, description, attacker, target, hostId, _time
Also, you have to disable the monitoring panel in the view "ips_overview" that shows context data.
Alternatively, if you do have context data in your IPS events, you could add an appropriate field extraction to props.conf in the Cisco IPS app.
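As an added illustration of that second option (not part of the answer above or of the Cisco IPS app itself), here is what such a search-time extraction could look like in the app's local/props.conf; it assumes the SDEE events carry the value as a quoted key=value pair `context="..."`, which you must confirm against your own ips_sdee.log before using it:

```ini
# Added example, not shipped with the Cisco IPS app.
# File: $SPLUNK_HOME/etc/apps/Splunk_CiscoIPS/local/props.conf
# (local/ so an app upgrade does not overwrite the change)
#
# ASSUMPTION: events contain the field as   context="some value"
# If your events use a different layout, adjust the regex accordingly.
[cisco_ips_syslog]
# Search-time extraction: the named capture group becomes the field "context"
EXTRACT-context = context="(?<context>[^"]*)"
```

After restarting Splunk, verify the field is actually being populated with `eventtype="cisco_ips" | stats count(context)` before re-enabling the context panel in the ips_overview view.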