I have installed the Cisco IPS app (as well as the Cisco Security Suite app) and I'm experiencing issues getting IPS events to populate in the Apps -> Search -> Dashboards/Views -> IPS Alerts page and the Apps -> Cisco Security Suite -> Intrusion Prevention -> IPS Alerts page.

There is an SDEE connection to the IPS, as seen in the sdee.log:
Tue Oct 23 09:56:26 2012 - INFO - Checking for exsisting SubscriptionID on host:
Tue Oct 23 09:56:26 2012 - INFO - SubscriptionID: sub-6-cd127b3e found for host:
Tue Oct 23 09:56:26 2012 - INFO - Attempting to connect to sensor:
Tue Oct 23 09:56:26 2012 - INFO - Successfully connected to:

There are IPS events in the /opt/splunk/etc/apps/Splunk_CiscoIPS/var/log/ips_sdee.log. file and the events continue to be updated in this file.

I can run a search (eventtype="cisco_ips" | bin _time span=15m) and see the events in the Search page.

Inputs.conf file

[script://$SPLUNK_HOME/etc/apps/Splunk_CiscoIPS/bin/ user password]
disabled = 0
index = main
interval = 1
source = SDEE
sourcetype = cisco_ips_syslog

I'd appreciate some help in getting the events to display within the Cisco Security Suite and the IPS Alerts page. I have the data (events) in Splunk; I just can't get it to display.


The Cisco IPS app doesn't extract the field "context" from IPS events, which is necessary to populate the IPS Alerts dashboard.
I experienced the same issue and fixed it by directly editing the inline search in the view "ips_overview" (I simply removed the "context" field). The new version looks like:

eventtype="cisco_ips" | bin _time span=15m | stats count by severity, description, attacker, target, hostId, _time

Also, you have to disable the monitoring panel in the view "ips_overview" that shows context data.
Alternatively, if you have context data in your IPS events, you could add an appropriate field extraction to props.conf in the Cisco IPS app.

