- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Cisco IPS logs in spunk issue
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cisco IPS logs in spunk issue
Hello,
I have installed Cisco TA 2.1.6 on HFW and trying to get logs from CISCO IPS devices.
I have configured the settings under inputs.conf :
[script://$SPLUNK_HOME/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py ]
sourcetype = cisco_ips_syslog
source = SDEE
disabled = false
interval = 1
I don't see any logs under - sensor_ip.run
I execute this as per troubleshooting docs-
index="_internal" sourcetype="sdee_connection" ERROR | rex "Connecting to sensor - (?[^:]+)" | rex "[Errno\s+(?[^]]+)" | stats count values(EN) as error_number by sensor
error_number= 110
when I run -
index="_internal" sourcetype="sdee_connection"
on Mar 5 21:37:35 2018 - ERROR - Connecting to sensor - X.XX.XXX.X: Traceback (most recent call last): File "/data/splunk/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py", line 103, in run sdee.open() File "/data/splunk/etc/apps/Splunk_TA_cisco-ips/bin/pysdee/pySDEE.py", line 191, in open self._request(params) File "/data/splunk/etc/apps/Splunk_TA_cisco-ips/bin/pysdee/pySDEE.py", line 167, in _request data = urllib2.urlopen(req) File "/data/splunk/lib/python2.7/urllib2.py", line 154, in urlopen return opener.open(url, data, timeout) File "/data/splunk/lib/python2.7/urllib2.py", line 429, in open response = self._open(req, data) File "/data/splunk/lib/python2.7/urllib2.py", line 447, in _open '_open', req) File "/data/splunk/lib/python2.7/urllib2.py", line 407, in _call_chain result = func(*args) File "/data/splunk/lib/python2.7/urllib2.py", line 1241, in https_open context=self._context) File "/data/splunk/lib/python2.7/urllib2.py", line 1198, in do_open raise URLError(err) URLError:
Also tried - wget https://X.X.X.X/cgi-bin/sdee-server/
--2018-03-05 21:06:17-- https://X.X.X.X/cgi-bin/sdee-server/
Connecting to X.X.X.X:443... failed: Connection timed out.
Retrying.
Please suggest
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey@raomu,
Your inputs mention sourcetype as cisco_ips_syslog.
And you are checking sourcetype=sdee_connection
Can you check sourcetype=cisco_ips_syslog.
Let me know if this helps!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Take a look through here. I had a similar issue years ago - maybe it still applies? http://blog.hortonew.com/splunk-ciscoips-app-no-longer-pulls-from-ips
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have to permit the Splunk box to connect on the IPS device. You can do this by re-running the setup from the command line or by clicking Sensor Setup > Allowed Hosts/Networks > Add in IME or IDM.
Also go through this link:
https://answers.splunk.com/answers/376881/splunk-add-on-for-cisco-ips-215-has-error-connetin.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Gaurav, but permission is already grated for spunk box.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please go through that link.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Gaurav, I am using the latest version of TA so this link is not of much help.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
New in Observability Cloud - Explicit Bucket Histograms
