Hi All,
I have installed the universal forwarder and I'm planning to install the Cisco IPS script as part of the universal forwarder.
So under /home/splunkforwarder/etc/apps/Splunk_CiscoIPS/local
I created a new file called inputs.conf and added the content below:
[script:///home/splunkforwarder/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py dev XXXXXX X.X.X.X 30]
disabled = 0
interval = 30
passAuth = splunk-system-user
source = SDEE
sourcetype = cisco_ips_syslog
host = 10.201.79.43
index = main
I restarted the splunk forwarder and checked if the script has got triggered.
I didn't see Splunk triggering the script. Hence I tried to manually run the script.
-bash-4.1$ vi get_ips_feed.py
-bash-4.1$ python /home/splunkforwarder/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py dev Cisco@123 10.201.79.43 30
Traceback (most recent call last):
  File "/home/splunkforwarder/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py", line 8, in <module>
    import splunk.entity as entity
ImportError: No module named splunk.entity
Can someone please tell me how to overcome this ImportError, as I'm trying to trigger the script from the Splunk Forwarder.
All your suggestions will help me overcome this issue and proceed further.
As of Splunk_TA_cisco-ips 2.1.2 this modification should no longer be necessary. https://apps.splunk.com/app/1903/
As well as needing a Splunk Heavy Forwarder, you will also need to modify the Cisco IPS app, as it has not been updated to run with Splunk 6.
Edit Splunk_CiscoIPS/bin/pysdee/pySDEE.py and add this block below the imports at the top of the file:
# The section below is to override the default socket connection
# which will fail with these devices. The newer version of openssl
# in Python does not support the ciphers these devices would like to use
import httplib
from httplib import HTTPConnection, HTTPS_PORT
import ssl
import socket

class HTTPSConnection(HTTPConnection):
    "This class allows communication via SSL."

    default_port = HTTPS_PORT

    def __init__(self, host, port=None, key_file=None, cert_file=None,
                 strict=None, timeout=socket._GLOBAL_DEFAULT_TIMEOUT,
                 source_address=None):
        HTTPConnection.__init__(self, host, port, strict, timeout,
                                source_address)
        self.key_file = key_file
        self.cert_file = cert_file

    def connect(self):
        "Connect to a host on a given (SSL) port."
        sock = socket.create_connection((self.host, self.port),
                                        self.timeout, self.source_address)
        if self._tunnel_host:
            self.sock = sock
            self._tunnel()
        # this is the only line we modified from the httplib.py file
        # we added the ssl_version variable
        self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file,
                                    ssl_version=ssl.PROTOCOL_SSLv3)

# now we override the one in httplib
httplib.HTTPSConnection = HTTPSConnection
# ssl_version corrections are done
You can make these changes or use a 5.x version of the Heavy Forwarder. Either way should work.
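Added example, not code from the answer above or from the Splunk_CiscoIPS app: the Python 3 counterpart of the httplib override. Instead of hard-coding ssl.PROTOCOL_SSLv3 it hands http.client.HTTPSConnection an explicit ssl.SSLContext with a configurable protocol range, keeps certificate verification on, and reports which versions the local OpenSSL build still accepts. The names build_context, usable_min_versions, protocol_range and PinnedHTTPSConnection are mine.

```python
import http.client
import ssl

# Names an operator might write in a config, mapped to ssl.TLSVersion members.
VERSION_NAMES = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def build_context(min_version="TLSv1.2", max_version=None, cafile=None):
    """SSLContext that negotiates only [min_version, max_version].

    Peer verification stays on; pass cafile for a sensor signed by a private
    CA. Raises KeyError for an unknown name and ValueError or ssl.SSLError
    when the linked OpenSSL refuses the requested version.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = VERSION_NAMES[min_version]
    if max_version is not None:
        ctx.maximum_version = VERSION_NAMES[max_version]
    return ctx


def usable_min_versions():
    """Names this Python/OpenSSL accepts as minimum (SSLv3 is usually gone)."""
    usable = []
    for name in VERSION_NAMES:
        try:
            build_context(min_version=name)
        except Exception:  # ValueError/ssl.SSLError, or a warning raised as error
            continue
        usable.append(name)
    return usable


def protocol_range(ctx):
    """(min, max) as TLS wire version numbers; -1 means 'highest supported'."""
    return int(ctx.minimum_version), int(ctx.maximum_version)


class PinnedHTTPSConnection(http.client.HTTPSConnection):
    """Drop-in for http.client.HTTPSConnection with a pinned protocol range."""

    def __init__(self, host, port=None, min_version="TLSv1.2",
                 max_version=None, cafile=None, **kwargs):
        ctx = build_context(min_version, max_version, cafile)
        super().__init__(host, port, context=ctx, **kwargs)
```

Run usable_min_versions() on the forwarder host first: if the sensor only speaks a version that is not in the list, no client-side pin will make the connection work and the device firmware is what needs attention.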
The Splunk Universal Forwarder does not ship with Python, so you won't have the necessary Python modules needed (like splunk.entity). Download and install the Splunk Heavy Forwarder and you should be good to go.