I have installed the universal forwarder and I'm planning to install the Cisco IPS Script as part of the universal forwarder.
So under /home/splunkforwarder/etc/apps/Splunk_CiscoIPS/local
I created a new file called inputs.conf and added the below content
[script:///home/splunkforwarder/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py dev XXXXXX X.X.X.X 30]
disabled = 0
interval = 30
passAuth = splunk-system-user
source = SDEE
sourcetype = cisco_ips_syslog
host = 10.201.79.43
index = main
I restarted the splunk forwarder and checked if the script has got triggered.
I didn't see Splunk triggering the script. Hence I tried to manually run the script.
-bash-4.1$ vi get_ips_feed.py
-bash-4.1$ python /home/splunkforwarder/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py dev Cisco@123 10.201.79.43 30
Traceback (most recent call last):
  File "/home/splunkforwarder/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py", line 8, in <module>
    import splunk.entity as entity
ImportError: No module named splunk.entity
Can someone please tell me how to overcome this Import Error as I'm trying to trigger the script from the Splunk Forwarder.
All your suggestions will help me overcome this issue and proceed further.
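Added example, not code from Splunk or from the Cisco IPS app: a small parser for a `[script://...]` stanza in inputs.conf that splits the stanza header into the script path and its arguments and surfaces the things worth checking before enabling it. The stanza text is copied from the question above (with its XXXXXX placeholder); the warnings are checks I chose, not Splunk's own validation, and the argument layout (environment, password, host, interval) is taken from the manual run shown in the question.

```python
"""Parse a Splunk scripted-input stanza and report what to check before enabling it.

Added example; not part of Splunk or of the Cisco IPS app.
"""
import configparser
import os
import shlex

# Constructed input: the stanza from the question, copied verbatim.
STANZA_TEXT = """\
[script:///home/splunkforwarder/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py dev XXXXXX X.X.X.X 30]
disabled = 0
interval = 30
passAuth = splunk-system-user
source = SDEE
sourcetype = cisco_ips_syslog
host = 10.201.79.43
index = main
"""


def parse_scripted_inputs(text):
    """Return one dict per [script://...] stanza: path, args, settings, warnings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as written (passAuth, not passauth)
    cp.read_string(text)
    found = []
    for section in cp.sections():
        if not section.startswith("script://"):
            continue
        # Everything after "script://" is the command line: path first, then args.
        parts = shlex.split(section[len("script://"):])
        path, args = parts[0], parts[1:]
        settings = dict(cp[section])
        warnings = []
        if not os.path.isfile(path):
            warnings.append("script not found at %s on this host" % path)
        # Per the manual run in the question the arguments are:
        # <environment> <password> <sensor host> <interval>.
        if len(args) >= 2:
            warnings.append("argument 2 is a password passed on the command line; "
                            "it is visible to anyone who can list processes")
        if len(args) >= 4 and args[3] != settings.get("interval"):
            warnings.append("script interval argument %s differs from stanza "
                            "interval %s" % (args[3], settings.get("interval")))
        found.append({
            "path": path,
            "args": args,
            "settings": settings,
            "enabled": settings.get("disabled", "0") == "0",
            "warnings": warnings,
        })
    return found


if __name__ == "__main__":
    for stanza in parse_scripted_inputs(STANZA_TEXT):
        print(stanza["path"], stanza["args"], "enabled" if stanza["enabled"] else "disabled")
        for w in stanza["warnings"]:
            print("  warning:", w)
```

Run it on the forwarder itself so the script-path check is meaningful; the password warning is the point to act on, since a credential in the stanza header ends up in the process list every time the input fires.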
As well as needing a Splunk Heavy Forwarder, you also will need to modify the Cisco IPS app, as it has not been updated to run with Splunk 6.
Edit Splunk_CiscoIPS/bin/pysdee/pySDEE.py and add this block below the imports at the top of the file
# The section below is to override the default socket connection
# which will fail with these devices. The newer version of openssl
# in Python does not support the ciphers these devices would like to use
import httplib
from httplib import HTTPConnection, HTTPS_PORT
import ssl
import socket


class HTTPSConnection(HTTPConnection):
    "This class allows communication via SSL."

    default_port = HTTPS_PORT

    def __init__(self, host, port=None, key_file=None, cert_file=None,
                 strict=None, timeout=socket._GLOBAL_DEFAULT_TIMEOUT,
                 source_address=None):
        HTTPConnection.__init__(self, host, port, strict, timeout,
                                source_address)
        self.key_file = key_file
        self.cert_file = cert_file

    def connect(self):
        "Connect to a host on a given (SSL) port."

        sock = socket.create_connection((self.host, self.port),
                                        self.timeout, self.source_address)
        if self._tunnel_host:
            self.sock = sock
            self._tunnel()
        # this is the only line we modified from the httplib.py file
        # we added the ssl_version variable
        self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file,
                                    ssl_version=ssl.PROTOCOL_SSLv3)


# now we override the one in httplib
httplib.HTTPSConnection = HTTPSConnection
# ssl_version corrections are done
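Added example, not code from the Cisco IPS app or from the answer above: the Python 3 equivalent of that httplib override, done with an `ssl.SSLContext` handed to `http.client.HTTPSConnection` instead of monkey-patching the module. The protocol range is pinned for this one context only, and certificate verification stays on (the `ssl.wrap_socket` call in the override defaults to `cert_reqs=CERT_NONE`, so that patch also stopped checking the sensor's certificate). The host name, port and CA bundle path are placeholders I chose, not values from the thread.

```python
"""Pin the TLS version for one legacy HTTPS connection without a monkey-patch.

Added example; not part of the Cisco IPS app. Host/port/ca_bundle are placeholders.
"""
import http.client
import ssl


def build_legacy_context(min_version=ssl.TLSVersion.TLSv1_2,
                         max_version=ssl.TLSVersion.TLSv1_2,
                         ca_bundle=None):
    """Return a context limited to the protocol versions the device supports.

    Unlike the wrap_socket() override, verification is kept enabled. For a
    sensor with a self-signed certificate, export that certificate and pass
    its path as ca_bundle so only that certificate is trusted here.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    # Pin the negotiable range on this context only; nothing else in the
    # process is affected.
    ctx.minimum_version = min_version
    ctx.maximum_version = max_version
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_sdee_connection(host, port=443, timeout=30, context=None):
    """Return an HTTPSConnection bound to the pinned context.

    No socket is opened until a request is sent, so the object can be
    built and inspected without the device being reachable.
    """
    ctx = context if context is not None else build_legacy_context()
    return http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)


def context_summary(ctx):
    """Plain-string view of the settings that matter, for logging or tests."""
    return {
        "min_version": ctx.minimum_version.name,
        "max_version": ctx.maximum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


if __name__ == "__main__":
    ctx = build_legacy_context()
    print(context_summary(ctx))
    # Placeholder sensor address; replace with the real device when running.
    conn = make_sdee_connection("ips-sensor.example.invalid", 443, context=ctx)
    print("prepared connection to %s:%d" % (conn.host, conn.port))
```

If the device really only speaks a version below the interpreter's floor, widen `min_version` for this context alone rather than lowering process-wide defaults; the summary dict makes it easy to log exactly what was negotiated per connection.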
The Splunk Universal Forwarder does not ship with Python, so you won't have the necessary Python modules needed (like splunk.entity). Download and install the Splunk Heavy Forwarder and you should be good to go.