I have a problem monitoring the Cisco IPS module ASA5585-SSP-IPS10.
From the IPS I see this error; the state remains Read Pending:
sub-8-9480fcb4
State = Read Pending
Last Read Time = 13:22:42 UTC Mon Aug 01 2011
Last Read Time (nanoseconds) = 1312204962229391000
From the Splunk server I see this error:
tail -f /opt/splunk/var/log/splunk/sdee_get.log
Fri Jul 29 14:26:45 2011 - ERROR - Exception thrown while parsing SDEE payload: Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py", line 74, in run
    alert_obj_list = idsmxml.parse_alerts( result_xml )
  File "/opt/splunk/etc/apps/Splunk_CiscoIPS/bin/pysdee/idsmxml.py", line 243, in parse_alerts
    alert_obj.signature = build_sig(sig[0])
  File "/opt/splunk/etc/apps/Splunk_CiscoIPS/bin/pysdee/idsmxml.py", line 190, in build_sig
    signature.marscategory = node.getElementsByTagName('marsCategory')[0].firstChild.wholeText
IndexError: list index out of range
Is there a solution to resolve this problem?
Please update the Cisco IPS apps to the latest version, it should fix the error.
We were recently made aware of this issue caused by an unannounced change in the SDEE payload with the latest software update. We will be pushing a fix to Splunkbase soon but in the meantime please feel free to contact me directly and I will send you an update. You can reach me at: will (at) splunk.com
Thanks!
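The traceback in the question stops at `getElementsByTagName('marsCategory')[0]`, which raises IndexError as soon as a payload omits that element. The following is an added example, not the Splunk_CiscoIPS app's code or its actual fix: a tolerant parse with `xml.dom.minidom` that also covers an empty element and an alert with no signature. The sample XML, the `evIdsAlert`/`signature` layout and the function bodies are assumptions.

```python
from xml.dom import Node, minidom

# Constructed sample, not a captured SDEE payload. Element layout is an
# assumption; only the marsCategory tag name comes from the traceback.
SAMPLE = """<events>
  <evIdsAlert eventId="1"><signature id="1001" description="constructed A">
    <marsCategory>Constructed/Category</marsCategory></signature></evIdsAlert>
  <evIdsAlert eventId="2"><signature id="1002" description="constructed B">
    <marsCategory/></signature></evIdsAlert>
  <evIdsAlert eventId="3"><signature id="1003" description="constructed C"/></evIdsAlert>
  <evIdsAlert eventId="4"/>
</events>"""


def optional_text(node, tag, default=None):
    """Text of the first <tag> under node, or default when the element is
    absent (IndexError in the traceback) or empty (firstChild is None)."""
    matches = node.getElementsByTagName(tag)
    if not matches:
        return default
    text = "".join(child.data for child in matches[0].childNodes
                   if child.nodeType in (Node.TEXT_NODE, Node.CDATA_SECTION_NODE))
    return text.strip() or default


def build_sig(node):
    """Hypothetical stand-in for the app's build_sig; optional fields may be None."""
    return {
        "id": node.getAttribute("id"),
        "description": node.getAttribute("description"),
        "marscategory": optional_text(node, "marsCategory"),
    }


def parse_alerts(xml_text):
    """Return (alerts, skipped). An alert without a signature is counted and
    skipped instead of aborting the whole poll."""
    alerts, skipped = [], 0
    for alert in minidom.parseString(xml_text).getElementsByTagName("evIdsAlert"):
        sigs = alert.getElementsByTagName("signature")
        if not sigs:
            skipped += 1
            continue
        alerts.append((alert.getAttribute("eventId"), build_sig(sigs[0])))
    return alerts, skipped


if __name__ == "__main__":
    print(parse_alerts(SAMPLE))
```

Logging the skipped count on each poll makes a later schema change visible in the feed log instead of leaving the subscription stuck without events.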
We are getting the same error, did you find a solution?