Splunk for Cisco IPS: How to troubleshoot why Splunk is not indexing SDEE log data?

jeremyarcher
Path Finder

We are using the Cisco IPS app. The connection from the Splunk server to the IPS appears to be working normally. I can see events properly downloaded to the ips_sdee.log.x.x.x.x file every 15 minutes per our configuration.

However, the events are not being indexed by the Splunk server.

JSkier
Communicator

Working with support, you need to edit the inputs.conf file in the local directory and monitor the file, as you did. Apparently this behavior is not default like it was in previous versions. I also set this up, and have data flowing. The result was malformed results getting indexed due to improper parsing. Support is still looking into this. I'm going to try to index the sample files next in a test index to see if the same thing happens.

Something like this in addition to the scripted inputs you have:

    # local/inputs.conf: monitor the files the scripted SDEE input writes
    [monitor://$SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/var/log/ips_sdee.log.*]
    index = ips_devices
    sourcetype = cisco:ips:syslog
    disabled = 0

In addition, you will need to create a local props.conf, like below, to get it to properly linebreak:

    # local/props.conf: start a new event only at a newline followed by a timestamp and eventid;
    # the first capture group ([\r\n]+) is consumed as the delimiter, the rest stays in the event
    [cisco:ips:syslog]
    LINE_BREAKER=([\r\n]+)[\d-:\s]{10,30}\seventid="?\d+"?

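To see what the LINE_BREAKER in the answer above actually does to the file before you commit it to props.conf, here is an added example (not code from the original post or from the Cisco IPS app) that applies the same regex with Splunk's semantics to a small constructed sample. The sample lines, the field names in them and the base64 packet data are all made up for the demonstration; the real ips_sdee.log format may differ in detail. One port-specific change: PCRE (which Splunk uses) accepts `[\d-:\s]` with a literal hyphen after `\d`, but Python's `re` rejects a range starting with a class, so the hyphen is moved to the end of the class, which means the same thing.

```python
import re

# Splunk applies LINE_BREAKER (a PCRE regex) to the raw stream: the text matched by
# the FIRST capture group is consumed as the event delimiter, and everything the
# regex matches outside that group is kept, so the timestamp/eventid that proves a
# new event begins still opens the next event. The original stanza is
#   LINE_BREAKER=([\r\n]+)[\d-:\s]{10,30}\seventid="?\d+"?
# The hyphen is moved to the end of the character class for Python's re; same meaning.
LINE_BREAKER = re.compile(r'([\r\n]+)[\d:\s-]{10,30}\seventid="?\d+"?')

# The part of LINE_BREAKER after the capture group: what every well-formed event
# must start with.
EVENT_START = re.compile(r'[\d:\s-]{10,30}\seventid="?\d+"?')


def break_events(raw: str) -> list[str]:
    """Split raw file content into events the way Splunk's LINE_BREAKER does."""
    events = []
    start = 0
    for m in LINE_BREAKER.finditer(raw):
        # The boundary sits at the capture group: text before it closes the previous
        # event, text after it (timestamp, eventid, ...) opens the next one.
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e.strip("\r\n") for e in events if e.strip()]


def naive_split(raw: str) -> list[str]:
    """What you get when every newline is treated as an event boundary."""
    return [line for line in raw.splitlines() if line.strip()]


def malformed_events(events: list[str]) -> list[str]:
    """Events that do not open with a timestamp and eventid, i.e. junk fragments."""
    return [e for e in events if not EVENT_START.match(e)]


# Constructed sample (not a real ips_sdee.log capture): three events, the middle one
# carrying base64-encoded packet data that wraps onto two extra lines. Addresses are
# from the documentation ranges (TEST-NET-3 / TEST-NET-2).
SAMPLE = (
    '2014-01-15 10:02:33 eventid="1389780153000" hostid="ips-dmz-01" severity="high" '
    'sig_id="5081" attacker="203.0.113.5" target="198.51.100.20"\n'
    '2014-01-15 10:02:34 eventid="1389780154000" hostid="ips-dmz-01" severity="medium" '
    'sig_id="2100" attacker="203.0.113.9" target="198.51.100.21"\n'
    'packet="R0VUIC9pbmRleC5odG1sIEhUVFAvMS4xDQpIb3N0OiB3d3cuZXhhbXBsZS5jb20NCg==\n'
    'VXNlci1BZ2VudDogTW96aWxsYS81LjANCg=="\n'
    '2014-01-15 10:02:35 eventid="1389780155000" hostid="ips-dmz-01" severity="low" '
    'sig_id="3030" attacker="203.0.113.12" target="198.51.100.22"\n'
)

if __name__ == "__main__":
    naive = naive_split(SAMPLE)
    print(f"newline split: {len(naive)} events, "
          f"{len(malformed_events(naive))} of them junk fragments")
    for n, event in enumerate(break_events(SAMPLE), 1):
        print(f"--- event {n} ({event.count(chr(10)) + 1} line(s))")
        print(event)
```

Run it and the naive split yields five "events", two of which are bare packet fragments with no timestamp, which is the kind of junk a per-line default produces; the LINE_BREAKER pass yields three events with the wrapped packet lines kept inside the second one. To check a real file, read `ips_sdee.log.<ip>` into `SAMPLE` and look at whatever `malformed_events(break_events(...))` returns: anything in that list is a line the regex did not recognise as an event start.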
JSkier
Communicator

I tried indexing the sample files, these work. Still waiting for support to get back about improperly parsed data. My guess is it doesn't like the encoded packet information I have in the feeds, which is odd, the older versions didn't have an issue with this.

0 Karma

jeremyarcher
Path Finder

Thanks for the help. I finally got around to trying this tonight and this worked for me too. But like you I'm getting some junk data. Did you get that resolved?

0 Karma

JSkier
Communicator

I added the last change above, hopefully that works for you. Sorry for the late response, it took some time from support. Also, support said this is a bug that will be fixed in a future release of the app.

JSkier
Communicator

I am also having this issue with a heavy forwarder and Splunk 6. I have a ticket in with Splunk support, I'll update once I get a solution, or stumble upon one.

What version of Splunk are you running?

0 Karma

jeremyarcher
Path Finder

We ended up setting up a local file collector to index the log file that was created on the local system. That seemed to work but I'm not sure what other potential issues it may cause. I'm particularly wondering if it will cause issues with the Cisco Security Suite as it has no IPS data at all currently (but it appears that it may be unsupported).

0 Karma

ppablo
Community Manager

Hi @jeremyarcher

Did @JSkier's answer below help with your issue?

0 Karma