We are using the Cisco IPS app. The connection from the Splunk server to the IPS appears to be working normally. I can see events properly downloaded to the ips_sdee.log.x.x.x.x file every 15 minutes per our configuration.
However, the events are not being indexed by the Splunk server.
Working with support, you need to edit the inputs.conf file in the local directory and monitor the file, as you did. Apparently this behavior is not default like it was in previous versions. I also set this up, and have data flowing. The result was malformed results getting indexed due to improper parsing. Support is still looking into this. I'm going to try to index the sample files next in a test index to see if the same thing happens.
Something like this in addition to the scripted inputs you have :
[monitor://$SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/var/log/ips_sdee.log.*] index = ips_devices sourcetype = cisco:ips:syslog disabled = 0
In addition, you will need to create a local props.conf, like below, to get it to properly linebreak:
I tried indexing the sample files, these work. Still waiting for support to get back about improperly parsed data. My guess is it doesn't like the encoded packet information I have in the feeds, which is odd, the older versions didn't have an issue with this.
I added the last change above, hopefully that works for you. Sorry for the late response, it took some time from support. Also, support said this is a bug that will be fixed in a future release of the app.
I am also having this issue with a heavy forwarder and splunk6. I have a ticket in with splunk support, I'll update once I get a solution, or stumble upon one.
What version of splunk are you running?
We ended up setting up a local file collector to index the log file that was created on the local system. That seemed to work but I'm not sure what other potential issues it may cause. I'm particularly wondering if it will cause issues with the Cisco Security Suite as it has no IPS data at all currently (but it appears that it may be unsupported).