splunk does not show any sdee log from ips

New Member

Hi Sirs,

I have downloaded the Splunk Cisco IPS add-on and installed it. After restarting my Splunk server, this stanza

[script://$SPLUNK_HOME/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py "user" "pass" "ips-ip"]

disabled = 0
index = main
interval = 1
source = SDEE
sourcetype = cisco_ips_syslog

was added to "C:\Program Files\Splunk\etc\apps\Splunk_CiscoIPS\local\inputs.conf".

I used index="_internal" sourcetype="sdee_connection" for troubleshooting, but it does not return any output.

Where is my problem?

Thanks


Re: splunk does not show any sdee log from ips

Splunk Employee

Perhaps it needs the userid, password, and the IP address of the IPS passed to the script?

Installation Instructions

The Cisco IPS add-on can be downloaded, installed, and a connection made to your Cisco IPS sensor(s) by either using the Splunk app setup screen or by manually installing and configuring the add-on. Instructions for both methods are described.

+++ Automated setup using the add-on setup +++

The automated setup is designed to walk you through the configuration of the Cisco IPS add-on once the add-on is installed on your Splunk deployment. The setup screen can be accessed in one of the following ways:

  1. Click the "Setup" button on the add-on from within the Splunk Home page.
  2. Click Welcome > Add data > Cisco device logs
  3. Click Manager > Apps > Cisco IPS > "Set up"

The setup of the app will require the IP Address or hostname of the sensor you wish to configure and the username/password that will be used to connect to the sensor and pull the data. You also have an option to specify a local file source input for the data. Once the desired configuration options are selected, click the "Save" button. The setup program will create and/or update the inputs.conf file to include the desired input configuration.

+++ Manual setup and configuration +++

  1. Open the inputs.conf file located at $SPLUNK_HOME/etc/apps/Splunk_CiscoIPS/local/inputs.conf
  2. Modify the inputs.conf file to include the following stanza for each IPS sensor that needs to be configured

[script://$SPLUNK_HOME/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py ]
sourcetype = cisco_ips_syslog
source = SDEE
disabled = false
interval = 1

  3. Save the changes made to the inputs.conf file.

Splunk requires a restart before the scripted input will take effect.

This add-on has been renamed from previous versions (namely "addon" has been removed). Optionally you may choose to manually remove the "ciscoips_addon" add-on from the file system. If any changes exist in local they will need to be manually migrated over to this add-on.
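The answer above suggests that the scripted input may be missing the username, password and sensor address. The following check, an added example that is not part of the thread or of the Splunk_CiscoIPS add-on, parses an inputs.conf and reports every get_ips_feed.py stanza whose header does not carry exactly three arguments, is disabled, or has an unusable interval. The sample file is constructed from the asker's stanza plus a second, hypothetical stanza with no arguments; the script name, the "three arguments" rule and the lenient handling of non-numeric intervals are assumptions based on the stanza shown in the question.

```python
"""Sanity-check Cisco IPS scripted-input stanzas in a Splunk inputs.conf.

Added example, not part of the Splunk_CiscoIPS add-on. Assumes the script
takes exactly three positional arguments (user, password, sensor address),
as in the stanza posted in the question.
"""
import configparser
import shlex

# Constructed sample: the asker's stanza (three arguments present) followed by
# a hypothetical stanza that omits them, the situation the answer suspects.
SAMPLE_INPUTS_CONF = r"""
[script://$SPLUNK_HOME/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py "user" "pass" "ips-ip"]
disabled = 0
index = main
interval = 1
source = SDEE
sourcetype = cisco_ips_syslog

[script://$SPLUNK_HOME/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py]
sourcetype = cisco_ips_syslog
source = SDEE
disabled = false
interval = 1
"""

# Values Splunk treats as "not disabled" for the disabled = ... key.
FALSE_VALUES = {"0", "false", "f", "no", "n"}


def parse_inputs_conf(text):
    """Parse inputs.conf text into an ordered list of (stanza name, options)."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return [(name, dict(cp.items(name))) for name in cp.sections()]


def split_script_stanza(name):
    """Split 'script://<path> <args...>' into (path, [args]); None if not a script stanza."""
    prefix = "script://"
    if not name.startswith(prefix):
        return None
    parts = shlex.split(name[len(prefix):])  # honours the quoted "user" "pass" "ips-ip"
    return parts[0], parts[1:]


def check_ips_stanzas(text, script_name="get_ips_feed.py", required_args=3):
    """Return {stanza name: [problems]} for each stanza that runs script_name.

    An empty problem list means the stanza passed every check.
    """
    findings = {}
    for name, opts in parse_inputs_conf(text):
        split = split_script_stanza(name)
        if split is None:
            continue
        path, args = split
        if not path.endswith(script_name):
            continue
        problems = []
        if len(args) != required_args:
            problems.append(
                f"expected {required_args} arguments (user, password, sensor address), "
                f"found {len(args)}"
            )
        # A missing 'disabled' key means the input is enabled.
        if opts.get("disabled", "0").strip().lower() not in FALSE_VALUES:
            problems.append("input is disabled")
        interval = opts.get("interval", "").strip()
        if not interval:
            problems.append("interval not set")
        elif interval.lstrip("-").isdigit() and int(interval) <= 0:
            problems.append("interval must be a positive number of seconds")
        # Non-numeric intervals are left alone: Splunk also accepts cron syntax.
        if "sourcetype" not in opts:
            problems.append("sourcetype not set")
        findings[name] = problems
    return findings


if __name__ == "__main__":
    for stanza, problems in check_ips_stanzas(SAMPLE_INPUTS_CONF).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"[{stanza}] -> {status}")
```

Run it against the real file with `check_ips_stanzas(open(path).read())`. Note that the arguments in the stanza header are the sensor credentials in plaintext, so the `local` directory that holds inputs.conf should be readable only by the account Splunk runs as.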