Hello
I have an issue getting the Cisco IPS app to work under Splunk.
I made it work the first time, indexing the IPS logs correctly.
I registered a lot of scripts under the setup menu of the Cisco IPS app.
I tried to delete the wrong one, but I was unable to because I got an error message every time.
So I decided to uninstall the app by removing the Splunk_CiscoIPS folder under $SPLUNK/etc/apps/ and restarting Splunk to make a fresh install.
I also deleted the CiscoIPS folder I found under $SPLUNK/etc/users/%user%/.
I made a fresh install and now I'm unable to get the IPS events after doing the setup.
Here's the log I have in $SPLUNK/var/log/splunk/sdee_get.log:
Wed Oct 10 15:00:22 2012 - INFO - No exsisting SubscriptionID for host: 1.2.3.4
Wed Oct 10 15:00:22 2012 - INFO - Attempting to connect to sensor: 1.2.3.4
Wed Oct 10 15:00:22 2012 - INFO - Successfully connected to: 1.2.3.4
Wed Oct 10 15:00:22 2012 - INFO - Checking for exsisting SubscriptionID on host: 1.2.3.4
Wed Oct 10 15:00:22 2012 - INFO - No exsisting SubscriptionID for host: 1.2.3.4
Wed Oct 10 15:00:22 2012 - INFO - Attempting to connect to sensor: 1.2.3.4
Wed Oct 10 15:00:22 2012 - INFO - Successfully connected to: 1.2.3.4
Wed Oct 10 15:00:23 2012 - ERROR - Connecting to sensor - 1.2.3.4: HTTPError: HTTP Error 401: Unauthorized
Wed Oct 10 15:00:24 2012 - ERROR - Connecting to sensor - 1.2.3.4: HTTPError: HTTP Error 400: Bad Request
Wed Oct 10 15:05:23 2012 - INFO - Checking for exsisting SubscriptionID on host: 1.2.3.4
Wed Oct 10 15:05:23 2012 - INFO - No exsisting SubscriptionID for host: 1.2.3.4
Wed Oct 10 15:05:23 2012 - INFO - Attempting to connect to sensor: 1.2.3.4
Wed Oct 10 15:05:23 2012 - INFO - Successfully connected to: 1.2.3.4
Wed Oct 10 15:05:24 2012 - ERROR - Connecting to sensor - 1.2.3.4: HTTPError: HTTP Error 401: Unauthorized
Wed Oct 10 15:05:25 2012 - INFO - Checking for exsisting SubscriptionID on host: 1.2.3.4
Wed Oct 10 15:05:25 2012 - INFO - No exsisting SubscriptionID for host: 1.2.3.4
Wed Oct 10 15:05:25 2012 - INFO - Attempting to connect to sensor: 1.2.3.4
Wed Oct 10 15:05:25 2012 - INFO - Successfully connected to: 1.2.3.4
Wed Oct 10 15:05:26 2012 - ERROR - Connecting to sensor - 1.2.3.4: HTTPError: HTTP Error 400: Bad Request
It seems my credentials aren't correct, but I had already tried making another account, unsuccessfully.
Do you have any idea?
Thanks.
Yes, I can ping and get HTTPS from the IPS; everything seems to be OK, and it was working for a year, but after that PSOD everything stopped. I think maybe I should reboot the ASA IPS module; I have already rebooted it.
Really need your help!
Hello, could you help me with the same situation? One time, after a PSOD of the ESXi host where the virtual Splunk is running, I saw that IPS logs stopped going to Splunk. I updated cisco_ips to 2.0.0 and used the old script for IPS in Splunk (because with the Splunk web cisco_ips configuration I'm getting the following error:
Encountered the following error while trying to update: In handler 'localapps': Error while posting to url=/servicesNS/nobody/Splunk_CiscoIPS/admin/cisco_ips_setup/cisco_ips_setup_settings
then I just changed the configuration to 1)
In the Cisco IPS sensor:
ips# sh statistics sdee-server
General
Open Subscriptions = 0
Blocked Subscriptions = 0
Maximum Available Subscriptions = 5
Maximum Events Per Retrieval = 500
Subscriptions
On Splunk:
Sun Nov 10 21:43:32 2013 - INFO - Checking for exsisting SubscriptionID on host: 192.168.1.2
host = seclog
source = /opt/splunk/var/log/splunk/sdee_get.log
sourcetype = sdee_connection
Sun Nov 10 21:43:32 2013 - INFO - No exsisting SubscriptionID for host: 192.168.1.2
Sun Nov 10 21:43:32 2013 - INFO - Attempting to connect to sensor: 192.168.1.2
Sun Nov 10 21:43:32 2013 - INFO - Successfully connected to: 192.168.1.2
Sun Nov 10 21:43:32 2013 - ERROR - Connecting to sensor - 192.168.1.2: URLError:
That message would seem to indicate that the Splunk server cannot connect to the IPS. I think you need to start with the basics. Can you ping the IPS from the Splunk server? Can you navigate to https://Sensor_IP/cgi-bin/sdee-server from the Splunk server?
When you initially set up the app and added the IPS sensors, it created a subscription on the sensor and put the subscription information in the $SPLUNK_HOME\etc\apps\Splunk_CiscoIPS\var\run directory. There should be one file for each sensor, named Sensor_IP.run. When you deleted the app, re-installed it and tried to re-add the sensors, it tried to set up a new subscription. But the IPS sensor knew that there was already a subscription and does not want to create another. There are three ways to fix this:
If that does not work, let me know and there are a few other things we can check on the IPS sensor.
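As an added diagnostic example (not part of the Splunk_CiscoIPS app or of this thread), the script below parses sdee_get.log lines in the format pasted above, classifies each sensor's last error (401, 400 or URLError) and checks whether the Sensor_IP.run file described in the answer exists. The sample log lines are constructed; the run directory path and the reading of HTTP 400 as a refused subscription request are assumptions.

```python
import re
from collections import Counter
from pathlib import Path

# Constructed sample in the sdee_get.log format pasted in this thread (not a real capture).
SAMPLE_LOG = """\
Wed Oct 10 15:00:22 2012 - INFO - Successfully connected to: 1.2.3.4
Wed Oct 10 15:00:23 2012 - ERROR - Connecting to sensor - 1.2.3.4: HTTPError: HTTP Error 401: Unauthorized
Wed Oct 10 15:00:24 2012 - ERROR - Connecting to sensor - 1.2.3.4: HTTPError: HTTP Error 400: Bad Request
Sun Nov 10 21:43:32 2013 - ERROR - Connecting to sensor - 192.168.1.2: URLError:
"""
LINE_RE = re.compile(r"^(?P<ts>.+? \d{4}) - (?P<level>\w+) - (?P<msg>.*)$")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def classify_error(msg):
    """Map an ERROR message to the failure class a defender should check first."""
    if "HTTP Error 401" in msg:
        return "unauthorized"   # sensor rejected the SDEE account's credentials
    if "HTTP Error 400" in msg:
        return "bad_request"    # sensor refused the request, e.g. a subscription it will not recreate (assumed)
    if "URLError" in msg:
        return "unreachable"    # no HTTP answer at all: routing, firewall, TLS or DNS
    return "other"

def diagnose(log_text, run_dir):
    """Per sensor IP: error counts, last error class, and whether <IP>.run exists in run_dir."""
    state = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        ip = IPV4_RE.search(m["msg"]) if m else None
        if not ip:
            continue
        host = state.setdefault(ip.group(1), {"errors": Counter(), "last_error": None})
        if m["level"] == "ERROR":
            host["last_error"] = classify_error(m["msg"])
            host["errors"][host["last_error"]] += 1
    for ip, host in state.items():
        host["has_run_file"] = (Path(run_dir) / f"{ip}.run").is_file()
    return state

def hint(host):
    """Plain-language next step for one sensor's state."""
    if host["last_error"] is None:
        return "no errors logged; confirm events are actually being indexed"
    if host["last_error"] == "unreachable":
        return "check the network path and https://Sensor_IP/cgi-bin/sdee-server from the Splunk host"
    if host["last_error"] == "unauthorized":
        return "check the SDEE user name/password configured for this sensor"
    if not host["has_run_file"]:
        return "no .run file on Splunk, but the sensor may still hold the old subscription; check 'sh statistics sdee-server'"
    return "Splunk's .run file and the sensor's subscription may disagree; compare the two"
```

Point `diagnose()` at the real sdee_get.log contents and the app's var/run directory to get one hint per sensor.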
Up, I really need some help on it 🙂