Getting Data In

Cisco IPS app not working

rbw78
Communicator

Hello

I have an issue making the Cisco IPS app work under Splunk.

I made it work the first time, indexing the IPS logs correctly.
I registered a lot of scripts under the set up menu on the Cisco IPS.
I tried to delete the wrong ones but I was unable to do it because I got an error message every time.
So I decided to uninstall the app by removing the Splunk_CiscoIPS folder under $SPLUNK/etc/apps/ and restart Splunk to make a fresh install.
I had also deleted the CiscoIPS folder I found under $SPLUNK/etc/users/%user%/

I made a fresh install and now I'm unable to get the IPS events after doing the set up.

Here's the log I have in $SPLUNK/var/log/splunk/sdee_get.log
Wed Oct 10 15:00:22 2012 - INFO - No exsisting SubscriptionID for host: 1.2.3.4
Wed Oct 10 15:00:22 2012 - INFO - Attempting to connect to sensor: 1.2.3.4
Wed Oct 10 15:00:22 2012 - INFO - Successfully connected to: 1.2.3.4
Wed Oct 10 15:00:22 2012 - INFO - Checking for exsisting SubscriptionID on host: 1.2.3.4
Wed Oct 10 15:00:22 2012 - INFO - No exsisting SubscriptionID for host: 1.2.3.4
Wed Oct 10 15:00:22 2012 - INFO - Attempting to connect to sensor: 1.2.3.4
Wed Oct 10 15:00:22 2012 - INFO - Successfully connected to: 1.2.3.4
Wed Oct 10 15:00:23 2012 - ERROR - Connecting to sensor - 1.2.3.4: HTTPError: HTTP Error 401: Unauthorized
Wed Oct 10 15:00:24 2012 - ERROR - Connecting to sensor - 1.2.3.4: HTTPError: HTTP Error 400: Bad Request
Wed Oct 10 15:05:23 2012 - INFO - Checking for exsisting SubscriptionID on host: 1.2.3.4
Wed Oct 10 15:05:23 2012 - INFO - No exsisting SubscriptionID for host: 1.2.3.4
Wed Oct 10 15:05:23 2012 - INFO - Attempting to connect to sensor: 1.2.3.4
Wed Oct 10 15:05:23 2012 - INFO - Successfully connected to: 1.2.3.4
Wed Oct 10 15:05:24 2012 - ERROR - Connecting to sensor - 1.2.3.4: HTTPError: HTTP Error 401: Unauthorized
Wed Oct 10 15:05:25 2012 - INFO - Checking for exsisting SubscriptionID on host: 1.2.3.4
Wed Oct 10 15:05:25 2012 - INFO - No exsisting SubscriptionID for host: 1.2.3.4
Wed Oct 10 15:05:25 2012 - INFO - Attempting to connect to sensor: 1.2.3.4
Wed Oct 10 15:05:25 2012 - INFO - Successfully connected to: 1.2.3.4
Wed Oct 10 15:05:26 2012 - ERROR - Connecting to sensor - 1.2.3.4: HTTPError: HTTP Error 400: Bad Request

It seems my credentials aren't correct, but I had already tried to create another account, unsuccessfully.

Do you have any idea?

Thanks.


evgenyp
New Member

Yes, I can ping and get HTTPS from the IPS; it seems that everything is OK, and it was working for a year, but after that PSOD everything stopped. I thought maybe I should reboot the ASA IPS module; I already rebooted it.

0 Karma

evgenyp
New Member

Really need your help!

0 Karma

evgenyp
New Member

Hello, could you help me with the same situation? One time after a PSOD of my ESXi host where the virtual Splunk is running, I saw that IPS logs had stopped going to Splunk. I updated cisco_ips to 2.0.0 and used the old script for IPS in Splunk (because with the web Splunk cisco_ips configuration I'm getting the following error:

Encountered the following error while trying to update: In handler 'localapps': Error while posting to url=/servicesNS/nobody/Splunk_CiscoIPS/admin/cisco_ips_setup/cisco_ips_setup_settings

then I just changed configured to 1)

in Cisco IPS sensor:

ips# sh statistics sdee-server
General
Open Subscriptions = 0
Blocked Subscriptions = 0
Maximum Available Subscriptions = 5
Maximum Events Per Retrieval = 500
Subscriptions

On the splunk:

Sun Nov 10 21:43:32 2013 - INFO - Checking for exsisting SubscriptionID on host: 192.168.1.2
Sun Nov 10 21:43:32 2013 - INFO - No exsisting SubscriptionID for host: 192.168.1.2
Sun Nov 10 21:43:32 2013 - INFO - Attempting to connect to sensor: 192.168.1.2
Sun Nov 10 21:43:32 2013 - INFO - Successfully connected to: 192.168.1.2
Sun Nov 10 21:43:32 2013 - ERROR - Connecting to sensor - 192.168.1.2: URLError:

host = seclog
source = /opt/splunk/var/log/splunk/sdee_get.log
sourcetype = sdee_connection

0 Karma

andrew_garvin
Path Finder

That message would seem to indicate that the Splunk server cannot connect to the IPS. I think you need to start with the basics. Can you ping the IPS from the Splunk server? Can you navigate to https://Sensor_IP/cgi-bin/sdee-server from the Splunk server?

0 Karma

andrew_garvin
Path Finder

When you initially set up the app and added the IPS sensors, it created a subscription on the sensor and put the subscription information in the $SPLUNK_HOME\etc\apps\Splunk_CiscoIPS\var\run directory. There should be one file for each sensor named Sensor_IP.run. When you deleted the app, re-installed it and tried to re-add the sensors, it tried to set up a new subscription. But the IPS sensor knew that there was already a subscription created and does not want to create another. There are three ways to fix this:

  1. Go back to the original copy of the IPS app (hopefully you still have it in a recycle bin) and put the run files back into $SPLUNK_HOME\etc\apps\Splunk_CiscoIPS\var\run. You only need the run file(s), nothing else. Make sure you stop Splunk before overwriting them with the old files and then start it back up again.
  2. Log in to the IPS sensor via the command line and delete the subscriptions created earlier. First do a "show statistics sdee-server" to view the existing SDEE subscriptions. Find the old one from before and then navigate to https://Sensor_IP/cgi-bin/sdee-server/?action=close&subscriptionId=SUB_ID. For example: https://10.1.1.1/cgi-bin/sdee-server/?action=close&subscriptionId=sub-16-a64a8e10.
  3. Wait for a few days. I believe the subscriptions will time out after 7 days. So if you wait they will expire and then it will start working again.

If that does not work, let me know and there are a few other things we can check on the IPS sensor.
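As an added example (not part of this thread or of the Splunk_CiscoIPS app), the following helper reads the sdee_get.log format pasted above, groups the ERROR lines per sensor, maps each failure class (401, 400, URLError) to the check suggested in the two answers here, and builds the subscription close URL from option 2. The sample log text is constructed from the lines in the thread; the HINTS wording is mine.

```python
import re
from collections import defaultdict
from urllib.parse import urlencode

# Constructed sample, copied from the sdee_get.log lines posted in the thread.
SAMPLE_LOG = """\
Wed Oct 10 15:00:22 2012 - INFO - Checking for exsisting SubscriptionID on host: 1.2.3.4
Wed Oct 10 15:00:22 2012 - INFO - No exsisting SubscriptionID for host: 1.2.3.4
Wed Oct 10 15:00:23 2012 - ERROR - Connecting to sensor - 1.2.3.4: HTTPError: HTTP Error 401: Unauthorized
Wed Oct 10 15:00:24 2012 - ERROR - Connecting to sensor - 1.2.3.4: HTTPError: HTTP Error 400: Bad Request
Sun Nov 10 21:43:32 2013 - ERROR - Connecting to sensor - 192.168.1.2: URLError:
"""

LINE_RE = re.compile(r"^(?P<ts>.+?) - (?P<level>INFO|ERROR) - (?P<msg>.*)$")
ERR_RE = re.compile(r"Connecting to sensor - (?P<host>\S+): (?P<detail>.*)$")

# Failure class -> the check the answers in this thread point to (my wording).
HINTS = {
    "401": "sensor rejected the credentials: verify the SDEE user/password configured for this sensor",
    "400": "sensor refused the request: check 'show statistics sdee-server' for a leftover subscription",
    "URLError": "no HTTP connection at all: check ping and https://<sensor>/cgi-bin/sdee-server reachability",
}

def parse_errors(text):
    """Return {host: [detail, ...]} for every ERROR line in sdee_get.log text."""
    errors = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("level") != "ERROR":
            continue
        e = ERR_RE.search(m.group("msg"))
        if e:
            errors[e.group("host")].append(e.group("detail").strip())
    return dict(errors)

def classify(detail):
    """Map one error detail string to a HINTS key, or 'unknown'."""
    if "URLError" in detail:
        return "URLError"
    m = re.search(r"HTTP Error (\d{3})", detail)
    return m.group(1) if m and m.group(1) in HINTS else "unknown"

def report(text):
    """Per sensor, the sorted set of failure classes seen in the log."""
    return {h: sorted({classify(d) for d in ds}) for h, ds in parse_errors(text).items()}

def close_url(sensor_ip, subscription_id):
    """Build the SDEE close URL from option 2 above for a subscription you own."""
    query = urlencode({"action": "close", "subscriptionId": subscription_id})
    return f"https://{sensor_ip}/cgi-bin/sdee-server/?{query}"
```

Run report() over the real $SPLUNK/var/log/splunk/sdee_get.log to see at a glance whether a sensor is failing on credentials, on a leftover subscription, or on plain connectivity.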

rbw78
Communicator

Up, I really need some help on it 🙂

0 Karma