
How do I index SDEE data from a Cisco IPS?

Splunk Employee

I have a Cisco IPS in my environment that does not support syslog. How can I pull events from the SDEE interface?

0 Karma

Re: How do I index SDEE data from a Cisco IPS?

Splunk Employee

The Cisco IPS add-on can be found here on Splunkbase: http://www.splunkbase.com/apps/All/4.x/Add-On/app:Cisco+IPS+SDEE+Data+Collector

To install this add-on, unpack this file into $SPLUNK_HOME/etc/apps and restart.

To configure the SDEE input, copy the following stanza for each sensor you would like to monitor into local/inputs.conf.

#The arguments must be in the following order: <user> <pass> <host>
[script://$SPLUNK_HOME/etc/apps/cisco_ips_addon/bin/get_ips_feed.py cisco cisco 10.0.0.1]
sourcetype = cisco_ips_syslog
source = SDEE
disabled = false
interval = 1

Re: How do I index SDEE data from a Cisco IPS?

New Member

Can anyone else confirm this works? The md5 function used to create the Authorization header would introduce an extra \n in the HTTP headers. I had to change the code to make it work. In addition, when you restart Splunk, it never closes the subscription. That subscription stays there for a very long time. The sensor could run out of available subscriptions and you have to either reboot the sensor or manually issue curl requests to clear the stale subscriptions. How does one go about submitting patches for this?

0 Karma
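
One way a stray newline can end up in an Authorization header in Python is a line-wrapping Base64 encoder. The sketch below is an added example, not the add-on's code: it assumes HTTP Basic authentication built with the standard `base64` module (the post does not show the script's header code), uses the sample host and credentials from the inputs.conf stanza above, and a placeholder request path.

```python
import base64

def basic_auth_wrapping(user, password):
    # Faulty pattern: encodebytes() appends "\n" (and wraps every 76 chars).
    token = base64.encodebytes(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def basic_auth(user, password):
    # b64encode() emits a single line with no trailing newline.
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def check_header_value(value):
    # Refuse CR/LF so a bad value fails loudly instead of corrupting the request.
    if "\r" in value or "\n" in value:
        raise ValueError(f"CR/LF in header value: {value!r}")
    return value

def build_request(host, path, auth_value):
    # Minimal HTTP/1.1 GET, serialized by hand to show the bytes on the wire.
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}",
             f"Authorization: {auth_value}", "Accept: text/xml"]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def headers_seen(raw):
    # Header names read by a lenient parser (bare LF ends a line) up to the blank line.
    names = []
    for line in raw.decode("ascii").replace("\r\n", "\n").split("\n")[1:]:
        if line == "":
            break
        names.append(line.split(":", 1)[0])
    return names

# Sample values from the inputs.conf stanza; the path is a constructed placeholder.
HOST, USER, PASSWORD, PATH = "10.0.0.1", "cisco", "cisco", "/placeholder-path"

if __name__ == "__main__":
    bad = build_request(HOST, PATH, basic_auth_wrapping(USER, PASSWORD))
    good = build_request(HOST, PATH, check_header_value(basic_auth(USER, PASSWORD)))
    print(headers_seen(bad))   # headers after Authorization are lost
    print(headers_seen(good))  # all three headers survive
```

With the wrapping encoder, the newline followed by the normal CRLF looks like the blank line that ends the header block, so every header after Authorization is treated as body.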

Re: How do I index SDEE data from a Cisco IPS?

Splunk Employee

Hi Ericb, thank you for the feedback. Can you send me a note will at Splunk about the new line character you are adding to the header? I have not experienced an issue with connections to the sensors in our lab. The script uses the force function which should force a subscription and cancel the oldest one. If this is not what's happening for you, we should investigate that as well.

0 Karma

Re: How do I index SDEE data from a Cisco IPS?

New Member

I have added three sensors to the inputs.conf file, but I am only able to see events from the first one. I can see Splunk is querying the other two and getting responses, but the data is not showing up. Is there something special I need to do for more than one sensor?

Thanks, this is awesome and fills a major gap in the Cisco IPS system. Splunk and this add-in are much better than MARS.

0 Karma

Re: How do I index SDEE data from a Cisco IPS?

New Member

I have installed the IPS Collector app and I am now receiving events from my sensors. However, the client requires that all events/alerts be logged so that monthly reports can be created and presented to them. So basically I'm looking for a way to take all the info that the add-on is giving me and have it automatically saved in some sort of file (perhaps a new file per day?) or database.

Does anyone know if Splunk can do this, and if not, of a solution that can?

0 Karma