Getting Data In

How do I install the Cisco IPS add-on?

Will_Hayes
Splunk Employee
Splunk Employee

How do I install and configure the Cisco SDEE data input and IPS add-on on SplunkBase:

http://www.splunkbase.com/apps/All/4.x/app:Cisco+IPS+SDEE+Data+Collector

0 Karma

supernana
New Member

how do i filter so splunk only accept/get high and medium alert ?

thx

0 Karma

Will_Hayes
Splunk Employee
Splunk Employee

To install this add-on, you will need to unpack this file into $SPLUNK_HOME/etc/apps create or modify local/inputs.conf and restart.

Modifying inputs.conf:

Open the inputs.conf file located at $SPLUNK_HOME/etc/apps/cisco_ips_addon/local/inputs.conf

You will need to create an entry for each sensor you would like to monitor using the following stanza:


[script://$SPLUNK_HOME/etc/apps/cisco_ips_addon/bin/get_ips_feed.py user pass sensor_ip]
sourcetype = cisco_ips_syslog
source = SDEE
disabled = false
interval = 1

The scripted input creates sensor_ip.run file in the $SPLUNK_HOME/etc/apps/cisco_ips_addon/var/run directory which is updated each time Splunk attempts to connect to a sensor. If you are having issues connecting to a sensor or are not seeing IPS data in Splunk the following search may be used for troubleshooting: index="_internal" sourcetype="sdee_connection"

The real time and overview dashboards as well as the included searches and reports in this add-on rely on the search: eventtype=cisco_ips in order to report on Cisco IPS data.

There is one scheduled search included in this add-on which creates an cache for the dashboard every 3 hours with a Splunk enterprise license.

To change the schedule you can edit the following search under the manager:

Cisco IPS - DataCube

For help getting set up e-mail me at: [email protected]

dleung
Splunk Employee
Splunk Employee

I believe that search should produce the app's scripted input connection status messages. The scripted input connects to a Cisco IPS sensor/device.

The app's inputs.conf has stanza:

[monitor://$SPLUNK_HOME/var/log/splunk/sdee_get.log]
index = _internal
sourcetype = sdee_connection

The sdee_get log file is actually written out by the scripted input - get_ips_feed.py, mentioned above. It looks like that script output two log files - sdee_get.log and ips_sdee.log.

The sdee_get.log contains the script's connection status messages. The ips_sdee.log contains the actual IPS related data.

0 Karma

Mick
Splunk Employee
Splunk Employee

What is the search - index="_internal" sourcetype="sdee_connection" supposed to produce?

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

From Data to Insight: Announcing the Winners of the Splunk Dashboard Contest

Hi Splunkers, First off, thank you to everyone who participated in our very first From Data to Insight: The ...

Splunk Developers: Construct Your Future at the .conf26 Builder Bar

Calling all Splunk architects, platform admins, and app developers: the site is open, and the blueprints are ...

Quick connection discovery mode for forwarders

When a Splunk forwarder loses connectivity to its indexers, it does not always reconnect immediately. In many ...