Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I install the Cisco IPS add-on?

Will_Hayes
Splunk Employee
Splunk Employee
‎06-06-2010 07:14 PM

How do I install and configure the Cisco SDEE data input and IPS add-on on SplunkBase:

http://www.splunkbase.com/apps/All/4.x/app:Cisco+IPS+SDEE+Data+Collector

0 Karma
Reply

supernana
New Member
‎10-19-2012 05:28 AM

how do i filter so splunk only accept/get high and medium alert ?

thx

0 Karma
Reply

Will_Hayes
Splunk Employee
Splunk Employee
‎06-06-2010 07:15 PM

To install this add-on, you will need to unpack this file into $SPLUNK_HOME/etc/apps create or modify local/inputs.conf and restart.

Modifying inputs.conf:

Open the inputs.conf file located at $SPLUNK_HOME/etc/apps/cisco_ips_addon/local/inputs.conf

You will need to create an entry for each sensor you would like to monitor using the following stanza:


[script://$SPLUNK_HOME/etc/apps/cisco_ips_addon/bin/get_ips_feed.py user pass sensor_ip]
sourcetype = cisco_ips_syslog
source = SDEE
disabled = false
interval = 1

The scripted input creates sensor_ip.run file in the $SPLUNK_HOME/etc/apps/cisco_ips_addon/var/run directory which is updated each time Splunk attempts to connect to a sensor. If you are having issues connecting to a sensor or are not seeing IPS data in Splunk the following search may be used for troubleshooting: index="_internal" sourcetype="sdee_connection"

The real time and overview dashboards as well as the included searches and reports in this add-on rely on the search: eventtype=cisco_ips in order to report on Cisco IPS data.

There is one scheduled search included in this add-on which creates an cache for the dashboard every 3 hours with a Splunk enterprise license.

To change the schedule you can edit the following search under the manager:

Cisco IPS - DataCube

For help getting set up e-mail me at: will@splunk.com

Reply

dleung
Splunk Employee
Splunk Employee
‎12-27-2010 07:18 PM

I believe that search should produce the app's scripted input connection status messages. The scripted input connects to a Cisco IPS sensor/device.

The app's inputs.conf has stanza:

[monitor://$SPLUNK_HOME/var/log/splunk/sdee_get.log]
index = _internal
sourcetype = sdee_connection

The sdee_get log file is actually written out by the scripted input - get_ips_feed.py, mentioned above. It looks like that script output two log files - sdee_get.log and ips_sdee.log.

The sdee_get.log contains the script's connection status messages. The ips_sdee.log contains the actual IPS related data.

0 Karma
Reply

Mick
Splunk Employee
Splunk Employee
‎11-03-2010 03:43 PM

What is the search - index="_internal" sourcetype="sdee_connection" supposed to produce?

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Top