Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I install the Cisco IPS add-on?

Will_Hayes
Splunk Employee
Splunk Employee
‎06-06-2010 07:14 PM

How do I install and configure the Cisco SDEE data input and IPS add-on on SplunkBase:

http://www.splunkbase.com/apps/All/4.x/app:Cisco+IPS+SDEE+Data+Collector

0 Karma
Reply

supernana
New Member
‎10-19-2012 05:28 AM

how do i filter so splunk only accept/get high and medium alert ?

thx

0 Karma
Reply

Will_Hayes
Splunk Employee
Splunk Employee
‎06-06-2010 07:15 PM

To install this add-on, you will need to unpack this file into $SPLUNK_HOME/etc/apps create or modify local/inputs.conf and restart.

Modifying inputs.conf:

Open the inputs.conf file located at $SPLUNK_HOME/etc/apps/cisco_ips_addon/local/inputs.conf

You will need to create an entry for each sensor you would like to monitor using the following stanza:


[script://$SPLUNK_HOME/etc/apps/cisco_ips_addon/bin/get_ips_feed.py user pass sensor_ip]
sourcetype = cisco_ips_syslog
source = SDEE
disabled = false
interval = 1

The scripted input creates sensor_ip.run file in the $SPLUNK_HOME/etc/apps/cisco_ips_addon/var/run directory which is updated each time Splunk attempts to connect to a sensor. If you are having issues connecting to a sensor or are not seeing IPS data in Splunk the following search may be used for troubleshooting: index="_internal" sourcetype="sdee_connection"

The real time and overview dashboards as well as the included searches and reports in this add-on rely on the search: eventtype=cisco_ips in order to report on Cisco IPS data.

There is one scheduled search included in this add-on which creates an cache for the dashboard every 3 hours with a Splunk enterprise license.

To change the schedule you can edit the following search under the manager:

Cisco IPS - DataCube

For help getting set up e-mail me at: will@splunk.com

Reply

dleung
Splunk Employee
Splunk Employee
‎12-27-2010 07:18 PM

I believe that search should produce the app's scripted input connection status messages. The scripted input connects to a Cisco IPS sensor/device.

The app's inputs.conf has stanza:

[monitor://$SPLUNK_HOME/var/log/splunk/sdee_get.log]
index = _internal
sourcetype = sdee_connection

The sdee_get log file is actually written out by the scripted input - get_ips_feed.py, mentioned above. It looks like that script output two log files - sdee_get.log and ips_sdee.log.

The sdee_get.log contains the script's connection status messages. The ips_sdee.log contains the actual IPS related data.

0 Karma
Reply

Mick
Splunk Employee
Splunk Employee
‎11-03-2010 03:43 PM

What is the search - index="_internal" sourcetype="sdee_connection" supposed to produce?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
Top