Getting Data In

How do I install the Cisco IPS add-on?

Splunk Employee
Splunk Employee

How do I install and configure the Cisco SDEE data input and IPS add-on on SplunkBase:

http://www.splunkbase.com/apps/All/4.x/app:Cisco+IPS+SDEE+Data+Collector

0 Karma

New Member

how do i filter so splunk only accept/get high and medium alert ?

thx

0 Karma

Splunk Employee
Splunk Employee

To install this add-on, you will need to unpack this file into $SPLUNK_HOME/etc/apps create or modify local/inputs.conf and restart.

Modifying inputs.conf:

Open the inputs.conf file located at $SPLUNK_HOME/etc/apps/cisco_ips_addon/local/inputs.conf

You will need to create an entry for each sensor you would like to monitor using the following stanza:


[script://$SPLUNK_HOME/etc/apps/cisco_ips_addon/bin/get_ips_feed.py user pass sensor_ip]
sourcetype = cisco_ips_syslog
source = SDEE
disabled = false
interval = 1

The scripted input creates sensor_ip.run file in the $SPLUNK_HOME/etc/apps/cisco_ips_addon/var/run directory which is updated each time Splunk attempts to connect to a sensor. If you are having issues connecting to a sensor or are not seeing IPS data in Splunk the following search may be used for troubleshooting: index="_internal" sourcetype="sdee_connection"

The real time and overview dashboards as well as the included searches and reports in this add-on rely on the search: eventtype=cisco_ips in order to report on Cisco IPS data.

There is one scheduled search included in this add-on which creates an cache for the dashboard every 3 hours with a Splunk enterprise license.

To change the schedule you can edit the following search under the manager:

Cisco IPS - DataCube

For help getting set up e-mail me at: will@splunk.com

Splunk Employee
Splunk Employee

I believe that search should produce the app's scripted input connection status messages. The scripted input connects to a Cisco IPS sensor/device.

The app's inputs.conf has stanza:

[monitor://$SPLUNKHOME/var/log/splunk/sdeeget.log]
index = internal
sourcetype = sdee
connection

The sdeeget log file is actually written out by the scripted input - getipsfeed.py, mentioned above. It looks like that script output two log files - sdeeget.log and ips_sdee.log.

The sdeeget.log contains the script's connection status messages. The ipssdee.log contains the actual IPS related data.

0 Karma

Splunk Employee
Splunk Employee

What is the search - index="_internal" sourcetype="sdee_connection" supposed to produce?

0 Karma