We're running a script that's used in the CiscoIPS app to pull event data from our IPS. Initially the interval was set at 1 (should be every 1 second) which was hitting our IPS more than we'd like. We then changed it to 300 (should be every 5 minutes), however after restarting both splunk services, it's still hitting the IPS every second. Any ideas?
The script used by the Cisco IPS addon is actually running indefinitely once it's been started, so it won't matter what interval you set for it to run. The timing is performed internally instead. I had a quick look at the script (get_ips_feed.py) and it seems there is no pause between its requests at all - once it's done with one connection it just keeps hammering away with the next.
You could modify the script to sleep at the end of its while loop; one suggestion would be to add a time.sleep(300) after the ipsLogger.info(syslog_msg) line (line 231).
It didn't affect the script at all. I tried restarting the entire server after implementing it, in case it was still running in memory, but no luck. Any other ideas?
Did you pay attention to the indentation level when you modified the script? Python interprets different indentation levels differently. The time.sleep line should be one level "up" (= less indentation) than the ipsLogger.info line. This should make the script sleep for 300 seconds after each run of its main loop.
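To make the indentation point concrete, here is an added, self-contained sketch of a polling loop with the sleep placed at both levels. It is not the add-on's get_ips_feed.py: the SDEE connection is replaced by an injected fetch() callable, the loop is bounded by a poll count so it can run offline, and parse_interval() is a constructed helper that only mirrors the trailing-interval argument shape shown in the 1.1.1 stanza below.

```python
"""Where a rate-limiting sleep belongs in a scripted-input polling loop.

Added example, not the Cisco IPS add-on's code. fetch() stands in for the
SDEE request and returns the syslog-formatted events of one poll.
"""
import logging
import sys
import time

ipsLogger = logging.getLogger("cisco_ips")


def parse_interval(argv, default=300):
    """Read an optional trailing poll interval (seconds) from argv.

    Constructed helper: argv is assumed to look like
    script username password ips_ip [interval], as in the 1.1.1 stanza.
    """
    if len(argv) < 5:
        return default
    try:
        interval = int(argv[4])
    except ValueError:
        raise SystemExit("interval must be an integer number of seconds")
    if interval < 1:
        raise SystemExit("interval must be at least 1 second")
    return interval


def run_polling_loop(fetch, interval, polls, sleep=time.sleep):
    """Correct placement: one sleep per pass of the main while loop.

    Returns (events_logged, total_seconds_slept) so the pacing is checkable.
    """
    events = 0
    slept = 0
    remaining = polls            # the real script loops forever; bounded here
    while remaining > 0:
        for syslog_msg in fetch():
            ipsLogger.info(syslog_msg)
            events += 1
        sleep(interval)          # same level as the 'for': one pause per poll
        slept += interval
        remaining -= 1
    return events, slept


def run_polling_loop_misindented(fetch, interval, polls, sleep=time.sleep):
    """Wrong placement: sleep indented inside the per-event loop.

    A busy sensor now stalls the feed (one pause per event), and a quiet
    sensor that returns no events is polled back-to-back with no pause at all.
    """
    events = 0
    slept = 0
    remaining = polls
    while remaining > 0:
        for syslog_msg in fetch():
            ipsLogger.info(syslog_msg)
            sleep(interval)      # one indentation level too deep
            slept += interval
            events += 1
        remaining -= 1
    return events, slept


if __name__ == "__main__":
    # Constructed sample feed: three events per poll, no network access.
    sample_events = ["evt1 sigId=1000", "evt2 sigId=2000", "evt3 sigId=3000"]
    interval = parse_interval(sys.argv)
    logging.basicConfig(level=logging.INFO)
    print(run_polling_loop(lambda: sample_events, interval, polls=2,
                           sleep=lambda s: None))
```

Running the correct version with three events per poll and two polls sleeps exactly twice; the misindented version sleeps six times, and with an empty feed it never sleeps, which is the "hammering every second" behaviour described in the question.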
You don't need to restart Splunk, scripts are called directly each time they're run rather than being kept in memory.
With the release of version 1.1.1 of the Cisco IPS app, you can now specify a polling interval in the inputs.conf. Below is an example that causes the script to wait 30 seconds in between polls of the Cisco IPS appliance. You must be running version 1.1.1 or higher to use this additional option at the end of the script. Changing the "interval" underneath the script command will not affect the polling of the IPS.
[script://$SPLUNK_HOME\etc\apps\Splunk_CiscoIPS\bin\get_ips_feed.py "username" "password" "IPS_IP" "30"]
disabled = 0
index = main
interval = 1
source = SDEE
sourcetype = cisco_ips_syslog