Getting Data In

Splunk for Cisco IPS - connects to IPS every second regardless of "interval" setting

joshd
Builder

Hello,

I've noticed that after changing the interval setting within inputs.conf for our various IPSes, it still connects to the IPSes every 1 second regardless of what I set the interval to. Is there a reason for it not respecting this value? Or is there a setting that I may be missing?

Thanks, Josh


ysouchon
Explorer

Hi Josh,

I have the same troubles as you. After a quick look, I think I found the mistake:

File get_ips_feed.py:

    [...]
    while 1:
        try:
            sdee.get()
        except:
    [...]

I do not know why, but the loop runs forever; there is no exit/break in this loop.
We should ask Splunk why... maybe it's a bug.

A quick and dirty fix: add a break at the end of the loop:

    ### Comment/Uncomment to write to stdout
    # print syslog_msg + "\n"
    break

It seems to work for me. Do not forget to change the "interval" option to 60 for example.
Let me know if it works for you too.


dleung
Splunk Employee

Hey Josh, the SDEE connection module, used by get_ips_feed.py, has a default 1 second retry on unsuccessful connections. As such, it sounds like it might be a connection issue.

The scripted input writes to log file $SPLUNK_HOME/var/log/splunk/sdee_get.log which contains status information for the connection. Have you tried checking that to see if there's any information there?

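As an added illustration of the point raised in the two replies above (this is not code from the Cisco IPS app or from either poster), here is how a scripted input's fetch loop can bound its retries and return after one poll, so that the script process exits and Splunk's "interval" setting, rather than a 1-second retry timer, sets the cadence. The SdeeClient class and its failure count are constructed stand-ins for the real SDEE module, and the sdee_get logger name mirrors the log file mentioned above.

```python
import logging
import time


class SdeeClient:
    """Constructed stand-in for the SDEE module: fails a fixed number of
    times, then returns one batch of events (placeholder, not the real API)."""

    def __init__(self, failures_before_success):
        self.failures_left = failures_before_success
        self.calls = 0

    def get(self):
        self.calls += 1
        if self.failures_left > 0:
            self.failures_left -= 1
            raise ConnectionError("sensor unreachable")
        return ["evIdsAlert: constructed event 1", "evIdsAlert: constructed event 2"]


def poll_once(client, max_attempts=5, base_delay=1.0, sleep=time.sleep):
    """Fetch one batch of events and return (events, attempts_used).

    Unlike an unbounded `while 1: try: sdee.get() except: ...` loop, this
    retries at most `max_attempts` times with exponential backoff and then
    returns, so the process ends and Splunk's interval governs the next run.
    `sleep` is injectable so tests do not have to wait for real delays.
    """
    log = logging.getLogger("sdee_get")
    for attempt in range(1, max_attempts + 1):
        try:
            events = client.get()
            log.info("fetched %d events on attempt %d", len(events), attempt)
            return events, attempt
        except Exception as exc:  # the app's loop uses a bare except; log the cause instead
            delay = base_delay * (2 ** (attempt - 1))
            log.warning("attempt %d failed (%s); retrying in %.0fs", attempt, exc, delay)
            if attempt < max_attempts:
                sleep(delay)
    log.error("giving up after %d attempts; will retry on the next scheduled run", max_attempts)
    return [], max_attempts


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    events, attempts = poll_once(SdeeClient(failures_before_success=2), sleep=lambda s: None)
    for msg in events:
        print(msg)  # in the real script this is where syslog_msg is written to stdout
```

With a bounded loop like this, a sensor that is down shows up as warning lines in the log and a script that exits, not as a process that never leaves `ps aux`.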

joshd
Builder

Yeah, I looked into sdee_get.log initially and it does not report any issues; it shows successful connections to the IPS and then no more repeat messages. When I actually look at the process list on the machine (ps aux), I see the processes constantly running. Should this be the case, or should I only see them in the process list every X minutes as they are configured within inputs.conf?
