I'm trying to get the trial of Splunk up and running on a Windows 2008 Std 64-bit SP2 server: 16GB RAM, dual quad-core 3.0GHz processors. I'm starting with the Cisco Security app and am running into an issue on the IPS setup. I've installed and set up the Splunk for Cisco IPS app v. 1.0.1, but I'm running into the following issues that I can't seem to get past. (Sorry for the long post, but I wasn't sure what would be most useful.)
First after install and setup I receive the following errors in splunkd.log:
03-28-2011 23:13:14.084 -0400 ERROR FrameworkUtils - Incorrect path to script: E:\Program Files\Splunk/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py. Script must be in a bin subdirectory in $SPLUNK_HOME.
03-28-2011 23:13:14.084 -0400 ERROR ExecProcessor - Ignoring: ""E:\Program Files\Splunk/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py" username password 10.1.1.1"
I took a guess that it may be because the slashes after the Splunk directory are the wrong way; if I change them in the E:\Program Files\Splunk\etc\apps\Splunk_CiscoIPS\local\inputs.conf file to:
script://$SPLUNK_HOME/etc\apps\Splunk_CiscoIPS\bin\get_ips_feed.py it gets past the last error but now the following 4 lines repeat in splunkd.log and no data is indexed:
03-28-2011 23:26:24.333 -0400 ERROR ExecProcessor - message from "python "E:\Program Files\Splunk\etc\apps\Splunk_CiscoIPS\bin\get_ips_feed.py" username password 10.1.1.1" Traceback (most recent call last):
03-28-2011 23:26:24.333 -0400 ERROR ExecProcessor - message from "python "E:\Program Files\Splunk\etc\apps\Splunk_CiscoIPS\bin\get_ips_feed.py" username password 10.1.1.1" File "E:\Program Files\Splunk\etc\apps\Splunk_CiscoIPS\bin\get_ips_feed.py", line 2, in
03-28-2011 23:26:24.333 -0400 ERROR ExecProcessor - message from "python "E:\Program Files\Splunk\etc\apps\Splunk_CiscoIPS\bin\get_ips_feed.py" username password 10.1.1.1" from pysdee.pySDEE import SDEE
03-28-2011 23:26:24.333 -0400 ERROR ExecProcessor - message from "python "E:\Program Files\Splunk\etc\apps\Splunk_CiscoIPS\bin\get_ips_feed.py" username password 10.1.1.1" OverflowError: modification time overflows a 4 byte field
I don't know if it's a Python issue or something else. I've tried with the latest release, the previous release, 32-bit, and the old version of the IPS app, all with the same result. We're pretty new to Splunk and are just starting to trial it, so hopefully I've missed something simple.
Thanks!
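An added diagnostic example for the second error, not part of the question above and not Splunk's or the Cisco IPS app's own code. In CPython 2.x the message "modification time overflows a 4 byte field" is raised by the import machinery when it byte-compiles a module whose source file has an st_mtime that does not fit a 32-bit field (negative, or 2**32 seconds and beyond), which is consistent with the traceback dying on `from pysdee.pySDEE import SDEE` rather than inside that module. The script below walks an app directory, reports every file whose timestamp would overflow that field, and can reset those timestamps to now. The demo tree it builds (bin/get_ips_feed.py, bin/pysdee/pySDEE.py, chosen to mirror the traceback) and the far-future mtime it applies are constructed for the example; the script name is hypothetical.

```python
from __future__ import print_function

import os
import sys
import tempfile
import time

# CPython's .pyc header stores the source mtime in 4 bytes; the importer
# raises OverflowError for any st_mtime that does not fit that field.
FIELD_LIMIT = 2 ** 32


def mtime_fits_4_bytes(mtime):
    """True when an mtime (seconds since the epoch) fits an unsigned 32-bit field."""
    return 0 <= int(mtime) < FIELD_LIMIT


def find_bad_mtimes(root):
    """Walk root and return sorted [(path, mtime)] for files whose mtime overflows."""
    bad = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
            except OSError:
                continue  # unreadable entries cannot be imported anyway
            if not mtime_fits_4_bytes(mtime):
                bad.append((path, mtime))
    return sorted(bad)


def reset_mtime(path, when=None):
    """Rewrite atime/mtime of path to `when` (default: now); return the new mtime."""
    when = time.time() if when is None else when
    os.utime(path, (when, when))
    return os.stat(path).st_mtime


def build_demo_app():
    """Construct a throwaway app tree with one deliberately bad timestamp.

    File names mirror the traceback in the question; the contents and the
    far-future mtime (just past 2**32, i.e. February 2106) are constructed.
    """
    root = tempfile.mkdtemp(prefix="mtime_demo_")
    good = os.path.join(root, "bin", "get_ips_feed.py")
    bad = os.path.join(root, "bin", "pysdee", "pySDEE.py")
    for path in (good, bad):
        try:
            os.makedirs(os.path.dirname(path))
        except OSError:
            pass  # directory already exists
        with open(path, "w") as fh:
            fh.write("# constructed sample module\n")
    os.utime(bad, (FIELD_LIMIT + 100, FIELD_LIMIT + 100))
    return root, bad


def main(argv):
    # Usage: check_mtimes.py [APP_DIR] [--fix]; with no APP_DIR, scan the demo tree.
    args = [a for a in argv[1:] if not a.startswith("--")]
    root = args[0] if args else build_demo_app()[0]
    problems = find_bad_mtimes(root)
    for path, mtime in problems:
        print("%s: mtime %d does not fit a 4-byte field" % (path, mtime))
        if "--fix" in argv:
            print("  reset to %d" % reset_mtime(path))
    return 1 if problems and "--fix" not in argv else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the interpreter Splunk itself uses, e.g. `splunk cmd python check_mtimes.py "E:\Program Files\Splunk\etc\apps\Splunk_CiscoIPS"`, so the same stat values the failing import saw are checked; add `--fix` to rewrite any offending timestamps. It reports only timestamps outside the 32-bit range, so a clean run means the cause lies elsewhere.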