Hello, could you help me with the same situation? One time, after a PSOD of my ESXi host where the virtual Splunk is running, I saw that the IPS logs had stopped going to Splunk. I updated cisco_ips to 2.0.0 and used the old script for IPS in Splunk (because with the web Splunk cisco_ips configuration I get the following error:
Encountered the following error while trying to update: In handler 'localapps': Error while posting to url=/servicesNS/nobody/Splunk_CiscoIPS/admin/cisco_ips_setup/cisco_ips_setup_settings
then I just changed configured to 1)
in Cisco IPS sensor:
ips# sh statistics sdee-server
General
Open Subscriptions = 0
Blocked Subscriptions = 0
Maximum Available Subscriptions = 5
Maximum Events Per Retrieval = 500
Subscriptions
On Splunk (events from host = seclog, source = /opt/splunk/var/log/splunk/sdee_get.log, sourcetype = sdee_connection):
Sun Nov 10 21:43:32 2013 - INFO - Checking for exsisting SubscriptionID on host: 192.168.1.2
Sun Nov 10 21:43:32 2013 - INFO - No exsisting SubscriptionID for host: 192.168.1.2
Sun Nov 10 21:43:32 2013 - INFO - Attempting to connect to sensor: 192.168.1.2
Sun Nov 10 21:43:32 2013 - INFO - Successfully connected to: 192.168.1.2
Sun Nov 10 21:43:32 2013 - ERROR - Connecting to sensor - 192.168.1.2: URLError:
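An added example, not part of the original post or of the cisco_ips app: it parses sdee_get.log lines in the layout shown above, tracks the connection state per sensor, and flags any sensor whose latest line is an ERROR (the "connected, then URLError" sequence in the post). The sample lines are constructed from the post; the function names are assumptions of this example.

```python
"""Summarise sdee_get.log connection state per Cisco IPS sensor (added example)."""
import re
from datetime import datetime

# Constructed sample, copied from the line layout in the post.
SAMPLE_LOG = """\
Sun Nov 10 21:43:32 2013 - INFO - Checking for exsisting SubscriptionID on host: 192.168.1.2
Sun Nov 10 21:43:32 2013 - INFO - No exsisting SubscriptionID for host: 192.168.1.2
Sun Nov 10 21:43:32 2013 - INFO - Attempting to connect to sensor: 192.168.1.2
Sun Nov 10 21:43:32 2013 - INFO - Successfully connected to: 192.168.1.2
Sun Nov 10 21:43:32 2013 - ERROR - Connecting to sensor - 192.168.1.2: URLError:
"""

# "<Sun Nov 10 21:43:32 2013> - <LEVEL> - <message>" (assumed from the post's lines)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) - (?P<level>\w+) - (?P<msg>.*)$"
)
# The sensor address is taken as the last IPv4 literal in the message.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_line(line):
    """Return (timestamp, level, message) or None for lines that do not match."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("level"), m.group("msg")


def sensor_status(log_text):
    """Per sensor IP: whether a connect succeeded, plus the last level/message/time seen."""
    status = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, level, msg = parsed
        ips = IP_RE.findall(msg)
        if not ips:
            continue  # line is not about a specific sensor
        s = status.setdefault(ips[-1], {"connected": False})
        s.update(last_ts=ts, last_level=level, last_msg=msg)
        if "Successfully connected" in msg:
            s["connected"] = True
    return status


def failing_sensors(log_text):
    """Sensors whose most recent line is an ERROR: the condition worth alerting on."""
    return sorted(ip for ip, s in sensor_status(log_text).items() if s["last_level"] == "ERROR")
```

Run it over the real /opt/splunk/var/log/splunk/sdee_get.log to get a per-sensor view instead of reading the interleaved INFO lines by hand; a sensor listed by failing_sensors() with connected=True has reached the SDEE server but failed on the subsequent request.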