I recently migrated my Splunk from Windows 2012 to Linux (CentOS). I am currently running Splunk Enterprise 6.3.2. I added the Splunk Add-on for Cisco IPS ver. 2.1.5 and had to manually configure the inputs.conf file just to get Splunk to make a successful connection to the IPS. Now that the SDEE subscription is valid, I get this error:
ERROR - Connecting to sensor - X.X.X.2: Traceback (most recent call last): File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py", line 99, in run sdee.open() File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/pysdee/pySDEE.py", line 187, in open self._request(params) File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/pysdee/pySDEE.py", line 163, in _request data = urllib2.urlopen(req) File "/opt/splunk/lib/python2.7/urllib2.py", line 154, in urlopen return opener.open(url, data, timeout) File "/opt/splunk/lib/python2.7/urllib2.py", line 431, in open response = self._open(req, data) File "/opt/splunk/lib/python2.7/urllib2.py", line 449, in _open '_open', req) File "/opt/splunk/lib/python2.7/urllib2.py", line 409, in _call_chain result = func(*args) File "/opt/splunk/lib/python2.7/urllib2.py", line 1240, in https_open context=self._context) File "/opt/splunk/lib/python2.7/urllib2.py", line 1197, in do_open raise URLError(err) URLError:
Klaxdal's fix works. Why hasn't it been integrated into the stock TA yet? It's been almost a year!
Are you using Splunk 6.4?
If so, the new Python 2.7.11 libs seem to bork out the Base64 password conversion section of pySDEE.py, located in:
/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/pysdee
So... here is what I did to change it:
Replace line 164 of the file with the following:
req.add_header('Authorization', "BASIC %s" % (self._b64pass.replace('\n', '')))
Worked like a charm
- INFO - Attempting to connect to sensor: candeal-ips-2
Wed Apr 27 09:35:57 2016 - INFO - Successfully connected to: candeal-ips-2
Wed Apr 27 09:35:57 2016 - INFO - Checking for existing SubscriptionID on host: candeal-ips-1
Wed Apr 27 09:35:57 2016 - INFO - No existing SubscriptionID for host: candeal-ips-1
Wed Apr 27 09:35:57 2016 - INFO - Attempting to connect to sensor: candeal-ips-1
Wed Apr 27 09:35:57 2016 - INFO - Successfully connected to: candeal-ips-1
Wed Apr 27 09:35:59 2016 - INFO - Successfully connected to: candeal-ips-1
Wed Apr 27 09:35:59 2016 - INFO - host="candeal-ips-1" SessionID="48436f106cdef9a21176c4151b7bfacd" SubscriptionID="sub-3-5bae0fff"
Wed Apr 27 09:35:59 2016 - INFO - Successfully connected to: ips-2
Wed Apr 27 09:35:59 2016 - INFO - host="candeal-ips-2" SessionID="92422ed39a6138baab166b468b6d532c" SubscriptionID="sub-3-848eb720"
Let me know how you make out.
Klaxdal,
Your answer should really be its own question and answer. It solved my issue with Cisco IPS with Splunk 6.4. One thing to note is I had to restart Splunk twice for it to start working: on the first restart it threw an error, but on the second restart it worked.
Error after first restart:
ERROR - Exception thrown in sdee.get(): Traceback (most recent call last): File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py", line 117, in run sdee.get() File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/pysdee/pySDEE.py", line 211, in get self._request(params, **kwargs) File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/pysdee/pySDEE.py", line 163, in _request data = urllib2.urlopen(req) File "/opt/splunk/lib/python2.7/urllib2.py", line 154, in urlopen return opener.open(url, data, timeout) File "/opt/splunk/lib/python2.7/urllib2.py", line 437, in open response = meth(req, response) File "/opt/splunk/lib/python2.7/urllib2.py", line 550, in http_response 'http', request, response, code, msg, hdrs) File "/opt/splunk/lib/python2.7/urllib2.py", line 475, in error return self._call_chain(*args) File "/opt/splunk/lib/python2.7/urllib2.py", line 409, in _call_chain result = func(*args) File "/opt/splunk/lib/python2.7/urllib2.py", line 558, in http_error_default raise HTTPError(req.get_full_url(), code, msg, hdrs, fp) HTTPError: HTTP Error 400: Bad Request
Changed to TLSv1 and changed line per your instructions. Worked like a champ!
Thanks!!
Do you have an email address? I will just email you the .py file...
Create a throwaway Gmail account and I will send the .py to you. Replace the one you have.
Got it, tequilalinux@gmail.com
Just sent...
Thanks klaxdal, I replaced the file and now I get this error:
Sat Jun 4 13:27:37 2016 - ERROR - Connecting to sensor - X.X.X.X : Traceback (most recent call last): File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py", line 99, in run sdee.open() File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/pysdee/pySDEE.py", line 188, in open self._request(params) File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/pysdee/pySDEE.py", line 164, in _request data = urllib2.urlopen(req) File "/opt/splunk/lib/python2.7/urllib2.py", line 154, in urlopen return opener.open(url, data, timeout) File "/opt/splunk/lib/python2.7/urllib2.py", line 431, in open response = self._open(req, data) File "/opt/splunk/lib/python2.7/urllib2.py", line 449, in _open '_open', req) File "/opt/splunk/lib/python2.7/urllib2.py", line 409, in _call_chain result = func(*args) File "/opt/splunk/lib/python2.7/urllib2.py", line 1240, in https_open context=self._context) File "/opt/splunk/lib/python2.7/urllib2.py", line 1197, in do_open raise URLError(err) URLError:
Sat Jun 4 13:27:34 2016 - INFO - Successfully connected to: X.X.X.X
Sat Jun 4 13:27:34 2016 - INFO - Attempting to connect to sensor: X.X.X.X
Oh, yeah, and try connecting with either TLSv1_1 or TLSv1 first.
Hi, could you please clarify this change:
Replace line 164 of the file with the following:
req.add_header('Authorization', "BASIC %s" % (self._b64pass.replace('\n', '')))
This means that the original line:
req.add_header('Authorization', "BASIC %s" % (self._b64pass))
Will be replaced with:
req.add_header('Authorization', "BASIC %s" % (self._b64pass.replace('\n', '')))
??
Yes, your assumption is correct - this should fix the issue when running 6.4.
Let me know how you make out.
Kristofer
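Added example (not from this thread, the Cisco IPS TA, or pySDEE.py) showing why the one-line change above is needed, written in Python 3 rather than the Splunk-bundled Python 2.7 seen in the tracebacks. The line-wrapping encoder the TA relied on (base64.encodestring in Python 2, base64.encodebytes in Python 3) always appends a trailing newline; newer httplib/http.client builds refuse any header value containing a bare CR or LF as part of their header-injection hardening, so an Authorization header built from that output fails before the request reaches the sensor. The credentials, host and path are constructed placeholders, and the sensor is never contacted because putrequest and putheader only buffer bytes.

```python
import base64
import http.client

# Constructed placeholder credentials, host and path (not real sensor values).
USER = "sdee-reader"
PASSWORD = "example-password"
SENSOR_HOST = "sensor.invalid"
SDEE_PATH = "/cgi-bin/sdee-server"


def legacy_b64(user, password):
    """What a line-wrapping encoder returns: base64.encodestring in Python 2,
    base64.encodebytes in Python 3. The result always ends with a newline."""
    raw = "{}:{}".format(user, password).encode("utf-8")
    return base64.encodebytes(raw).decode("ascii")


def fixed_b64(user, password):
    """The thread's fix applied to the encoder output: strip the newline
    before it reaches the Authorization header."""
    return legacy_b64(user, password).replace("\n", "")


def basic_auth_value(user, password):
    """Cleaner form: base64.b64encode neither wraps lines nor appends a
    newline, so no post-processing is needed."""
    raw = "{}:{}".format(user, password).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def header_is_accepted(value):
    """Return True if http.client accepts the header value, False if it raises
    ValueError ('Invalid header value'). putrequest and putheader only buffer
    bytes, so nothing is sent and the placeholder host is never resolved."""
    conn = http.client.HTTPConnection(SENSOR_HOST)
    try:
        conn.putrequest("GET", SDEE_PATH)
        conn.putheader("Authorization", value)
    except ValueError:
        return False
    finally:
        conn.close()
    return True


if __name__ == "__main__":
    legacy = legacy_b64(USER, PASSWORD)
    print(repr(legacy))  # note the trailing newline
    print("legacy accepted:   ", header_is_accepted("Basic " + legacy))
    print("fixed accepted:    ", header_is_accepted("Basic " + fixed_b64(USER, PASSWORD)))
    print("b64encode accepted:", header_is_accepted(basic_auth_value(USER, PASSWORD)))
```

Stripping the newline, as the thread does, and switching to b64encode produce the same header value; the second avoids the dependency on the encoder's line-wrapping behaviour altogether, which is the safer choice if the file is edited again.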
Hi Kristofer,
I still have this issue and no data coming from Cisco IPS:
Sat Jun 4 11:57:09 2016 - ERROR - Connecting to sensor - X.X.X.X: Traceback (most recent call last): File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py", line 99, in run sdee.open() File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/pysdee/pySDEE.py", line 187, in open self._request(params) File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/pysdee/pySDEE.py", line 163, in _request data = urllib2.urlopen(req) File "/opt/splunk/lib/python2.7/urllib2.py", line 154, in urlopen return opener.open(url, data, timeout) File "/opt/splunk/lib/python2.7/urllib2.py", line 437, in open response = meth(req, response) File "/opt/splunk/lib/python2.7/urllib2.py", line 550, in http_response 'http', request, response, code, msg, hdrs) File "/opt/splunk/lib/python2.7/urllib2.py", line 475, in error return self._call_chain(*args) File "/opt/splunk/lib/python2.7/urllib2.py", line 409, in _call_chain result = func(*args) File "/opt/splunk/lib/python2.7/urllib2.py", line 558, in http_error_default raise HTTPError(req.get_full_url(), code, msg, hdrs, fp) HTTPError: HTTP Error 401: Unauthorized
Remember you need to restart Splunk after every change to a .py file - did you restart?
Yes, I restarted Splunk after the .py change and this is what I get:
Sat Jun 4 14:48:03 2016 - ERROR - Connecting to sensor - X.X.X.X: Traceback (most recent call last): File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py", line 99, in run sdee.open() File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/pysdee/pySDEE.py", line 188, in open self._request(params) File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/pysdee/pySDEE.py", line 164, in _request data = urllib2.urlopen(req) File "/opt/splunk/lib/python2.7/urllib2.py", line 154, in urlopen return opener.open(url, data, timeout) File "/opt/splunk/lib/python2.7/urllib2.py", line 431, in open response = self._open(req, data) File "/opt/splunk/lib/python2.7/urllib2.py", line 449, in _open '_open', req) File "/opt/splunk/lib/python2.7/urllib2.py", line 409, in _call_chain result = func(*args) File "/opt/splunk/lib/python2.7/urllib2.py", line 1240, in https_open context=self._context) File "/opt/splunk/lib/python2.7/urllib2.py", line 1197, in do_open raise URLError(err) URLError:
This looks similar to a bug (ADDON-6014) that was encountered after upgrading to Splunk 6.3 (the root cause was a newer version of Python in Splunk 6.3 which contained changes to the urllib2 library that the TA uses).
That was resolved in Cisco IPS version 2.1.5 -- which you mention you have in your original question.
My initial hypothesis would be that the IPS query code was not updated appropriately. Was the IPS TA installed from scratch or upgraded from a previous version? Either should be fine but I'm trying to learn more about the environment to determine what could be causing this. Do you have a support case open? In this specific case, it may be easier to help by reviewing a diag.
The IPS TA was installed from scratch on this newly built server. I opened a support case as well, #000328995.
I have also been looking at the pySDEE.py file in /opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/pysdee and noticed that the file references TLSv1_1 rather than SSLv3, and I don't know if that is an issue. I made a change to the file to use SSLv3, and if that doesn't clear up the problem, I will change it back.
Thank you.
I forgot to add that I have a distributed setup with a search head and an indexer.