
Splunk Cisco IPS App - no data being pulled?

BenjaminWyatt
Communicator

We are currently attempting to use the Splunk for Cisco IPS App (http://apps.splunk.com/app/528/) to pull data from our IPS devices into Splunk. However, we have run into the following problem: while the script successfully authenticates against the IPS device, it does not seem to pull any data from the /cgi-bin/sdee-server endpoint. When I hit this endpoint in my browser (using the same credentials as the script is using), I see the log data, so I know it exists and is accessible by this account. No exceptions are raised in the logs, either; it appears the script is simply returning no data from the web request.

Any thoughts on what might be causing this problem?

1 Solution

BenjaminWyatt
Communicator

I figured out the problem. Posting my answer here in case it's helpful to others.

Essentially, it was an issue where the script was working, but for various reasons it looked kind of broken.

First of all, the script doesn't appear to pull historical alert data (you only get data from when you first turn on the script). This made me think that the script wasn't working, because I was expecting to get historical data.

Second, because the default polling interval is 15 seconds, the calls to the IPS API frequently return no alerts. Now, when you just hit the API in your browser, you get a ton of XML output, which includes alerts, healthchecks, etc. The script tosses the healthcheck information away and just keeps the alerts. This isn't a problem in and of itself, but there is no documentation in the app or logging in the script to indicate that is the expected behavior. So we were comparing what we saw in Splunk to what was in the webpage when we saw it in our browser, and that made us think that we were having a problem with the collection. We didn't figure out what was going on until we forced the script to log the raw XML output. Once we figured out that the script was just filtering out all the healthcheck data, we let the script run for a few hours and monitored for events - sure enough, they started showing up.

To any Splunk folks reading this - some official documentation to walk us through how the app worked, and what we could have expected in terms of data volume, would have been really helpful and saved us a considerable amount of time and frustration.


0 Karma
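An added example (not the Splunk app's own script, and not code from the poster) of the per-poll logging the answer above says was missing: it parses an SDEE-style XML response, separates alert records from healthcheck/status records, and emits one summary line so that "XML received but zero alerts" can be told apart from "nothing received". The namespace, element names (evIdsAlert, evStatus), attributes and both sample responses are constructed assumptions, not taken from the page or the real SDEE schema.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample responses, loosely modelled on SDEE XML. The element
# names (evIdsAlert, evStatus) and attributes are assumptions, not the
# real schema or anything copied from the Splunk app.
SDEE_NS = "http://example.invalid/sdee"
MIXED_RESPONSE = f"""<?xml version="1.0" encoding="UTF-8"?>
<sd:events xmlns:sd="{SDEE_NS}">
  <sd:evStatus eventId="1">healthcheck: sensor ok</sd:evStatus>
  <sd:evStatus eventId="2">healthcheck: sensor ok</sd:evStatus>
  <sd:evIdsAlert eventId="3" severity="high">
    <sd:signature id="2004">ICMP Echo Request</sd:signature>
  </sd:evIdsAlert>
  <sd:evStatus eventId="4">healthcheck: sensor ok</sd:evStatus>
</sd:events>""".encode()
# What a typical 15-second poll looks like: status records only, no alerts.
STATUS_ONLY_RESPONSE = f"""<?xml version="1.0" encoding="UTF-8"?>
<sd:events xmlns:sd="{SDEE_NS}">
  <sd:evStatus eventId="5">healthcheck: sensor ok</sd:evStatus>
</sd:events>""".encode()

def local_name(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]

def triage_sdee(xml_bytes: bytes) -> Dict[str, List[str]]:
    """Bucket top-level SDEE records by kind, keyed by their eventId."""
    root = ET.fromstring(xml_bytes)
    buckets: Dict[str, List[str]] = {"alert": [], "status": [], "other": []}
    for rec in root:
        kind = local_name(rec.tag)
        key = "alert" if kind == "evIdsAlert" else "status" if kind == "evStatus" else "other"
        buckets[key].append(rec.get("eventId", "?"))
    return buckets

def poll_summary(xml_bytes: bytes) -> str:
    """One log line per poll: distinguishes 'no body', 'body but no alerts'
    and 'alerts found' so that silent filtering is visible to the operator."""
    if not xml_bytes.strip():
        return "poll: empty response body (auth or endpoint problem?)"
    b = triage_sdee(xml_bytes)
    return (f"poll: {len(xml_bytes)} bytes, alerts={len(b['alert'])}, "
            f"status={len(b['status'])}, other={len(b['other'])}")

if __name__ == "__main__":
    for body in (MIXED_RESPONSE, STATUS_ONLY_RESPONSE, b""):
        print(poll_summary(body))
```

Logging a line like this on every poll, even when zero alerts come back, is what would have shown immediately that the collector was receiving and discarding healthcheck records rather than failing.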
