Splunk Cisco IPS App - no data being pulled?

BenjaminWyatt
Communicator

We are currently attempting to use the Splunk for Cisco IPS App (http://apps.splunk.com/app/528/) to pull data from our IPS devices into Splunk. However, we have run into the following problem: while the script successfully authenticates against the IPS device, it does not seem to pull any data from the /cgi-bin/sdee-server endpoint. When I hit this endpoint in my browser (using the same credentials as the script is using), I see the log data, so I know it exists and is accessible by this account. No exceptions are raised in the logs either; it appears the script is simply returning no data from the web request.

Any thoughts on what might be causing this problem?

1 Solution

BenjaminWyatt
Communicator

I figured out the problem. Posting my answer here in case it's helpful to others.

Essentially, it was an issue where the script was working, but for various reasons it looked kind of broken.

First of all, the script doesn't appear to pull historical alert data (you only get data from when you first turn on the script). This made me think that the script wasn't working, because I was expecting to get historical data.

Second, because the default polling interval is 15 seconds, the calls to the IPS API frequently return no alerts. Now, when you just hit the API in your browser, you get a ton of XML output, which includes alerts, healthchecks, etc. The script tosses the healthcheck information away and just keeps the alerts. This isn't a problem in and of itself, but there is no documentation in the app or logging in the script to indicate that is the expected behavior. So we were comparing what we saw in Splunk to what was in the webpage when we saw it in our browser, and that made us think that we were having a problem with the collection. We didn't figure out what was going on until we forced the script to log the raw XML output. Once we figured out that the script was just filtering out all the healthcheck data, we let the script run for a few hours and monitored for events - sure enough, they started showing up.

To any Splunk folks reading this - some official documentation to walk us through how the app worked, and what we could have expected in terms of data volume, would have been really helpful and saved us a considerable amount of time and frustration.

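The diagnosis above comes down to one missing check: a poll that returns records but no alerts is indistinguishable, in the indexed data, from a poll that returns nothing at all. The following is an added example (it is not part of the original thread and not the Cisco IPS app's own script) showing how a collector can split an SDEE-style response into alert and non-alert records and report the difference. The XML samples are constructed for this example; the element names (`evIdsAlert`, `evStatus`, `signature`) and namespace URIs are assumptions modelled on SDEE's conventions and should be checked against a real sensor response before the counts are trusted.

```python
"""Triage an SDEE-style poll response: how many records came back, how many
are alerts, and how many are non-alert (status/heartbeat) records that a
collector drops. Added example; not the Splunk for Cisco IPS app's code."""
import xml.etree.ElementTree as ET
from collections import Counter

# Assumed namespace URIs for the example; verify against the sensor's output.
NS = {
    "sd": "http://example.com/sdee",
    "cid": "http://www.cisco.com/cids/2006/08/cidee",
}
ALERT_TAG = "{%s}evIdsAlert" % NS["sd"]

# Constructed sample: a "quiet" 15-second poll that only carries status
# records. A collector that keeps only alerts indexes nothing from this.
SAMPLE_QUIET_POLL = """<?xml version="1.0"?>
<sd:events xmlns:sd="http://example.com/sdee"
           xmlns:cid="http://www.cisco.com/cids/2006/08/cidee">
  <sd:evStatus eventId="1" vendor="Cisco"><sd:time offset="0">1400000000</sd:time></sd:evStatus>
  <sd:evStatus eventId="2" vendor="Cisco"><sd:time offset="0">1400000015</sd:time></sd:evStatus>
</sd:events>"""

# Constructed sample: a poll carrying one status record and one alert.
SAMPLE_BUSY_POLL = """<?xml version="1.0"?>
<sd:events xmlns:sd="http://example.com/sdee"
           xmlns:cid="http://www.cisco.com/cids/2006/08/cidee">
  <sd:evStatus eventId="3" vendor="Cisco"><sd:time offset="0">1400000030</sd:time></sd:evStatus>
  <sd:evIdsAlert eventId="4" severity="high" vendor="Cisco">
    <sd:time offset="0">1400000031</sd:time>
    <sd:signature id="3050" description="Half-open SYN Attack" version="S2"/>
  </sd:evIdsAlert>
</sd:events>"""


def local_name(tag):
    """Strip the '{uri}' prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def alert_summary(el):
    """Pull the fields a SOC analyst would want from one alert element."""
    sig = el.find("sd:signature", NS)
    return {
        "eventId": el.get("eventId"),
        "severity": el.get("severity"),
        "sigId": sig.get("id") if sig is not None else None,
        "description": sig.get("description") if sig is not None else None,
    }


def parse_poll(xml_text):
    """Return total record count, a per-type breakdown, and the alerts only.

    The per-type breakdown is the piece the app's script did not log: it
    shows that records arrived even when none of them were alerts.
    """
    root = ET.fromstring(xml_text)
    records = list(root)
    by_type = Counter(local_name(child.tag) for child in records)
    alerts = [alert_summary(c) for c in records if c.tag == ALERT_TAG]
    return {"total": len(records), "by_type": dict(by_type), "alerts": alerts}


def describe(summary):
    """One log line per poll that distinguishes 'empty' from 'filtered'."""
    if summary["total"] == 0:
        return "empty response: nothing to collect (check auth/subscription)"
    if not summary["alerts"]:
        return "%d record(s), 0 alerts: dropped non-alert records %s" % (
            summary["total"], summary["by_type"])
    return "%d alert(s) of %d record(s): %s" % (
        len(summary["alerts"]), summary["total"], summary["by_type"])


if __name__ == "__main__":
    for name, body in (("quiet", SAMPLE_QUIET_POLL), ("busy", SAMPLE_BUSY_POLL)):
        print(name, "->", describe(parse_poll(body)))
```

Logging the `describe()` line on every poll (or at least whenever `alerts` is empty but `total` is not) would have shown immediately that the script was receiving and discarding status records rather than failing to fetch anything.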