Getting Data In

Splunk for Cisco IPS setup issue

tambo24
New Member

I'm trying to get the trial of Splunk up and running on an Windows 2008 std 64bit Sp2 server; 16GB RAM, dual quad core 3.0ghz processors; I'm starting with Cisco Security app and am running into an issue on the IPS setup. I've installed and setup the Splunk for Cisco IPS app v. 1.0.1 but I'm running into the following issues that I can't seem to get past: (Sorry for the long post but I wasn't sure what would be most useful)

First after install and setup I receive the following errors in splunkd.log: 03-28-2011 23:13:14.084 -0400 ERROR FrameworkUtils - Incorrect path to script: E:\Program Files\Splunk/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py. Script must be in a bin subdirectory in $SPLUNK_HOME. 03-28-2011 23:13:14.084 -0400 ERROR ExecProcessor - Ignoring: ""E:\Program Files\Splunk/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py" username password 10.1.1.1"

I took a guess that it may be because the slashes after the Splunk directory are the wrong way; if I change them in the E:\Program Files\Splunk\etc\apps\Splunk_CiscoIPS\local\inputs.conf file to: script://$SPLUNK_HOME/etc\apps\Splunk_CiscoIPS\bin\get_ips_feed.py it gets past the last error but now the following 4 lines repeat in splunkd.log and no data is indexed:

03-28-2011 23:26:24.333 -0400 ERROR ExecProcessor - message from "python "E:\Program Files\Splunk\etc\apps\Splunk_CiscoIPS\bin\get_ips_feed.py" username pasword 10.1.1.1" Traceback (most recent call last):

03-28-2011 23:26:24.333 -0400 ERROR ExecProcessor - message from "python "E:\Program Files\Splunk\etc\apps\Splunk_CiscoIPS\bin\get_ips_feed.py" username password 10.1.1.1" File "E:\Program Files\Splunk\etc\apps\Splunk_CiscoIPS\bin\get_ips_feed.py", line 2, in

03-28-2011 23:26:24.333 -0400 ERROR ExecProcessor - message from "python "E:\Program Files\Splunk\etc\apps\Splunk_CiscoIPS\bin\get_ips_feed.py" username password 10.1.1.1" from pysdee.pySDEE import SDEE

03-28-2011 23:26:24.333 -0400 ERROR ExecProcessor - message from "python "E:\Program Files\Splunk\etc\apps\Splunk_CiscoIPS\bin\get_ips_feed.py" username password 10.1.1.1" OverflowError: modification time overflows a 4 byte field

I don't know if it's a python issue or something else. I've tried w/ the latest release the previous release, 32 bit and the old version of the IPS app all with the same result. We're pretty new to Splunk and are just starting to trial it so hopefully I've missed some thing simple.

Thanks!

Tags (3)
0 Karma
1 Solution

dleung
Splunk Employee
Splunk Employee

Hey Tambo24, it looks like an issue related to the modification times of the scripted input and/or the SDEE module files. Make sure all .py files within the following directories have current modification times:

$SPLUNK_HOME/etc/apps/Splunk_CiscoIPS/bin
$SPLUNK_HOME/etc/apps/Splunk_CiscoIPS/bin/pysdee

There's an issue with python files whose modification times fall outside the limit of 2^32 seconds after the Unix epoch fail. Modification times allowed are [1/1/1970 - 2/6/2106]

To update the modification time to current, open a file in a text editor make a change, undo and save. Restart Splunk afterwards.

View solution in original post

richnavis
Contributor

I am experiencing the same error "Script must be in a bin subdirectory in $SPLUNK_HOME." However I am unable to implement the fix you used, since we have a
searchhead pooling configuration and the scripts actually live on a file share, not in SPLUNK_HOME. Is this problem related to the APP, and any ideas on how to fix this?

0 Karma

dleung
Splunk Employee
Splunk Employee

Hey Tambo24, it looks like an issue related to the modification times of the scripted input and/or the SDEE module files. Make sure all .py files within the following directories have current modification times:

$SPLUNK_HOME/etc/apps/Splunk_CiscoIPS/bin
$SPLUNK_HOME/etc/apps/Splunk_CiscoIPS/bin/pysdee

There's an issue with python files whose modification times fall outside the limit of 2^32 seconds after the Unix epoch fail. Modification times allowed are [1/1/1970 - 2/6/2106]

To update the modification time to current, open a file in a text editor make a change, undo and save. Restart Splunk afterwards.

LukeMurphey
Champion

The root cause for this issue has been discovered and will be fixed in a maintenance release. Thus, this workaround will no longer be necessary soon.

0 Karma

tambo24
New Member

That was it! Thank you so much for the assistance dleung!

0 Karma

tambo24
New Member

Just some additional info on this; on a different server, still 2008 64bit but with 8gb of RAM the 4.1.7 version of splunk and the cisco_ips_addon app it runs fine and indexes correctly. If I update that to the Splunk for IPS app it fails with the same errors. Just wondering if there is some RAM limit for Python on 64bit systems?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...