Hi all,
I am trying to add a new Cisco IPS4270-20 probe to Splunk_CiscoIPS, but I get this:
Encountered the following error while trying to update: In handler 'localapps': Failed to create scripted input!
SPLUNK version 5.0.8, build 201809
Splunk_CiscoIPS ver 2.0.0
IPS Version 7.1(8)E4
I have tried it unsuccessfully many times. Any advice?
Thanks a lot for help!
Radim
Manually adding doesn't work anyway... 😞
But in splunkd.log I can see this:
05-06-2014 16:11:49.650 +0200 ERROR AdminHandler:Exec - passAuth user does not exist: splunk-system-user
05-06-2014 16:11:49.669 +0200 ERROR AdminManager - Failed to create scripted input!
To add the probe I use the credentials of the probe (admin privilege, not operator). What user doesn't exist?
Thanks again in advance!
I use the free trial of Splunk! Could that be the problem? It's just for testing now, to see which SIEM console we should choose. For a log server Splunk is the best solution, so I hope it would be for SIEM too 😉
R.
You could also check if the user Splunk is running as has permission to write to the file & directory concerned: $SPLUNK_HOME$/apps/
As well as updating the file manually as mentioned previously, you could rename the inputs.conf file then try again to see if there's something strange going wrong with any inputs file already in place. I.e. let the IPS app create the inputs.conf file again from scratch, in a format it's happy with.
The other file this app writes to is app.conf (also in local dir) so the same advice applies here also.
Just a couple of ideas.
This error means that the setup handler could not create the stanza in inputs.conf via the REST API. You can take a look at splunkd.log for more information on why it failed. As a workaround, you can manually create the stanza in inputs.conf to pull your IPS logs.