Splunk Add-on for Cisco IPS 2.1.2: Why am I getting errors connecting to the sensor?

louis_poulin
Engager

I just installed version 2.1.2 and I just did the setup.

I have a problem connecting to my sensor. Following the documentation (http://docs.splunk.com/Documentation/AddOns/latest/CiscoIPS/Troubleshooting), I searched in Splunk (v 6.2.0) for index="_internal" sourcetype="sdee_connection" and I see the following entries:

Mon Jan 12 14:09:08 2015 - INFO - Successfully connected to: sensor.domain.net
Mon Jan 12 14:09:04 2015 - ERROR - Attempting to re-connect to the sensor: sensor.domain.net
Mon Jan 12 14:09:04 2015 - ERROR - Exception thrown in sdee.get(): HTTPError: HTTP Error 401: Unauthorized
Mon Jan 12 14:08:47 2015 - INFO - host="sensor.domain.net" SessionID="9ca3b03d1b5b4fbc05649fdbdd0e997f" SubscriptionID="sub-4-541d4a3b"
Mon Jan 12 14:08:47 2015 - INFO - Successfully connected to: sensor.domain.net
Mon Jan 12 14:08:41 2015 - INFO - Successfully connected to: sensor.domain.net
Mon Jan 12 14:08:41 2015 - INFO - Attempting to connect to sensor: sensor.domain.net
Mon Jan 12 14:08:41 2015 - INFO - No exsisting SubscriptionID for host: sensor.domain.net

I manually tried to connect with a web browser: it works using https://sensor.domain.net and the same credentials entered during setup. The certificate is self-signed on the sensor, so I get the usual warnings.

Any idea what the problem is?

0 Karma

jcoates_splunk
Splunk Employee

Hi,

Please open a support ticket so that we can get debug logs. Between POODLE and Heartbleed and a few other gotchas, secured connections to appliances are going through a lot of flux right now.

0 Karma
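
A triage sketch for the sdee_connection entries quoted in the question, added here as an example and not part of the original thread or the add-on's code. It puts the newest-first entries in chronological order and reports, for each HTTP 401, whether it came before or after a successful connect and how long recovery took; the function names and output fields are assumptions of this example.

```python
import re
from datetime import datetime

# Input: the sdee_connection entries quoted in the question, newest first.
SAMPLE = """\
Mon Jan 12 14:09:08 2015 - INFO - Successfully connected to: sensor.domain.net
Mon Jan 12 14:09:04 2015 - ERROR - Attempting to re-connect to the sensor: sensor.domain.net
Mon Jan 12 14:09:04 2015 - ERROR - Exception thrown in sdee.get(): HTTPError: HTTP Error 401: Unauthorized
Mon Jan 12 14:08:47 2015 - INFO - host="sensor.domain.net" SessionID="9ca3b03d1b5b4fbc05649fdbdd0e997f" SubscriptionID="sub-4-541d4a3b"
Mon Jan 12 14:08:47 2015 - INFO - Successfully connected to: sensor.domain.net
Mon Jan 12 14:08:41 2015 - INFO - Successfully connected to: sensor.domain.net
Mon Jan 12 14:08:41 2015 - INFO - Attempting to connect to sensor: sensor.domain.net
Mon Jan 12 14:08:41 2015 - INFO - No exsisting SubscriptionID for host: sensor.domain.net
"""

LINE = re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) - (\w+) - (.*)$")
OK = "Successfully connected to:"

def parse(text):
    """Return (timestamp, level, message) tuples, oldest first."""
    events = []
    # Reverse first so entries sharing a second keep their real order.
    for raw in reversed(text.splitlines()):
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            events.append((ts, m.group(2), m.group(3)))
    return sorted(events, key=lambda e: e[0])  # sorted() is stable

def auth_failures(events):
    """One finding per HTTP 401, with timing relative to connects."""
    findings, last_ok, subscribed = [], None, False
    for i, (ts, _level, msg) in enumerate(events):
        if msg.startswith(OK):
            last_ok = ts
        elif "SubscriptionID=" in msg:
            subscribed = True
        elif "HTTP Error 401" in msg:
            later_ok = next((t for t, _, m in events[i + 1:] if m.startswith(OK)), None)
            findings.append({
                "at": ts,
                "phase": "after connect" if last_ok else "before any connect",
                "subscription_open": subscribed,
                "secs_since_connect": (ts - last_ok).total_seconds() if last_ok else None,
                "secs_to_recover": (later_ok - ts).total_seconds() if later_ok else None,
            })
    return findings

if __name__ == "__main__":
    for finding in auth_failures(parse(SAMPLE)):
        print(finding)
```

The output only describes the sequence of events; it does not identify why the sensor returned the 401.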