Hello there,
I have an issue obtaining logs from an IPS. I can add the IPS correctly, but then I receive these logs:
[root@localhost splunk]# tail -f sdee_get.log
Fri Feb 20 17:41:43 2015 - INFO - Checking for exsisting SubscriptionID on host: 10.201.158.35
Fri Feb 20 17:41:43 2015 - INFO - No exsisting SubscriptionID for host: 10.201.158.35
Fri Feb 20 17:41:43 2015 - INFO - Attempting to connect to sensor: 10.201.158.35
Fri Feb 20 17:41:43 2015 - INFO - Successfully connected to: 10.201.158.35
Fri Feb 20 17:41:44 2015 - ERROR - Connecting to sensor - 10.201.158.35: URLError: urlopen error [Errno 104] Connection reset by peer>
Splunk is in the Allowed host list in the IPS.
Does anyone know what's going on?
I updated the SSL to use TLS as stated in http://docs.splunk.com/Documentation/AddOns/latest/CiscoIPS/Troubleshooting to get around this issue.
Is the IPS hitting its maximum allotment of connections?
Check my post here and see if this is related: http://blog.hortonew.com/splunk-ciscoips-app-no-longer-pulls-from-ips
Hi, I don't think that patch is valid any more, as we've made some changes to the connection code.
Good to know, thanks.