Hello,
I set up Cisco Security Suite and the Splunk Add-on for Cisco ASA, and I set the connection parameters. In the IPS logs I see messages like:
description: User logged into HTTP server
userName: cisco
userAddress: 172.16.19.30
But the dashboards are empty!!! even though the alerts are present in the IPS.
It looks like you see the data in $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/var/log, so the polling appears to be working correctly, which is good. You're almost there.
You'll also need to enable monitoring. You can copy-paste this into $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/local/inputs.conf:
[monitor://$SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/var/log/ips_sdee.log*]
disabled = 0
...and then restart.
Alternatively, you can avoid a restart by enabling the monitor via the UI: navigate to Settings -> Data Inputs -> Files & directories and click Enable for $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/var/log/ips_sdee.log*.
I found the error: after installation of the add-on, the input was switched off.
Hi Vinchakov_a,
Thanks for the comment. In this case, the input is shipped in the off state by design. It is not desirable to have inputs enabled for a few reasons. One reason is distributed environments. In a distributed environment, the TA should be installed on search heads because it contains search knowledge, and also on heavy forwarders & indexers for its parsing and indexing configurations.
The input should only be enabled on the instance that is doing the polling/collection. So it is shipped in the disabled state intentionally.
The installation instructions, including enabling the input: http://docs.splunk.com/Documentation/AddOns/released/CiscoIPS/Configureinputs#Use_Splunk_Web
I found the file with the IPS logs in /opt/splunk/etc/apps/Splunk_TA_cisco-ips/var/log. But they aren't present in Splunk.
Try adding the following to your inputs.conf in the "local" directory of Splunk_TA_cisco-ips.
For Linux Indexer add:
[monitor://$SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/var/log/ips_sdee.log*]
sourcetype = cisco:ips:syslog
disabled = 0
For Windows Indexer add:
[monitor://$SPLUNK_HOME\etc\apps\Splunk_TA_cisco-ips\var\log\ips_sdee.log*]
sourcetype = cisco:ips:syslog
disabled = 0
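To check the situation described in this thread (the add-on's monitor stanza shipped disabled in default/inputs.conf, re-enabled by a local/inputs.conf override), here is an added example that is not part of this thread or of the add-on: a small Python script that parses both layers, merges them the way Splunk layers local over default, and reports whether the ips_sdee.log monitor is effectively enabled. The file contents and the default stanza are constructed samples; only the local stanza mirrors the one posted above.

```python
"""Report the effective state of the cisco-ips SDEE monitor input after
Splunk-style layering (local/inputs.conf overrides default/inputs.conf).
Sample file contents below are constructed for this example."""


def parse_conf(text):
    """Minimal Splunk .conf parser: [stanza] headers, key = value lines,
    '#' comments and blank lines. Returns {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def merge_layers(*layers):
    """Apply layers in precedence order (default first, local last); the
    later layer wins per key, as Splunk does when it merges conf files."""
    merged = {}
    for layer in layers:
        for name, settings in layer.items():
            merged.setdefault(name, {}).update(settings)
    return merged


def monitor_states(merged, needle="ips_sdee.log"):
    """Map each monitor stanza for the SDEE log to True if it is enabled.
    A missing 'disabled' key means the input is enabled."""
    return {name: s.get("disabled", "0").lower() not in ("1", "true")
            for name, s in merged.items()
            if name.startswith("monitor://") and needle in name}


# Constructed sample: add-on ships the input turned off in default/inputs.conf.
DEFAULT_CONF = """
[monitor://$SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/var/log/ips_sdee.log*]
sourcetype = cisco:ips:syslog
disabled = 1
"""
# Constructed sample of the local override recommended in the thread.
LOCAL_CONF = """
[monitor://$SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/var/log/ips_sdee.log*]
disabled = 0
"""


def sdee_monitor_enabled(default_text=DEFAULT_CONF, local_text=LOCAL_CONF):
    """True only if an SDEE monitor stanza exists and is enabled after layering."""
    states = monitor_states(merge_layers(parse_conf(default_text), parse_conf(local_text)))
    return bool(states) and all(states.values())
```

Pointing the two arguments at the real default/inputs.conf and local/inputs.conf of the add-on tells you whether a restart (or the UI Enable click) will actually pick up an enabled input.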