All Apps and Add-ons

Cisco Security Suite and Splunk Add-on for Cisco ASA: Why am I not seeing any IPS events?

vinchakov_a
Path Finder

Hello,

I set Cisco Security Suite and Splunk Add-on for Cisco ASA. I set connection parameters. In IPS logs I see messages

  description: User logged into HTTP server  
        userName: cisco  
        userAddress: 172.16.19.30

But in the dashboards it is empty!!! though alerts in IPS are.

0 Karma

bwooden
Splunk Employee
Splunk Employee

It looks like you see the data in $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/var/log, so the polling appears to be working correctly, which is good. You're almost there.

You'll also need to enable monitoring: You can copy pasta this into $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/local/inputs.conf

[monitor://$SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/var/log/ips_sdee.log*]
disabled = 0

...and then restart.

Alternatively, you can avoid a restart by enabling the monitor via the UI by clicking Enable for $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/var/log/ips_sdee.log* after navigating to Settings -> Data Inputs -> Files & directories.

0 Karma

vinchakov_a
Path Finder

I found an error, after installation of addon input was switched off

0 Karma

bwooden
Splunk Employee
Splunk Employee

Hi Vinchakov_a,

Thanks for the comment. In this case, the input is shipped in the off-state by design. It is not desireable to have inputs enabled for a few reasons. One reason is distributed environments. In a distributed environment, the TA should be installed on search heads because it contains search knowledge and also on heavy forwarders & indexers for its parsing and indexing configurations.

The input should only be enabled on the instance that is doing the polling/collection. So it is shipped in the disabled state intentionally.

The installation instructions including enabling the input: http://docs.splunk.com/Documentation/AddOns/released/CiscoIPS/Configureinputs#Use_Splunk_Web

0 Karma

vinchakov_a
Path Finder

I found in / opt/splunk/etc/apps/Splunk_TA_cisco-ips/var/log the file with IPS logs. But they aren't present in Splunk.

0 Karma

klaxdal
Contributor

Try adding the following to you inputs.conf in the "local" directory for the Splunk_TA_cisco-ips.

For Linux Indexer add:

When adding a sensor please run setup or enable below monitor in this app's local directory for Linux hosts

[monitor://$SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/var/log/ips_sdee.log*]
sourcetype = cisco:ips:syslog
disabled = 0

For Windows Indexer Add:

When adding a sensor please run setup or enable below monitor in this app's local directory for Windows hosts

[monitor://$SPLUNK_HOME\etc\apps\Splunk_TA_cisco-ips\var\log\ips_sdee.log*]
sourcetype = cisco:ips:syslog
disabled = 0

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...