All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Cisco IPS

djames
New Member
‎05-16-2011 07:26 AM

When I run | search index="_internal" sourcetype="sdee_connection" I get the following error: 

Mon May 16 10:20:10 2011 - ERROR - Exception thrown while parsing SDEE payload: Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py", line 74, in run
    alert_obj_list = idsmxml.parse_alerts( result_xml )
  File "/opt/splunk/etc/apps/Splunk_CiscoIPS/bin/pysdee/idsmxml.py", line 240, in parse_alerts
    alert_obj = build_global(alert)
  File "/opt/splunk/etc/apps/Splunk_CiscoIPS/bin/pysdee/idsmxml.py", line 136, in build_global
    alert.appname = node.getElementsByTagName('sd:originator')[0].getElementsByTagName('cid:appName')[0].firstChild.wholeText
IndexError: list index out of range
0 Karma
Reply

troywollenslege
Path Finder
‎02-03-2012 11:02 AM

our splunkd.log
failed to parse timestamp for event. context="source::c:\Splunk_CiscoIPS\bin\get_ips_feed.py", line 74 in run...
Failed to parse timestamp for event. Context="soruce::c:\var\log\sdee_get.log|host::ciscohost|sdee_get-too_small|" Text="
failed to parse timestamp for event.
context="source::c:\Splunk_CiscoIPS\bin\pysdee\idsmxml.py", line 243, in parse_..."

0 Karma
Reply

jbsplunk
Splunk Employee
Splunk Employee
‎05-16-2011 01:35 PM

whats in your splunkd.log? It should have some messages in it which are relevant to the collection of these logs via the scripted input. I know there are people who have this configuration working out there.

0 Karma
Reply

djames
New Member
‎05-16-2011 12:51 PM

Has anyone ever got this to work? I am trying to see the IPS alerts from my Cisco ISR router running the IOS IPS feature set. I run on the router sh ip sdee sub and can see that the router is sending the sdee alerts to the splunk server. I am running the latest splunk on a 64bit Ubuntu server. But other than that, absolutely nothing on the real time IPS Dashboard.

0 Karma
Reply

jbsplunk
Splunk Employee
Splunk Employee
‎05-16-2011 09:11 AM

There was an error around this particular 'list index out of range' error that was resolved in 4.2.1, SPL-38100. If you haven't already, it may be a good idea to update the product to see if that resolves this problem.

0 Karma
Reply

troywollenslege
Path Finder
‎02-03-2012 10:56 AM

We are getting the same error. Running on 4.2.5 windows forwarder (with forwarder license)

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...