
How to send Cisco IPS logs to a different index

keenanjo
Engager
I have the app working well pulling events from about a dozen sensors. I'm undergoing an effort where I'm moving various data inputs into separate indexes to facilitate implementing access controls. I've attempted to add the index = directive in my local/inputs.conf, but it still sends all the events to main. Is the get_ips_feed.py script set up to use the index= directive in inputs.conf? Any ideas on how I can get these inputs into a specific index?

Here's my sanitized inputs.conf:

[script://$SPLUNK_HOME/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py  "splunk_user" "splunk_password" 1.2.3.4]
sourcetype = cisco_ips_syslog
source = SDEE
disabled = 0
interval = 1
index = ips

Also the ips index is created and working properly. We have data from a different ips vendor successfully logging to that index.
1 Solution

keenanjo
Engager

I've got it working now. Apparently the local/inputs.conf scripts only control how the data is logged into local log files in SPLUNK_HOME/etc/apps/Splunk_CiscoIPS/var/log/. There is a separate monitor line in default/inputs.conf that watches for new entries in those log files and indexes them. By copying the monitor section from default/inputs.conf into local/inputs.conf and adding a line to specify the index, the data is now flowing to the ips index as expected.

[monitor://$SPLUNK_HOME/etc/apps/Splunk_CiscoIPS/var/log/]
sourcetype = cisco_ips_syslog
disabled = false
_whitelist = ips_sdee.log
index = ips

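As an added illustration (not code from the Splunk_CiscoIPS app or from the poster), the Python below reproduces the per-stanza, key-by-key layering of default/inputs.conf under local/inputs.conf that Splunk applies, using constructed stand-ins for both files: an index= on the script stanza leaves the monitored events in main, while the same key on the monitor stanza that actually reads ips_sdee.log moves them to ips.

```python
import configparser

# Constructed stand-in for the app's default/inputs.conf (not the real file).
DEFAULT_CONF = """
[script://$SPLUNK_HOME/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py "splunk_user" "splunk_password" 1.2.3.4]
sourcetype = cisco_ips_syslog
source = SDEE
disabled = 0
interval = 1

[monitor://$SPLUNK_HOME/etc/apps/Splunk_CiscoIPS/var/log/]
sourcetype = cisco_ips_syslog
disabled = false
_whitelist = ips_sdee.log
"""

# First attempt from the question: index= only on the script stanza.
LOCAL_SCRIPT_ONLY = """
[script://$SPLUNK_HOME/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py "splunk_user" "splunk_password" 1.2.3.4]
index = ips
"""

# Working fix from the answer: index= on the monitor stanza that reads the log file.
LOCAL_MONITOR_FIX = """
[monitor://$SPLUNK_HOME/etc/apps/Splunk_CiscoIPS/var/log/]
index = ips
"""

MONITOR_STANZA = "monitor://$SPLUNK_HOME/etc/apps/Splunk_CiscoIPS/var/log/"


def parse(text):
    """Parse one inputs.conf layer into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def layer(default_text, local_text):
    """Merge like Splunk does: local/ wins over default/ key by key, per stanza."""
    merged = parse(default_text)
    for stanza, keys in parse(local_text).items():
        merged.setdefault(stanza, {}).update(keys)
    return merged


def index_for_events(local_text):
    """Index the SDEE events land in: decided by the monitor stanza, not the script one."""
    merged = layer(DEFAULT_CONF, local_text)
    return merged[MONITOR_STANZA].get("index", "main")  # Splunk's implicit default is main
```

On a real install, `$SPLUNK_HOME/bin/splunk btool inputs list --debug` prints the same merged view and names the file each key came from.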
