SPLUNK is unable to collect IPS logs in SDEE format consistently.

splunklogs
New Member

Splunk was working properly; we changed its license to Free, and it worked without problems for a while, but suddenly we realized that it is unable to collect IPS logs during working hours (between 09:30 AM and 06:00 PM) on weekdays. It starts to get the logs after 06:30 PM. I'm sending you the lines from the sdee_get.log file. As you can see, Splunk is in a loop: it attempts to re-connect to the IPS sensor, succeeds, and then gets an exception. How can we solve this problem? Is it related to the type of license? Which parts (services, etc.) should we check when Splunk suddenly stops getting logs from the IPS?
Thanks for your help.

Thu May 09 16:48:22 2013 - ERROR - Attempting to re-connect to the sensor: x.y.z.t
Thu May 09 16:48:22 2013 - INFO - Successfully connected to: x.y.z.t
Thu May 09 16:48:22 2013 - INFO - host="x.y.z.t" SessionID="25e40597e46a7536228f70501d757a9b" SubscriptionID="sub-63431-8a2f85a2"
Thu May 09 16:48:37 2013 - ERROR - Exception thrown in sdee.get(): HTTPError: HTTP Error 400: Bad Request
Thu May 09 16:48:37 2013 - ERROR - Attempting to re-connect to the sensor: x.y.z.t
Thu May 09 16:48:37 2013 - INFO - Successfully connected to: x.y.z.t
Thu May 09 16:48:37 2013 - INFO - host="x.y.z.t" SessionID="8bdd038849dc1bae35276a396db6040c" SubscriptionID="sub-63442-7205ac01"
Thu May 09 16:48:52 2013 - ERROR - Exception thrown in sdee.get(): HTTPError: HTTP Error 400: Bad Request
Thu May 09 16:48:52 2013 - ERROR - Attempting to re-connect to the sensor: x.y.z.t
Thu May 09 16:48:52 2013 - INFO - Successfully connected to: x.y.z.t

(x.y.z.t is the symbolic IP of IPS Sensor)


andrew_garvin
Path Finder

Looks like you are getting an HTTP Error 400: Bad Request from the IPS when making the HTTPS connection. Can you try navigating to https://x.y.z.t/cgi-bin/sdee-server in a web browser from the Splunk server, using the same username and password that Splunk uses? You should get a bunch of XML data. If you get an error, that needs to be resolved at the network and/or appliance layer first. Also, please make sure you are running the latest version of the Splunk for Cisco IPS app (version 2.0.0 - http://splunk-base.splunk.com/apps/22292/splunk-for-cisco-ips).

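The browser check suggested in this answer, plus a small parser for the reconnect loop shown in the question's sdee_get.log excerpt, as an added example (not part of this thread and not code from the Splunk for Cisco IPS app). The log lines embedded below are copied from the question; the sensor address, the credentials, and the 09:30-18:00 weekday window are assumptions taken from the post, not verified values. The parser pairs each new SubscriptionID with the next sdee.get() exception and reports how long each subscription lived, and it splits exceptions into inside/outside the reported window so the "working hours only" observation can be tested against a full day's log rather than ten lines. probe_sdee() performs the same HTTPS GET with basic auth that the browser test does, so it can be run from the Splunk host during and after the failure window.

```python
"""Diagnose the sdee_get.log reconnect loop and script the SDEE reachability check.

Added example for this thread; not part of the Splunk for Cisco IPS app.
Sensor address, credentials and the 09:30-18:00 window are assumptions
taken from the question.
"""
import base64
import re
import ssl
import urllib.error
import urllib.request
from datetime import datetime, time

# Constructed sample: the lines quoted in the question, verbatim.
SAMPLE_LOG = """\
Thu May 09 16:48:22 2013 - ERROR - Attempting to re-connect to the sensor: x.y.z.t
Thu May 09 16:48:22 2013 - INFO - Successfully connected to: x.y.z.t
Thu May 09 16:48:22 2013 - INFO - host="x.y.z.t" SessionID="25e40597e46a7536228f70501d757a9b" SubscriptionID="sub-63431-8a2f85a2"
Thu May 09 16:48:37 2013 - ERROR - Exception thrown in sdee.get(): HTTPError: HTTP Error 400: Bad Request
Thu May 09 16:48:37 2013 - ERROR - Attempting to re-connect to the sensor: x.y.z.t
Thu May 09 16:48:37 2013 - INFO - Successfully connected to: x.y.z.t
Thu May 09 16:48:37 2013 - INFO - host="x.y.z.t" SessionID="8bdd038849dc1bae35276a396db6040c" SubscriptionID="sub-63442-7205ac01"
Thu May 09 16:48:52 2013 - ERROR - Exception thrown in sdee.get(): HTTPError: HTTP Error 400: Bad Request
Thu May 09 16:48:52 2013 - ERROR - Attempting to re-connect to the sensor: x.y.z.t
Thu May 09 16:48:52 2013 - INFO - Successfully connected to: x.y.z.t
"""

LINE_RE = re.compile(r"^(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) - (\w+) - (.*)$")
SUB_RE = re.compile(r'SubscriptionID="([^"]+)"')


def parse_log(text):
    """Yield (timestamp, level, message) for each well-formed sdee_get.log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            yield ts, m.group(2), m.group(3)


def subscription_lifetimes(text):
    """Pair each new SubscriptionID with the next sdee.get() exception.

    Returns [(subscription_id, seconds_alive, error_text)].  A run of short,
    identical lifetimes (15 s in the question) is the loop signature:
    the open succeeds, the first get() on the subscription is rejected, repeat.
    """
    out, current = [], None
    for ts, _level, msg in parse_log(text):
        sub = SUB_RE.search(msg)
        if sub:
            current = (sub.group(1), ts)
        elif "Exception thrown in sdee.get()" in msg and current:
            out.append((current[0], (ts - current[1]).total_seconds(), msg.split(": ", 1)[1]))
            current = None
    return out


def errors_by_window(text, start=time(9, 30), end=time(18, 0)):
    """Count sdee.get() exceptions inside vs. outside the weekday window.

    Default window is the one reported in the question (assumed, not measured).
    """
    inside = outside = 0
    for ts, level, msg in parse_log(text):
        if level == "ERROR" and "sdee.get()" in msg:
            if ts.weekday() < 5 and start <= ts.time() <= end:
                inside += 1
            else:
                outside += 1
    return inside, outside


def probe_sdee(sensor, username, password, verify_tls=True, timeout=10):
    """Scripted version of opening https://<sensor>/cgi-bin/sdee-server in a browser.

    Returns (http_status, first 200 bytes of body).  Run from the Splunk host
    inside and outside the failure window: 400/401/403 here points at the
    sensor or an in-path device; 200 with XML points back at the app.
    """
    url = "https://%s/cgi-bin/sdee-server" % sensor
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    ctx = ssl.create_default_context()
    if not verify_tls:  # sensors commonly present self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read(200)
    except urllib.error.HTTPError as e:
        return e.code, e.read(200)


if __name__ == "__main__":
    for sub, secs, err in subscription_lifetimes(SAMPLE_LOG):
        print("%s lived %.0fs, then: %s" % (sub, secs, err))
    print("sdee.get() errors inside/outside window: %s/%s" % errors_by_window(SAMPLE_LOG))
    # probe_sdee("x.y.z.t", "splunkuser", "secret", verify_tls=False)  # hypothetical values
```

Feed the whole sdee_get.log to errors_by_window() and compare the inside/outside counts; if exceptions only ever land inside the window, the next thing to check is whatever sits between the Splunk host and the sensor during those hours (proxy, load balancer, or a scheduled job on the sensor), since the app itself cannot tell the time.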

splunklogs
New Member

Thanks for your advice. When I tried navigating to https://x.y.z.t/cgi-bin/sdee-server using a web browser from the Splunk server, I got a bunch of XML data, as you mentioned, without any problem. We are running the latest version of the Splunk for Cisco IPS app. Everything looks fine, but we can't collect IPS logs permanently. It suddenly stops getting logs without any reason. How can we solve this problem?
