SPLUNK is unable to collect IPS logs in SDEE format consistently.

splunklogs
New Member

Splunk was working properly; we changed its license to free, and it worked without problem for a while, but suddenly we realized that it is unable to collect IPS logs during working hours (between 09:30 AM and 06:00 PM) on weekdays. It starts to get the logs after 06:30 PM. I'm sending you the lines from the sdee_get.log file. As you can see, Splunk is in a loop: it attempts to re-connect to the IPS sensor, succeeds, and then gets an exception. How can we solve this problem? Is it related to the type of license? Which parts (services, etc.) should we check when Splunk suddenly stops getting IPS logs?
Thanks for your help.

Thu May 09 16:48:22 2013 - ERROR - Attempting to re-connect to the sensor: x.y.z.t
Thu May 09 16:48:22 2013 - INFO - Successfully connected to: x.y.z.t
Thu May 09 16:48:22 2013 - INFO - host="x.y.z.t" SessionID="25e40597e46a7536228f70501d757a9b" SubscriptionID="sub-63431-8a2f85a2"
Thu May 09 16:48:37 2013 - ERROR - Exception thrown in sdee.get(): HTTPError: HTTP Error 400: Bad Request
Thu May 09 16:48:37 2013 - ERROR - Attempting to re-connect to the sensor: x.y.z.t
Thu May 09 16:48:37 2013 - INFO - Successfully connected to: x.y.z.t
Thu May 09 16:48:37 2013 - INFO - host="x.y.z.t" SessionID="8bdd038849dc1bae35276a396db6040c" SubscriptionID="sub-63442-7205ac01"
Thu May 09 16:48:52 2013 - ERROR - Exception thrown in sdee.get(): HTTPError: HTTP Error 400: Bad Request
Thu May 09 16:48:52 2013 - ERROR - Attempting to re-connect to the sensor: x.y.z.t
Thu May 09 16:48:52 2013 - INFO - Successfully connected to: x.y.z.t

(x.y.z.t is the symbolic IP of IPS Sensor)

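As an added example (not code from this thread or from the Splunk for Cisco IPS app): a Python script that parses sdee_get.log lines like the ones posted above, pairs each successful connect with the sdee.get() exception that follows it, and reports how long each subscription lived, which HTTP status killed it, how many distinct SubscriptionIDs the sensor handed out, and whether each failure fell inside the weekday 09:30-18:00 window the poster describes. The line format and the 15-second interval come from the posted lines; the window boundaries are taken from the poster's description and are an assumption of this script, not a documented property of the app.

```python
"""Added example: quantify the connect -> HTTP 400 -> reconnect loop in sdee_get.log.

Assumptions (not stated on the page): a successful connect followed by an
sdee.get() exception before the next connect is one failed loop iteration,
and the weekday 09:30-18:00 window is the poster's own description.
"""
import re
from collections import Counter
from datetime import datetime, time

# Constructed sample: the lines quoted in the question, copied verbatim.
SAMPLE_LOG = """\
Thu May 09 16:48:22 2013 - ERROR - Attempting to re-connect to the sensor: x.y.z.t
Thu May 09 16:48:22 2013 - INFO - Successfully connected to: x.y.z.t
Thu May 09 16:48:22 2013 - INFO - host="x.y.z.t" SessionID="25e40597e46a7536228f70501d757a9b" SubscriptionID="sub-63431-8a2f85a2"
Thu May 09 16:48:37 2013 - ERROR - Exception thrown in sdee.get(): HTTPError: HTTP Error 400: Bad Request
Thu May 09 16:48:37 2013 - ERROR - Attempting to re-connect to the sensor: x.y.z.t
Thu May 09 16:48:37 2013 - INFO - Successfully connected to: x.y.z.t
Thu May 09 16:48:37 2013 - INFO - host="x.y.z.t" SessionID="8bdd038849dc1bae35276a396db6040c" SubscriptionID="sub-63442-7205ac01"
Thu May 09 16:48:52 2013 - ERROR - Exception thrown in sdee.get(): HTTPError: HTTP Error 400: Bad Request
Thu May 09 16:48:52 2013 - ERROR - Attempting to re-connect to the sensor: x.y.z.t
Thu May 09 16:48:52 2013 - INFO - Successfully connected to: x.y.z.t
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) - (?P<level>\w+) - (?P<msg>.*)$"
)
HTTP_RE = re.compile(r"HTTP Error (?P<code>\d{3})")
SUB_RE = re.compile(r'SubscriptionID="(?P<sub>[^"]+)"')
TS_FMT = "%a %b %d %H:%M:%S %Y"


def parse_log(text):
    """Return [(datetime, level, message)] for every well-formed line; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m["ts"], TS_FMT), m["level"], m["msg"]))
    return events


def find_loop_iterations(events):
    """Pair each successful connect with the sdee.get() exception that follows it.

    Each dict records when the subscription was opened, when the poll failed,
    how long the subscription lived, the HTTP status, and the SubscriptionID
    logged for that iteration (None if the host= line is missing).
    """
    iterations = []
    connected_at, sub_id = None, None
    for ts, _level, msg in events:
        if msg.startswith("Successfully connected to"):
            connected_at, sub_id = ts, None
        elif connected_at is not None and msg.startswith("host="):
            m = SUB_RE.search(msg)
            sub_id = m["sub"] if m else None
        elif connected_at is not None and msg.startswith("Exception thrown in sdee.get()"):
            m = HTTP_RE.search(msg)
            iterations.append({
                "connected_at": connected_at,
                "failed_at": ts,
                "lifetime_s": (ts - connected_at).total_seconds(),
                "http_status": int(m["code"]) if m else None,
                "subscription": sub_id,
            })
            connected_at, sub_id = None, None
    return iterations


def in_window(ts, start=time(9, 30), end=time(18, 0)):
    """True if ts is on a weekday inside the poster's reported outage window (assumed)."""
    return ts.weekday() < 5 and start <= ts.time() < end


def summarize(text):
    """Aggregate the loop: status counts, failures per hour, distinct subscriptions, window hits."""
    its = find_loop_iterations(parse_log(text))
    return {
        "iterations": len(its),
        "status_counts": Counter(i["http_status"] for i in its),
        "failures_by_hour": Counter(i["failed_at"].hour for i in its),
        "distinct_subscriptions": len({i["subscription"] for i in its if i["subscription"]}),
        "in_window": sum(in_window(i["failed_at"]) for i in its),
        "mean_lifetime_s": sum(i["lifetime_s"] for i in its) / len(its) if its else 0.0,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a full day's sdee_get.log rather than the three iterations above: a failures_by_hour histogram that is dense between 09 and 17 and empty after 18, together with a fresh SubscriptionID on every iteration, confirms the time-of-day pattern the poster reports and shows that the sensor accepts each new subscription and then rejects the first poll on it with a 400.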

andrew_garvin
Path Finder

Looks like you are getting an HTTP Error 400: Bad Request from the IPS when making the HTTPS connection. Can you try navigating to https://x.y.z.t/cgi-bin/sdee-server using a web browser from the Splunk server, using the same username and password that Splunk is using? You should get a bunch of XML data. If you are getting an error, that needs to be resolved at the network and/or appliance layer first. Also, please make sure you are running the latest version of the Splunk for Cisco IPS app (version 2.0.0 - http://splunk-base.splunk.com/apps/22292/splunk-for-cisco-ips).


splunklogs
New Member

Thanks for your advice. When I tried to navigate to https://x.y.z.t/cgi-bin/sdee-server using a web browser from Splunk, I got a bunch of XML data, as you mentioned, without any problem. We are running the latest version of the Splunk for Cisco IPS app. Everything looks fine, but we can't collect IPS logs permanently. It suddenly stops getting logs without any reason. How can we solve this problem?
