Splunk Add-on for Cisco IPS: Why am I receiving "U...

paguayof · ‎02-23-2015

Hello there,

I have an issue obtaining logs from an IPS.......I can add the IPS correctly, but then I receive this logs.

[root@localhost splunk]# tail -f sdee_get.log 
Fri Feb 20 17:41:43 2015 - INFO - Checking for exsisting SubscriptionID on host: 10.201.158.35
Fri Feb 20 17:41:43 2015 - INFO - No exsisting SubscriptionID for host: 10.201.158.35
Fri Feb 20 17:41:43 2015 - INFO - Attempting to connect to sensor: 10.201.158.35
Fri Feb 20 17:41:43 2015 - INFO - Successfully connected to: 10.201.158.35
Fri Feb 20 17:41:44 2015 - ERROR - Connecting to sensor - 10.201.158.35: URLError: urlopen error [Errno 104] Connection reset by peer>

Splunk is in the Allowed host list in the IPS

Someone knows whats going on?

bmas10 · ‎06-11-2016

I updated the SSL to use TLS as stated in the http://docs.splunk.com/Documentation/AddOns/latest/CiscoIPS/Troubleshooting to get around this issue.

jcoates_splunk · ‎03-14-2015

Is the IPS hitting its maximum allotment of connections?

hortonew · ‎02-24-2015

Check my post here and see if this is related: http://blog.hortonew.com/splunk-ciscoips-app-no-longer-pulls-from-ips

jcoates_splunk · ‎03-14-2015

Hi, I don't think that patch is valid any more, as we've made some changes to the connection code.

hortonew · ‎03-15-2015

Good to know, thanks.

Splunk Add-on for Cisco IPS: Why am I receiving "URLError: urlopen error [Errno 104] Connection reset by peer"?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...