Re: Cisco IPS addon issues

stuckeysnewband · ‎11-03-2010

Good Day, I have installed the IPS addon to the Cisco Security, but am not generating any information. I tried executing the search index="_internal" sourcetype="sdee_connection" to troubleshoot, but did not receive any hits back. My inputs.conf file looks right. I am sure I have missed something, but am not sure where to go from here.

Thanks!

pstamati · ‎08-24-2011

Hi, i have the same problem. I installed Cisco IPS add-no in my splunk (windows) but any event is shown.
No sdee_connection.log file exists nor .run file either.
Any Idea?

Will_Hayes · ‎12-15-2010

Hi, Two things to check.

in $SPLUNK_HOME/var/log/splunk you should see sdee_connection.log Can you paste the contents of that log.

Also, do you see a .run file in $SPLUNK_HOME/etc/apps/cisco_ips_addon/var/run ?

Mick · ‎11-03-2010

Can you paste in your inputs.conf please?

A lack of data from that particular sourcetype tells that no data with that sourcetype is being indexed, which may suggest that the app isn't enabled correctly or that the script isn't firing as it should. There's likely some events in splunkd.log that will point you in the right direction, such as a script error. Another possibility is that the script isn't firing at all, you may want to enable DEBUG logging on the script processors to get a better view into how/if it's being run. You can do this via the 'System Logging' page in Manager

Cisco IPS addon issues

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases