Getting Data In

How do I install the Cisco IPS add-on?

Will_Hayes
Splunk Employee

How do I install and configure the Cisco SDEE data input and IPS add-on on SplunkBase:

http://www.splunkbase.com/apps/All/4.x/app:Cisco+IPS+SDEE+Data+Collector


supernana
New Member

How do I filter so Splunk only accepts/gets high and medium alerts?

Thanks

Will_Hayes
Splunk Employee

To install this add-on, you will need to unpack this file into $SPLUNK_HOME/etc/apps, create or modify local/inputs.conf, and restart.

Modifying inputs.conf:

Open the inputs.conf file located at $SPLUNK_HOME/etc/apps/cisco_ips_addon/local/inputs.conf

You will need to create an entry for each sensor you would like to monitor using the following stanza:


# One stanza per sensor; user, pass and sensor_ip are passed to the script as its arguments
[script://$SPLUNK_HOME/etc/apps/cisco_ips_addon/bin/get_ips_feed.py user pass sensor_ip]
sourcetype = cisco_ips_syslog
source = SDEE
disabled = false
# seconds between polls of the sensor
interval = 1

The scripted input creates a sensor_ip.run file in the $SPLUNK_HOME/etc/apps/cisco_ips_addon/var/run directory which is updated each time Splunk attempts to connect to a sensor. If you are having issues connecting to a sensor or are not seeing IPS data in Splunk, the following search may be used for troubleshooting:

index="_internal" sourcetype="sdee_connection"

The real time and overview dashboards as well as the included searches and reports in this add-on rely on the search: eventtype=cisco_ips in order to report on Cisco IPS data.

There is one scheduled search included in this add-on which creates a cache for the dashboard every 3 hours with a Splunk Enterprise license.

To change the schedule you can edit the following search under the manager:

Cisco IPS - DataCube

For help getting set up e-mail me at: will@splunk.com

dleung
Splunk Employee

I believe that search should produce the app's scripted input connection status messages. The scripted input connects to a Cisco IPS sensor/device.

The app's inputs.conf has the stanza:

# connection status messages written by get_ips_feed.py, indexed into _internal
[monitor://$SPLUNK_HOME/var/log/splunk/sdee_get.log]
index = _internal
sourcetype = sdee_connection

The sdee_get log file is actually written out by the scripted input, get_ips_feed.py, mentioned above. It looks like that script outputs two log files: sdee_get.log and ips_sdee.log.

The sdee_get.log contains the script's connection status messages. The ips_sdee.log contains the actual IPS related data.


Mick
Splunk Employee

What is the search index="_internal" sourcetype="sdee_connection" supposed to produce?
