Cisco IPS works, but it does not transfer events to Splunk

Question

Hello everybody, We have four Cisco ipsen. As described in the manual, the Cisco IPS Addon was installed.

The Cisco IPS Addon works as far as:

*2387 3/17/11 1:31:01.000 PM Thu Mar 17 13:31:01 2011 - INFO - Successfully connected to: xxx.xxx.xxx.xxx* host = test Options | sourceType = sdee_connection Options | source = / var / splunk / var / log / splunk / sdee_get.log Options | type = unix-all-logs option

2388 3/17/11 1:31:01.000 PM Thu Mar 17 13:31:01 2011 - INFO - Attempting to connect to sensor: xxx.xxx.xxx.xxx host = test Options | sourceType = sdee_connection Options | source = / var / splunk / var / log / splunk / sdee_get.log Options | type = unix-all-logs option

2389 3/17/11 **1:31:01.000 PM Thu Mar 17 13:31:01 2011 - INFO - Subscription ID: sub-56-757216ed found for host: xxx.xxx.xxx.xxx** host = test Options | sourceType = sdee_connection Options | source = / var / splunk / var / log / splunk / sdee_get.log Options | type = unix-all-logs option

But, it does not transfer events to Splunk.

What is wrong?

Answer 1

Hey Mountain1, this maybe related to a known issue filed (SOLN-829). In the meantime, can you try the following?

Modify file ../etc/apps/Splunk_CiscoIPS/local/inputs.conf

Replace this line:

[monitor://$SPLUNK_HOME/etc/apps/cisco_ips/var/log/]

With this line:

[monitor://$SPLUNK_HOME/etc/apps/Splunk_CiscoIPS/var/log/]

If a local/inputs.conf doesn't yet exist create one and put the following in it:

[monitor://$SPLUNK_HOME/etc/apps/Splunk_CiscoIPS/var/log/]
sourcetype = cisco_ips_syslog
disabled = false
_whitelist = ips_sdee.log

You may have to restart Splunk. Please let me know if you start picking up events.

Cisco IPS works, but it does not transfer events to Splunk

Follow this question

Splunk Resources

Related questions