
Review the documentation below and follow any custom installation steps. If no install steps are listed, most Splunk Apps and Add-ons can be installed as follows:

Windows: Decompress the downloaded file using a tool like 7-Zip and place the resulting folder into %PROGRAMFILES%\Splunk\etc\apps. Then restart Splunk using the splunk restart command or the GUI.

Unix/Linux: Decompress the downloaded file using a tool like tar -xvf and place the resulting folder into $SPLUNK_HOME/etc/apps. Then restart Splunk using the splunk restart command or the GUI.

Description

The Splunk for Cisco IPS technology add-on is a collection of scripted inputs, field extractions, and other search-time knowledge that is used to drive reporting and search for data collected from Cisco IPS devices. The scripted input included in this add-on can be configured to collect data from Cisco IPS sensors using the Security Device Event Exchange (SDEE) format.

Security Device Event Exchange (SDEE) is a standard proposed by ICSA that specifies the format of messages and protocol used to communicate events generated by security devices. This protocol is used in the Cisco IPS Sensor 5.0 software to replace Remote Data Exchange Protocol (RDEP), which is used by earlier versions of the Cisco IDS Sensor software. The IPS data format is XML. Splunk for SDEE translates and maps the data into key value pairs.

This add-on can be used standalone, or it can be installed with the Cisco Security Suite umbrella app and other Cisco Security Suite apps and add-ons to provide a single-pane-of-glass interface and out-of-the-box reports on Cisco firewall devices and other Cisco technology data.

Important note: This add-on, under its new name, Splunk for Cisco IPS, replaces the older and very popular Cisco IPS SDEE Data Collector and contains all of the functionality of its predecessor plus the enhancements listed in the release notes below.

Additional information and download for Cisco Security Suite can be found on Splunkbase. The other Cisco Security Suite apps and add-ons include:

Installation and configuration instructions for this add-on can be found in the README file within the downloaded package.

Versions and Release Notes

Version 1.0.4 (current version - updated Feb 15, 2012)
release notes:
- Added log rotation feature.
- Removed Cisco MARS category.
Version 1.0.2 (updated May 22, 2011)
release notes:
Resolved the following issues:
- Cisco IPS get_ips_feed.py script fails on Windows when package extracted using Winzip (SOLN-949)
- Cisco IPS setup fails to configure scripted inputs with appropriate OS path separators (SOLN-925)
Version 1.0.1 (updated Mar 22, 2011)
release notes:
This maintenance release includes a fix for:
- Bug SOLN-829: Cisco IPS scripts refer to incorrect folder name "cisco_ips". See http://answers.splunk.com/questions/12692/app-not-installing-correctly
Version 1.0.0 (updated Mar 12, 2011)
release notes:
- Updated to provide compatibility with Splunk 4.2
- Updated to include a new setup workflow to assist with initial configuration

posted 12 Mar '11, 01:50


splunksolutions
2.6k2
accept rate: 0%

new version 15 Feb, 10:22


3 Reviews:
0 ratings

Hello

Is it possible for SDEE collected logs to be converted into Syslog format and forwarded to a Syslog server?

comments (0)

reviewed 13 Feb, 07:46


samer_ibrahim
211
accept rate: 0%

Has anyone made this and Splunk work together? We're running into many issues and could use a hand. Specifically, this error:

Wed Jan 11 10:23:27 2012 - ERROR - Exception thrown while parsing SDEE payload: Traceback (most recent call last):
  File "C:\Program Files\Splunk\etc\apps\Splunk_CiscoIPS\bin\get_ips_feed.py", line 74, in run
    alert_obj_list = idsmxml.parse_alerts( result_xml )
  File "C:\Program Files\Splunk\etc\apps\Splunk_CiscoIPS\bin\pysdee\idsmxml.py", line 243, in parse_alerts
    alert_obj.signature = build_sig(sig[0])
  File "C:\Program Files\Splunk\etc\apps\Splunk_CiscoIPS\bin\pysdee\idsmxml.py", line 190, in build_sig
    signature.marscategory = node.getElementsByTagName('marsCategory')[0].firstChild.wholeText
IndexError: list index out of range
comments (0)

reviewed 11 Jan, 08:21


hortonew
314
accept rate: 0%
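The traceback in the review above fails at the point where the collector maps SDEE XML into key-value pairs: it indexes the first marsCategory child of a signature node without checking that one exists, so an alert whose signature carries no MARS category raises IndexError and the whole payload is dropped. The following added example (not the add-on's own code) shows that fragile pattern beside a tolerant parser that treats marsCategory as optional and still emits a key="value" line for every alert. The XML layout, element names other than signature and marsCategory, and all sample values are constructed for illustration and do not reproduce the real SDEE schema.

```python
"""Parse SDEE-style IPS alert XML into key="value" pairs, tolerating optional
elements. Added example, not code from the Splunk for Cisco IPS add-on.
The XML below is constructed: it borrows the signature/marsCategory names from
the traceback but is not the real SDEE schema."""
from xml.dom import minidom

# Constructed sample: two alerts; the second signature has no <marsCategory>.
SAMPLE_XML = """<?xml version="1.0"?>
<events>
  <evIdsAlert eventId="1001" severity="high">
    <signature id="2004" description="ICMP Echo Request">
      <marsCategory>Probe/Ping</marsCategory>
    </signature>
    <attacker addr="203.0.113.5"/>
  </evIdsAlert>
  <evIdsAlert eventId="1002" severity="medium">
    <signature id="5081" description="WWW WinNT cmd.exe Access"/>
    <attacker addr="198.51.100.9"/>
  </evIdsAlert>
</events>
"""


def build_sig_fragile(node):
    """Mirrors the failing line from the traceback: assumes the element exists
    and has text, so it raises IndexError when <marsCategory> is absent."""
    return node.getElementsByTagName('marsCategory')[0].firstChild.wholeText


def _child_text(node, tag, default=""):
    """Hardened form: return the text of the first <tag> child, or default
    when the element is missing or empty."""
    matches = node.getElementsByTagName(tag)
    if not matches or matches[0].firstChild is None:
        return default
    return matches[0].firstChild.wholeText.strip()


def fragile_fails_on(xml_text):
    """Return the eventIds for which the fragile accessor raises IndexError."""
    doc = minidom.parseString(xml_text)
    failed = []
    for ev in doc.getElementsByTagName("evIdsAlert"):
        sig = ev.getElementsByTagName("signature")[0]
        try:
            build_sig_fragile(sig)
        except IndexError:
            failed.append(ev.getAttribute("eventId"))
    return failed


def parse_alerts(xml_text):
    """Map every alert to a flat dict; optional parts default to ""."""
    doc = minidom.parseString(xml_text)
    alerts = []
    for ev in doc.getElementsByTagName("evIdsAlert"):
        sig_nodes = ev.getElementsByTagName("signature")
        sig = sig_nodes[0] if sig_nodes else None
        attacker = ev.getElementsByTagName("attacker")
        alerts.append({
            "eventId": ev.getAttribute("eventId"),
            "severity": ev.getAttribute("severity"),
            "sig_id": sig.getAttribute("id") if sig else "",
            "sig_description": sig.getAttribute("description") if sig else "",
            "marsCategory": _child_text(sig, "marsCategory") if sig else "",
            "attacker_addr": attacker[0].getAttribute("addr") if attacker else "",
        })
    return alerts


def to_kv_line(alert):
    """Render one alert as a single key="value" line for indexing."""
    return " ".join('%s="%s"' % (k, v.replace('"', '\\"'))
                    for k, v in alert.items())


if __name__ == "__main__":
    print("fragile parser fails on eventIds:", fragile_fails_on(SAMPLE_XML))
    for alert in parse_alerts(SAMPLE_XML):
        print(to_kv_line(alert))
```

Running the script reports that the fragile accessor fails only on event 1002, while the tolerant parser emits both alerts with an empty marsCategory for the second. Treating every sub-element as optional is the general defensive rule for feed parsers: one malformed or abbreviated event should cost you that field, not the whole poll of the sensor.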

The script get_ips_feed.py runs forever because of "while 1". So the option "interval" wants to be modified; it seems it cannot work.

Thanks for your advice !

comments (0)

reviewed 28 Sep '11, 04:20


ysouchon
133
accept rate: 0%


Copyright © 2005-2012 Splunk, Inc. All rights reserved.