Splunk Cisco_IPS app no longer pulls from IPS
After an upgrade to Splunk 6, the Cisco_IPS app stops pulling IPS logs: the SDEE fetch fails on the TLS handshake, so no new events arrive from the sensor.
- Open sdee_get.log under the Splunk install (/var/log/splunk/sdee_get.log relative to $SPLUNK_HOME).
Events like the following appear:
Exception thrown in sdee.get(): URLError: <urlopen error [Errno 1] _ssl.c:521 error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error>
Note: upgrading to the latest version of the app should also resolve the problem (App Link). The workaround below is for installs that cannot upgrade yet.
Info for the fix was pulled from: This Splunk forum
- Navigate to the app's pysdee directory (/etc/apps/Splunk_CiscoIPS/bin/pysdee/ relative to $SPLUNK_HOME).
- Edit: pySDEE.py
Directly after the default import statements, paste the following.
```python
# The section below overrides httplib's default HTTPS connection, which fails
# against these sensors: the SSLv23-style client hello that Python's newer
# OpenSSL sends by default is answered with a "tlsv1 alert decode error", so
# we force a plain TLSv1 handshake instead.
# Note: like stock httplib in Python 2.7 before 2.7.9, ssl.wrap_socket() is
# called with its default cert_reqs=CERT_NONE, so the sensor's certificate is
# not validated.
import httplib
from httplib import HTTPConnection, HTTPS_PORT
import ssl
import socket


class HTTPSConnection(HTTPConnection):
    default_port = HTTPS_PORT

    def __init__(self, host, port=None, key_file=None, cert_file=None,
                 strict=None, timeout=socket._GLOBAL_DEFAULT_TIMEOUT,
                 source_address=None):
        HTTPConnection.__init__(self, host, port, strict, timeout,
                                source_address)
        self.key_file = key_file
        self.cert_file = cert_file

    def connect(self):
        sock = socket.create_connection((self.host, self.port),
                                        self.timeout, self.source_address)
        if self._tunnel_host:
            # Proxy in use: set up the CONNECT tunnel before wrapping in TLS.
            self.sock = sock
            self._tunnel()
        # Pin the handshake to TLSv1 rather than letting OpenSSL negotiate.
        self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file,
                                    ssl_version=ssl.PROTOCOL_TLSv1)


# Now we override the one in httplib so pySDEE picks up the pinned version.
httplib.HTTPSConnection = HTTPSConnection
# ssl_version corrections are done
```
Depending on your IPS, you may need to change
Restart splunkd ($SPLUNK_HOME/bin/splunk restart) and the app should resume pulling SDEE events.
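A Python 3 counterpart to the override above, added here as an example and not code from the Splunk_CiscoIPS app or the forum thread: a small probe that tries each TLS version against the SDEE endpoint so you know which value to pin, plus the pinned http.client connection built with certificate verification left on (the page's ssl.wrap_socket() call defaults to CERT_NONE and never checks the sensor's certificate). The host, port, CA-file path and the simulated sensor are constructed placeholders; drop the connect= argument to run the probe against a real sensor.

```python
"""
Probe which TLS protocol versions an SDEE endpoint will complete a
handshake with, and build an http.client connection pinned to that
version. Added example (Python 3); not part of the Splunk_CiscoIPS app.
"""
import http.client
import ssl

# Constructed placeholders: replace with your sensor's address and the PEM
# file holding the sensor's certificate (or the CA that issued it).
IPS_HOST = "ips.example.internal"
IPS_PORT = 443
IPS_CA_FILE = None  # e.g. "/opt/splunk/etc/apps/Splunk_CiscoIPS/ips-ca.pem"

# Probe newest first so the report reads top-down; dict order is preserved.
VERSIONS = {
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1": ssl.TLSVersion.TLSv1,
}


def make_sdee_context(version, cafile=None):
    """Return an SSLContext that offers exactly one protocol version.

    Unlike the Python 2 ssl.wrap_socket() override on this page, which
    defaults to CERT_NONE, create_default_context() verifies the sensor's
    certificate and hostname against `cafile` (or the system CA store).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # OpenSSL 1.1.1+ / 3.x refuse TLS 1.0/1.1 at the default security
        # level, so talking to an old sensor at all means lowering it.
        # Best effort: builds without @SECLEVEL support reject the string.
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass
    return ctx


def sdee_connect(host, port, ctx, timeout=10):
    """Open and close one TLS connection to the sensor; raises on failure."""
    conn = http.client.HTTPSConnection(host, port, timeout=timeout,
                                       context=ctx)
    try:
        conn.connect()
    finally:
        conn.close()


def probe_tls_versions(host, port, cafile=None, connect=sdee_connect):
    """Try every entry in VERSIONS; return {name: "ok" | "<ExcType>: <msg>"}.

    `connect` is injectable so the logic can be exercised offline.
    """
    results = {}
    for name, version in VERSIONS.items():
        try:
            ctx = make_sdee_context(version, cafile)
            connect(host, port, ctx)
            results[name] = "ok"
        except (ssl.SSLError, OSError, ValueError) as exc:
            results[name] = "%s: %s" % (type(exc).__name__, exc)
    return results


def simulated_sensor(accepted):
    """Constructed stand-in for a sensor that completes the handshake only
    at `accepted`; every other client hello gets the alert from the page."""
    def connect(host, port, ctx):
        if ctx.maximum_version != accepted:
            raise ssl.SSLError(
                1, "[SSL: TLSV1_ALERT_DECODE_ERROR] tlsv1 alert decode error")
    return connect


if __name__ == "__main__":
    # Offline demo against a simulated sensor that, like the one on this
    # page, only speaks TLS 1.0. Drop connect= to probe the real sensor.
    report = probe_tls_versions(IPS_HOST, IPS_PORT, IPS_CA_FILE,
                                connect=simulated_sensor(VERSIONS["TLSv1"]))
    for name, status in report.items():
        print("%-8s %s" % (name, status))
```

Whichever row reports "ok" is the version to pin. If the real sensor only answers with TLS 1.0 and a self-signed certificate, pass its exported certificate as `cafile` rather than switching verification off.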