Splunk Cisco_IPS app no longer pulls from IPS

Problem #

After an upgrade to Splunk 6, the Cisco_IPS app fails to download IPS logs.

Troubleshooting #

  1. Navigate to /var/log/splunk/sdee_get.log
  2. Events like the following appear in it:

    Exception thrown in sdee.get(): URLError: <urlopen error [Errno 1] _ssl.c:521 error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error>

Fix #

Note: Upgrade to the latest version and you shouldn’t experience the problem anymore. App Link

Info for the fix was pulled from: This Splunk forum

  1. Navigate to /etc/apps/Splunk_CiscoIPS/bin/pysdee/
  2. Edit: pySDEE.py
  3. Directly after the default import statements, paste the following.

    # The section below is to override the default socket connection,
    # which will fail with these devices. The newer version of OpenSSL
    # in Python does not support the ciphers these devices would like to use.
    import httplib
    from httplib import HTTPConnection, HTTPS_PORT
    import ssl
    import socket

    class HTTPSConnection(HTTPConnection):
        default_port = HTTPS_PORT

        def __init__(self, host, port=None, key_file=None, cert_file=None, strict=None, timeout=socket._GLOBAL_DEFAULT_TIMEOUT, source_address=None):
            HTTPConnection.__init__(self, host, port, strict, timeout, source_address)
            self.key_file = key_file
            self.cert_file = cert_file

        def connect(self):
            # Same as httplib's own connect(), except that ssl_version is pinned
            # to TLSv1 so the client hello is one the sensor can decode.
            sock = socket.create_connection((self.host, self.port), self.timeout, self.source_address)
            if self._tunnel_host:
                self.sock = sock
                self._tunnel()
            self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_TLSv1)

    # Now we override the one in httplib.
    httplib.HTTPSConnection = HTTPSConnection
    # ssl_version corrections are done

Depending on your IPS, you may need to change




Restart Splunkd and you should be good to go.
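As an added example (not code from this page or from the Splunk_CiscoIPS app), the same override written for Python 3's http.client: it pins the TLS version the way the fix above does, but keeps certificate and hostname verification, which `ssl.wrap_socket()` as called above does not perform (its `cert_reqs` defaults to `CERT_NONE`). The names `legacy_tls_context` and `LegacyHTTPSConnection` are hypothetical, and `cafile` is assumed to be a PEM bundle exported from the sensor.

```python
# Added example, not code from the Splunk_CiscoIPS app: the pySDEE.py
# override rewritten for Python 3's http.client. It pins the TLS version
# the legacy sensor expects but keeps certificate and hostname checks,
# which ssl.wrap_socket() (default cert_reqs=CERT_NONE) silently drops.
import http.client
import ssl


def legacy_tls_context(cafile=None, min_version="TLSv1", max_version="TLSv1"):
    """Return an SSLContext that offers only the pinned TLS version range.

    cafile: PEM bundle that signed the sensor's certificate (assumed to have
    been exported from the device); None means the system trust store.
    min_version/max_version: member names of ssl.TLSVersion, e.g. "TLSv1_2".
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # create_default_context() already sets CERT_REQUIRED and check_hostname.
    # Set the floor first so it never exceeds the current ceiling.
    ctx.minimum_version = ssl.TLSVersion[min_version]
    ctx.maximum_version = ssl.TLSVersion[max_version]
    # On OpenSSL 3 the default security level can still reject a TLS 1.0
    # handshake; that is governed separately by @SECLEVEL in set_ciphers().
    return ctx


def context_summary(ctx):
    """Expose the settings that matter for this fix, for logging or tests."""
    return {
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        "min": ctx.minimum_version.name,
        "max": ctx.maximum_version.name,
    }


class LegacyHTTPSConnection(http.client.HTTPSConnection):
    """Python 3 counterpart of the page's HTTPSConnection override.

    Instead of monkey-patching the module, hand an instance of this class
    (or just the context) to the SDEE client that talks to the sensor.
    """

    def __init__(self, host, port=None, *, context=None, **kwargs):
        if context is None:
            context = legacy_tls_context()
        super().__init__(host, port, context=context, **kwargs)
```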
