Splunk Cisco_IPS app no longer pulls from IPS


After an upgrade to Splunk 6, the Cisco_IPS app fails to download IPS logs.


  1. Navigate to /var/log/splunk/sdee_get.log
  2. Events like the following show up

    Exception thrown in sdee.get(): URLError: <urlopen error [Errno 1] _ssl.c:521 error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error>


Note: Upgrade to the latest version and you shouldn’t experience the problem anymore. App Link

Info for the fix was pulled from: This Splunk forum

  1. Navigate to /etc/apps/Splunk_CiscoIPS/bin/pysdee/
  2. Edit: pySDEE.py
  3. Directly after the default import statements, paste the following.

    # The section below is to override the default socket connection
    # which will fail with these devices. The newer version of openssl
    # in Python does not support the ciphers these devices would like to use
    import httplib
    from httplib import HTTPConnection, HTTPS_PORT
    import ssl
    import socket
    class HTTPSConnection(HTTPConnection):
        default_port = HTTPS_PORT
        def __init__(self, host, port=None, key_file=None, cert_file=None, strict=None, timeout=socket._GLOBAL_DEFAULT_TIMEOUT, source_address=None):
            HTTPConnection.__init__(self, host, port, strict, timeout, source_address)
            self.key_file = key_file
            self.cert_file = cert_file
            def connect(self):
                sock = socket.create_connection((self.host, self.port), self.timeout, self.source_address)
            if self._tunnel_host:
                self.sock = sock
            self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_TLSv1)
    #now we override the one in httplib
    httplib.HTTPSConnection = HTTPSConnection
    # ssl_version corrections are done

Depending on your IPS, you may need to change




Restart Splunkd and you should be good to go.


Now read this

Splunk Deployment Server: Grab all deployment clients

There are times when you need to know what’s out there. If you’re like me, you have thousands of deployment clients in the environment, and browsing to the GUI interface to see your forwarders just doesn’t cut it. The following can be... Continue →