Hello,
I've installed the Cisco Security Suite 2.0, Cisco IPS 2.0.0 and Cisco MARS 1.0.0 apps.
MARS works fine.
The IPS app however won't pull any data.
Running the search: index="_internal" sourcetype="sdee_connection" generates the following info:
INFO - Checking for exsisting SubscriptionID on host: #.#.#.#
INFO - No exsisting SubscriptionID for host: #.#.#.#
INFO - Attempting to connect to sensor: #.#.#.#
INFO - Successfully connected to: #.#.#.#
ERROR - Connecting to sensor - #.#.#.#: URLError: <urlopen error Tunnel connection failed: 503 Service Unavailable>
Cisco says that Splunk needs to connect to https://Ip-address-of-IPS/cgi-bin/sdee-server/ but I don't see anywhere to specify the path to the XML file at that address.
I do have '.run' files.
Anything I'm missing? Thanks.