https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-does-the-Splunk-Add-on-for-Tenable-stops-ingesting-data/m-p/375835#M45588 <P>This is not the same issue being reported in all the other threads. <BR /> In my case, (and a few people have yelled 'me too') the issue is that collection stops with no apparent error:<BR /> <A href="https://answers.splunk.com/answers/583400/splunk-add-on-for-tenable-stalls-when-collecting-f.html">https://answers.splunk.com/answers/583400/splunk-add-on-for-tenable-stalls-when-collecting-f.html</A></P> <P>Your example seems quite different, in that you are seeing an issue with authentication:</P> <PRE><CODE>sc.login(username, password) File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/security_center.py", line 46, in login self._token = str(result['token']) KeyError: 'token' </CODE></PRE> <P>I don't know what could cause this, but on the face of it your deployment is working correctly - check the SC logs to see if there were any issues with the credentials you were using at that time. - It also explains why in your env it could start working again, once the auth problem has cleared up.</P> Fri, 16 Feb 2018 12:30:02 GMT nickhills 2018-02-16T12:30:02Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-does-the-Splunk-Add-on-for-Tenable-stops-ingesting-data/m-p/375833#M45586 <P>I've searched through the answers and most suggestions are: to disable and then enable the input, change the Start Time, some have even re-installed the app. For a while, I only had to open the input in the GUI which resets it, and that would work to get the data coming in again. Yesterday when, I restarted Splunk for another reason, data started to come again. I've tried everything but reinstalling the add-on this morning with no luck. I am running 5.1.2 for the add-on and my Splunk version is 7.0.1.</P> <P>Here is the error I'm getting, I have double checked the user name and password both of which have not been changed on Nessus/Security Center and in the Splunk configuration.</P> <PRE><CODE>2018-02-15 14:01:33,278 +0000 log_level=ERROR, pid=338, tid=Thread-4, file=ta_data_collector.py, func_name=index_data, code_line_no=118 | [stanza_name="Vulnerability" data="sc_vulnerability" server="SecuirtyCenter"] Failed to index data Traceback (most recent call last): File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_data_collector.py", line 115, in index_data self._do_safe_index() File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_data_collector.py", line 148, in _do_safe_index self._client = self._create_data_client() File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_data_collector.py", line 95, in _create_data_client self._checkpoint_manager) File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_data_client.py", line 55, in __init__ self._ckpt) File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/ta_tenable_sc_data_collector.py", line 18, in do_job_one_time return _do_job_one_time(all_conf_contents, task_config, ckpt) File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/ta_tenable_sc_data_collector.py", line 53, in _do_job_one_time logger_prefix=logger_prefix) File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/security_center.py", line 219, in get_security_center sc.login(username, password) File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/security_center.py", line 46, in login self._token = str(result['token']) KeyError: 'token' </CODE></PRE> Thu, 15 Feb 2018 14:13:33 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-does-the-Splunk-Add-on-for-Tenable-stops-ingesting-data/m-p/375833#M45586 jclehmuth 2018-02-15T14:13:33Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-does-the-Splunk-Add-on-for-Tenable-stops-ingesting-data/m-p/375834#M45587 <P>This add-on is really frustrating...<BR /> I came in this morning and it is working again. The majority of our scans run at night, so my usual setting to check for data is about every six hours, I went to adjust the check for data setting then I went to monitor the sourcetype for updates. The last logs came in at 0100, I have no idea what is going on with this add-on.</P> Fri, 16 Feb 2018 11:49:17 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-does-the-Splunk-Add-on-for-Tenable-stops-ingesting-data/m-p/375834#M45587 jclehmuth 2018-02-16T11:49:17Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-does-the-Splunk-Add-on-for-Tenable-stops-ingesting-data/m-p/375835#M45588 <P>This is not the same issue being reported in all the other threads. <BR /> In my case, (and a few people have yelled 'me too') the issue is that collection stops with no apparent error:<BR /> <A href="https://answers.splunk.com/answers/583400/splunk-add-on-for-tenable-stalls-when-collecting-f.html">https://answers.splunk.com/answers/583400/splunk-add-on-for-tenable-stalls-when-collecting-f.html</A></P> <P>Your example seems quite different, in that you are seeing an issue with authentication:</P> <PRE><CODE>sc.login(username, password) File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/security_center.py", line 46, in login self._token = str(result['token']) KeyError: 'token' </CODE></PRE> <P>I don't know what could cause this, but on the face of it your deployment is working correctly - check the SC logs to see if there were any issues with the credentials you were using at that time. - It also explains why in your env it could start working again, once the auth problem has cleared up.</P> Fri, 16 Feb 2018 12:30:02 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-does-the-Splunk-Add-on-for-Tenable-stops-ingesting-data/m-p/375835#M45588 nickhills 2018-02-16T12:30:02Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-does-the-Splunk-Add-on-for-Tenable-stops-ingesting-data/m-p/375836#M45589 <P>I haven't had the issue in a while however, if it is an authentication issue we have an idea of what the problem may be. Our security center drops connection to AD on occasion, we have a ticket open with Tenable to help resolve the issue.<BR /> Thanks for pointing that out.</P> Fri, 16 Mar 2018 14:06:35 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-does-the-Splunk-Add-on-for-Tenable-stops-ingesting-data/m-p/375836#M45589 jclehmuth 2018-03-16T14:06:35Z