Our Splunk Add-on for Tenable was working just fine for a while, but I just noticed it has not pulled data for several weeks. When I looked at the internal log with this search:
index=_internal sourcetype="tenable:sc:log" WARNING
I saw I was getting a ton of these messages:
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verification failed. The certificate of the https server is not trusted, this add-on will proceed to connect with this certificate. You may need to check the certificate and refer to the documentation and add it to the trust list.
So I tried to re-import the certificate using the instructions here: http://docs.splunk.com/Documentation/AddOns/released/Nessus/ConfigureModularInput2
But I've had no luck. I notice that the cert I was trying to import was expired, so I'm wondering if that has anything to do with the rejection (although the cert expired 10 days AFTER the certificate verification messages started).
Is that the problem or is it something else?
Thanks
It turns out that the above error was due to the fact that a new Tenable server was deployed without updating the connection configurations. We ended up disabling the add-on and using some custom scripts so the error is gone.
Not really a satisfying resolution, sorry.
In order to help dig into the problem, would you please check whether there are any error messages using the following SPL?
index=_internal sourcetype="tenable:sc:log" error
I have one error that repeats every minute, the same as the previous error.
log_level=ERROR, pid=xxxx, tid=Thread-5, file=ta_data_collector.py, func_name=_do_safe_index, code_line_no=161 | [stanza_name="our_vuln" data="sc_vulnerability" server="our_server"] Failed to get msg
Traceback (most recent call last):
File " /opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_data_collector.py", line 151, in _do_safe_index
File " /opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_data_client.py", line 73, in get return self._gen.next()
File " /opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/ta_tenable_sc_data_collector.py" line 93, in _process_sc_vulnerability _pre_process_ckpt(sc, task_config, ckpt, logger_prefix)
File " /opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/ta_tenable_sc_data_collector.py", line 212, in _pre_process_ckpt job_start_time, end_time)) (note: I don't know why the first parens don't show up in the error)
File " /opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/security_center.py", line 134, in perform_request self._error_check(response, result)
File " /opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/security_center.py", line 177, in _error_check result['error_msg'])
APIError: 'status=403, error_code=12, error_msg=This request contains an invalid token.'
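The two messages in this thread are different failure modes: the SSL warning says the add-on keeps connecting even though it cannot validate the server certificate, while the 403 "invalid token" APIError means Tenable.sc rejected the session, so collection actually stops. Below is an added example (not the add-on's code or anything posted by the participants) that parses tenable:sc:log lines into structured events and classifies each stanza's health. The field layout (log_level=..., pid=..., | [stanza_name="..." server="..."] message, plus an APIError line at the end of a traceback) follows the lines quoted above; the prefix on the WARNING line and all sample values are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the messages quoted in the thread. The WARNING
# line's log prefix is assumed to match the ERROR line's layout; pid is made up.
SAMPLE_LOG = """\
log_level=INFO, pid=1234, tid=Thread-5, file=ta_data_collector.py, func_name=_do_safe_index, code_line_no=120 | [stanza_name="our_vuln" data="sc_vulnerability" server="our_server"] Collecting data
log_level=WARNING, pid=1234, tid=Thread-5, file=security_center.py, func_name=perform_request, code_line_no=100 | [stanza_name="our_vuln" data="sc_vulnerability" server="our_server"] [SSL: CERTIFICATE_VERIFY_FAILED] certificate verification failed. The certificate of the https server is not trusted, this add-on will proceed to connect with this certificate. You may need to check the certificate and refer to the documentation and add it to the trust list.
log_level=ERROR, pid=1234, tid=Thread-5, file=ta_data_collector.py, func_name=_do_safe_index, code_line_no=161 | [stanza_name="our_vuln" data="sc_vulnerability" server="our_server"] Failed to get msg
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/security_center.py", line 177, in _error_check
APIError: 'status=403, error_code=12, error_msg=This request contains an invalid token.'
"""

STANZA_RE = re.compile(r'^\[(?P<fields>[^\]]*)\]\s*(?P<msg>.*)$')
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
API_ERR_RE = re.compile(
    r"APIError: 'status=(?P<status>\d+), error_code=(?P<code>\d+), error_msg=(?P<msg>[^']*)'")


@dataclass
class Event:
    level: str
    stanza: Optional[str]
    server: Optional[str]
    message: str
    api_status: Optional[int] = None
    api_code: Optional[int] = None
    api_msg: Optional[str] = None


@dataclass
class Finding:
    stanza: Optional[str]
    server: Optional[str]
    kind: str          # "untrusted_cert" or "invalid_token"
    collecting: bool   # does data collection still proceed for this stanza?
    action: str


def parse_log(text: str) -> List[Event]:
    """Turn add-on log text into Events; APIError lines attach to the preceding event."""
    events: List[Event] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("log_level="):
            head, _, rest = line.partition(" | ")
            kv = dict(p.strip().split("=", 1) for p in head.split(","))
            stanza = server = None
            msg = rest
            m = STANZA_RE.match(rest)
            if m:
                fields = dict(FIELD_RE.findall(m.group("fields")))
                stanza, server = fields.get("stanza_name"), fields.get("server")
                msg = m.group("msg")
            events.append(Event(kv["log_level"], stanza, server, msg))
            continue
        m = API_ERR_RE.search(line)
        if m and events:
            # Last line of a multi-line traceback: record the API status on the ERROR event.
            ev = events[-1]
            ev.api_status, ev.api_code, ev.api_msg = int(m.group("status")), int(m.group("code")), m.group("msg")
        # Other traceback lines carry nothing we need; skip them.
    return events


def diagnose(events: List[Event]) -> List[Finding]:
    """Classify each event into the failure modes seen in the thread."""
    findings: List[Finding] = []
    for ev in events:
        if "CERTIFICATE_VERIFY_FAILED" in ev.message:
            findings.append(Finding(ev.stanza, ev.server, "untrusted_cert", True,
                "Server certificate is not in the add-on's trust list. Check the chain and "
                "expiry, then add the correct CA. Collection continues, but without validation."))
        elif ev.api_status == 403 and ev.api_msg and "invalid token" in ev.api_msg.lower():
            findings.append(Finding(ev.stanza, ev.server, "invalid_token", False,
                "Tenable.sc rejected the session (403, error_code=12). The configured server "
                "or credentials are stale; re-check the stanza's connection settings."))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind, e.g. for an alert or dashboard panel."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in diagnose(parse_log(SAMPLE_LOG)):
        state = "still collecting" if f.collecting else "collection STOPPED"
        print(f"{f.stanza}@{f.server}: {f.kind} ({state}) -> {f.action}")
```

Run against the real index=_internal sourcetype="tenable:sc:log" export, the two classifications separate the noisy-but-running certificate warning from the token rejection that actually explains weeks of missing data; the `collecting` flag is what you would alert on.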