How to handle expired certificates with Splunk Add-on for Tenable?

reswob4
Builder

Our Splunk Add-on for Tenable was working just fine for a while, but I just noticed it has not pulled data for several weeks. When I looked at the internal log with this search:

index=_internal sourcetype="tenable:sc:log" WARNING

I saw I was getting a ton of these messages:

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verification failed. The certificate of the https server is not trusted, this add-on will proceed to connect with this certificate. You may need to check the certificate and refer to the documentation and add it to the trust list.

So I tried to re-import the certificate using the instructions here: http://docs.splunk.com/Documentation/AddOns/released/Nessus/ConfigureModularInput2

But I've had no luck. I noticed that the cert I was trying to import was expired, so I'm wondering if that has anything to do with the rejection (although the cert expired 10 days AFTER the certificate verification messages started).

Is that the problem or is it something else?

Thanks

0 Karma

reswob4
Builder

It turns out that the above error was due to the fact that a new Tenable server was deployed without updating the connection configurations. We ended up disabling the add-on and using some custom scripts so the error is gone.

Not really a satisfying resolution, sorry.

0 Karma

hozhang_splunk
Splunk Employee

To help dig into the problem, would you please check whether there are any error messages using the following SPL?
index=_internal sourcetype="tenable:sc:log" error

0 Karma

reswob4
Builder

I have one error that repeats every minute, the same as the previous error.

log_level=ERROR, pid=xxxx, tid=Thread-5, file=ta_data_collector.py, func_name=_do_safe_index, code_line_no=161 | [stanza_name="our_vuln" data="sc_vulnerability" server="our_server"] Failed to get msg
Traceback (most recent call last):
  File " /opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_data_collector.py", line 151, in _do_safe_index
  File " /opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_data_client.py", line 73, in get
    return self._gen.next()
  File " /opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/ta_tenable_sc_data_collector.py" line 93, in _process_sc_vulnerability
    _pre_process_ckpt(sc, task_config, ckpt, logger_prefix)
  File " /opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/ta_tenable_sc_data_collector.py", line 212, in _pre_process_ckpt
    job_start_time, end_time)) (note: I don't know why the first parens don't show up in the error)
  File " /opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/security_center.py", line 134, in perform_request
    self._error_check(response, result)
  File " /opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/security_center.py", line 177, in _error_check
    result['error_msg'])
APIError: 'status=403, error_code=12, error_msg=This request contains an invalid token.'

0 Karma
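
Added example, not part of the thread or of the add-on's code: a small triage script that separates the two failure signatures quoted above (the CERTIFICATE_VERIFY_FAILED warning and the 403 invalid-token error), finds when each first appeared, and compares the first TLS failure with the certificate's notAfter date. The timestamp prefix on the sample lines, the sample dates, the UTC assumption and the function names are all constructed for illustration.

```python
import re
import ssl
from datetime import datetime, timezone

# Constructed sample. The timestamp prefix is an assumed format (treated as
# UTC); the message texts are the two quoted in the thread.
SAMPLE_LOG = """\
2018-03-01 10:00:00,123 log_level=WARNING, pid=1111 | [SSL: CERTIFICATE_VERIFY_FAILED] certificate verification failed.
2018-03-01 10:01:00,456 log_level=ERROR, pid=1111 | [stanza_name="our_vuln"] Failed to get msg
Traceback (most recent call last):
APIError: 'status=403, error_code=12, error_msg=This request contains an invalid token.'
2018-03-01 10:02:00,789 log_level=WARNING, pid=1111 | [SSL: CERTIFICATE_VERIFY_FAILED] certificate verification failed.
"""

TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} ")
SIGNATURES = {
    "tls_trust": "CERTIFICATE_VERIFY_FAILED",
    "api_auth": "status=403, error_code=12",
}

def first_seen(log_text):
    """Map each failure category to the UTC time of its first record.
    Lines without a timestamp (traceback, APIError) belong to the record above."""
    current, seen = None, {}
    for line in log_text.splitlines():
        m = TS.match(line)
        if m:
            current = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        for name, needle in SIGNATURES.items():
            if current and needle in line:
                seen.setdefault(name, current)
    return seen

def triage(log_text, not_after):
    """not_after: the certificate's notAfter string, e.g. 'Mar 11 10:00:00 2018 GMT'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    seen, report = first_seen(log_text), {}
    if "tls_trust" in seen:
        report["tls_trust"] = ("expired certificate" if seen["tls_trust"] >= expires
                               else "failures predate expiry: check trust list and server address")
    if "api_auth" in seen:
        report["api_auth"] = "server rejected the API token: check stored credentials"
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "Mar 11 10:00:00 2018 GMT"))
```
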