All Apps and Add-ons

How to handle expired certificates with Splunk Add-on for Tenable?

Builder

Our Splunk Add-on for Tenable was working just fine for a while, but I just noticed it has not pulled data for several weeks. When I looked at the internal log with this search:

index=_internal sourcetype="tenable:sc:log" WARNING

I saw I was getting a ton of these messages:

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verification failed. The certificate of the https server is not trusted, this add-on will proceed to connect with this certificate. You may need to check the certificate and refer to the documentation and add it to the trust list.

So I tried to re-import the certificate using the instructions here: http://docs.splunk.com/Documentation/AddOns/released/Nessus/ConfigureModularInput2

But I've had no luck. I notice that the cert I was trying to import was expired so I'm wondering if that has anything to do with the rejection. (although the cert expired a 10 days AFTER the certificate verification messages started).

Is that the problem or is it something else?

Thanks

0 Karma

Builder

It turns out that the above error was due to the fact that a new Tenable server was deployed without updating the connection configurations. We ended up disabling the add-on and using some custom scripts so the error is gone.

Not really a satisfying resolution, sorry.

0 Karma

Splunk Employee
Splunk Employee

In order to help dig into the problem, would you please check that there is any error messages using the following SPL?
index=_internal sourcetype="tenable:sc:log" error

0 Karma

Builder

I have one error that repeats every minute, the same as the previous error.

log_level=ERROR, pid=xxxx, tid=Thread-5, file=ta_data_collector.py, func_name=_do_safe_index, code_line_no=161 | [stanza_name="our_vuln" data="sc_vulnerability" server="our_server"] Failed to get msg
Traceback (most recent call last):
File " /opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_data_collector.py", line 151, in _do_safe_index
File " /opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_data_client.py", line 73, in get return self._gen.next()
File " /opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/ta_tenable_sc_data_collector.py" line 93, in _process_sc_vulnerability _pre_process_ckpt(sc, task_config, ckpt, logger_prefix)
File " /opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/ta_tenable_sc_data_collector.py", line 212, in _pre_process_ckpt job_start_time, end_time)) (note: I don't know why the first parens don't show up in the error)
File " /opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/security_center.py", line 134, in perform_request self._error_check(response, result)
File " /opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/security_center.py", line 177, in _error_check result['error_msg'])
APIError: 'status=403, error_code=12, error_msg=This request contains an invalid token.'

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!