Hi All,
I'm having issues with the Splunk Add-on for Tenable - receiving the error "connection closed" - hoping you guys can help!
Splunk Version: 6.55
Tenable version: 5.12
Tenable SecurityCenter 5.6.0.1 (build: 201711093168)
2018-06-06 00:52:38,013 +0000 log_level=INFO, pid=319, tid=Thread-2, file=scheduler.py, func_name=get_ready_jobs, code_line_no=100 | Get 1 ready jobs, next duration is 119.998971, and there are 1 jobs scheduling
2018-06-06 00:52:38,014 +0000 log_level=INFO, pid=319, tid=Thread-5, file=ta_data_collector.py, func_name=index_data, code_line_no=112 | [stanza_name="TNS_VM_SC_INPUT" data="sc_vulnerability" server="TNS_VM_SC"] Start indexing data for checkpoint_key=TNS_VM_SC_INPUT___sc_vulnerability___TNS_VM_SC
2018-06-06 00:52:38,018 +0000 log_level=ERROR, pid=319, tid=Thread-5, file=ta_data_collector.py, func_name=index_data, code_line_no=118 | [stanza_name="TNS_VM_SC_INPUT" data="sc_vulnerability" server="TNS_VM_SC"] Failed to index data
Traceback (most recent call last):
  File "/apps/pcehr/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_data_collector.py", line 115, in index_data
    self._do_safe_index()
  File "/apps/pcehr/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_data_collector.py", line 148, in _do_safe_index
    self._client = self._create_data_client()
  File "/apps/pcehr/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_data_collector.py", line 89, in _create_data_client
    ckpt = self._get_ckpt()
  File "/apps/pcehr/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_data_collector.py", line 80, in _get_ckpt
    return self._checkpoint_manager.get_ckpt()
  File "/apps/pcehr/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_checkpoint_manager.py", line 31, in get_ckpt
    return self._store.get_state(key)
  File "/apps/pcehr/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktalib/state_store.py", line 141, in get_state
    state = json.load(jsonfile)
  File "/apps/pcehr/splunk/lib/python2.7/json/__init__.py", line 291, in load
    **kw)
  File "/apps/pcehr/splunk/lib/python2.7/json/__init__.py", line 339, in loads
    return _default_decoder.decode(s)
  File "/apps/pcehr/splunk/lib/python2.7/json/decoder.py", line 364, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/apps/pcehr/splunk/lib/python2.7/json/decoder.py", line 382, in raw_decode
    raise ValueError("No JSON object could be decoded")
ValueError: No JSON object could be decoded
2018-06-06 00:52:38,024 +0000 log_level=INFO, pid=319, tid=Thread-5, file=ta_data_collector.py, func_name=index_data, code_line_no=120 | [stanza_name="TNS_VM_SC_INPUT" data="sc_vulnerability" server="TNS_VM_SC"] End of indexing data for checkpoint_key=TNS_VM_SC_INPUT___sc_vulnerability___TNS_VM_SC
2018-06-06 00:52:38,025 +0000 log_level=INFO, pid=319, tid=Thread-5, file=thread_pool.py, func_name=_run, code_line_no=261 | Thread work_queue_size=0
Could someone please assist? I have been trying to troubleshoot this for a while now 😞
Regards,
Craig
Judging by these lines in the stacktrace, it looks like the problem is with loading the checkpoint:
  File "/apps/pcehr/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_checkpoint_manager.py", line 31, in get_ckpt
    return self._store.get_state(key)
  File "/apps/pcehr/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktalib/state_store.py", line 141, in get_state
    state = json.load(jsonfile)
Try looking at the steps here to reset the checkpoint:
https://docs.splunk.com/Documentation/AddOns/released/Nessus/Troubleshoot#Checkpoint_behavior
If you want to reset the checkpoint, change the start_date for your Nessus input or start_time for your Security Center input. The Splunk platform deletes the checkpoint file and re-indexes your data starting from the new start date.
The checkpoints for nessus:scan and nessus:plugin inputs are in $SPLUNK_HOME$/var/lib/splunk/modinputs/nessus/
The checkpoints for tenable:sc:vuln are in $SPLUNK_HOME$/var/lib/splunk/modinputs/tenable
(the checkpoint for tenable:sc:vuln was actually in $SPLUNK_HOME$/var/lib/splunk/modinputs/tenable_sc on my local environment)
I just had the same error sequence:
2018-06-21 17:24:15,963 ERROR Execution failed: Traceback (most recent call last):
  File "C:\Program Files\Splunk\etc\apps\alertAction_runRemoteCommand\bin\modular_alert.py", line 535, in execute
    payload = json.loads(in_stream.read())
  File "C:\Program Files\Splunk\Python-2.7\Lib\json\__init__.py", line 339, in loads
    return _default_decoder.decode(s)
  File "C:\Program Files\Splunk\Python-2.7\Lib\json\decoder.py", line 364, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "C:\Program Files\Splunk\Python-2.7\Lib\json\decoder.py", line 382, in raw_decode
    raise ValueError("No JSON object could be decoded")
ValueError: No JSON object could be decoded
when executing an alert action. The reason here was that my action had to be configured to output a JSON-formatted payload, as this is expected by the Python script.
So I would guess that one of the Python scripts mentioned in your stack trace expects a JSON-formatted file and the data it gets is not in this format.
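Both replies point at the same thing: state_store.get_state() calls json.load() on the checkpoint file, and that is where the ValueError comes from. The script below is an added diagnostic, not code from the thread or from the add-on; it assumes checkpoint files are plain JSON files named after the checkpoint key in the modinputs directory the first reply mentions, runs the same json.load() check over every file in a directory, and reports which one is empty or truncated (the sample files and their contents are constructed for the example).

```python
"""Find Splunk modular-input checkpoint files that would fail json.load()."""
import json
import os
import tempfile


def classify_checkpoint(path):
    """Return 'ok', 'empty', or 'invalid json: ...' for one checkpoint file.

    Mirrors the json.load() call in state_store.get_state(), but reports
    the reason instead of raising the ValueError seen in the stack trace.
    """
    with open(path, "rb") as fh:
        raw = fh.read()
    if not raw.strip():
        return "empty"  # zero-byte or whitespace-only file
    try:
        state = json.loads(raw.decode("utf-8"))
    except (ValueError, UnicodeDecodeError) as exc:  # JSONDecodeError subclasses ValueError
        return "invalid json: %s" % exc
    if not isinstance(state, dict):
        return "unexpected top-level type: %s" % type(state).__name__
    return "ok"


def scan_checkpoint_dir(directory):
    """Map every regular file in the directory to its status."""
    results = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            results[name] = classify_checkpoint(path)
    return results


def build_sample_dir():
    """Constructed sample: one good checkpoint, one empty, one truncated."""
    d = tempfile.mkdtemp(prefix="tenable_sc_ckpt_")
    samples = {  # file names and JSON keys are assumed for the example
        "TNS_VM_SC_INPUT___sc_vulnerability___TNS_VM_SC": b'{"start_time": "2018-06-01T00:00:00"}',
        "empty_ckpt": b"",
        "truncated_ckpt": b'{"start_time": "2018-06-01T00:00:00"',
    }
    for name, body in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(body)
    return d


if __name__ == "__main__":
    for name, status in scan_checkpoint_dir(build_sample_dir()).items():
        print("%-50s %s" % (name, status))
```

Point scan_checkpoint_dir at the real modinputs directory (for example $SPLUNK_HOME$/var/lib/splunk/modinputs/tenable_sc) to see which checkpoint the collector is choking on before resetting it via start_time.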