Splunk Add-on For Tenable No JSON object could be decoded

Path Finder

Hi All,

Am having issues with the Splunk Add-on for Tenable - receiving the error connection closed - hoping you guys can help!

Splunk Version: 6.55
Tenable version: 5.12
Tenable SecurityCenter 5.6.0.1 (build: 201711093168)

2018-06-06 00:52:38,013 +0000 log_level=INFO, pid=319, tid=Thread-2, file=scheduler.py, func_name=get_ready_jobs, code_line_no=100 | Get 1 ready jobs, next duration is 119.998971, and there are 1 jobs scheduling
2018-06-06 00:52:38,014 +0000 log_level=INFO, pid=319, tid=Thread-5, file=ta_data_collector.py, func_name=index_data, code_line_no=112 | [stanza_name="TNS_VM_SC_INPUT" data="sc_vulnerability" server="TNS_VM_SC"] Start indexing data for checkpoint_key=TNS_VM_SC_INPUT___sc_vulnerability___TNS_VM_SC
2018-06-06 00:52:38,018 +0000 log_level=ERROR, pid=319, tid=Thread-5, file=ta_data_collector.py, func_name=index_data, code_line_no=118 | [stanza_name="TNS_VM_SC_INPUT" data="sc_vulnerability" server="TNS_VM_SC"] Failed to index data
Traceback (most recent call last):
  File "/apps/pcehr/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_data_collector.py", line 115, in index_data
    self._do_safe_index()
  File "/apps/pcehr/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_data_collector.py", line 148, in _do_safe_index
    self._client = self._create_data_client()
  File "/apps/pcehr/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_data_collector.py", line 89, in _create_data_client
    ckpt = self._get_ckpt()
  File "/apps/pcehr/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_data_collector.py", line 80, in _get_ckpt
    return self._checkpoint_manager.get_ckpt()
  File "/apps/pcehr/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_checkpoint_manager.py", line 31, in get_ckpt
    return self._store.get_state(key)
  File "/apps/pcehr/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktalib/state_store.py", line 141, in get_state
    state = json.load(jsonfile)
  File "/apps/pcehr/splunk/lib/python2.7/json/__init__.py", line 291, in load
    **kw)
  File "/apps/pcehr/splunk/lib/python2.7/json/__init__.py", line 339, in loads
    return _default_decoder.decode(s)
  File "/apps/pcehr/splunk/lib/python2.7/json/decoder.py", line 364, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/apps/pcehr/splunk/lib/python2.7/json/decoder.py", line 382, in raw_decode
    raise ValueError("No JSON object could be decoded")
ValueError: No JSON object could be decoded
2018-06-06 00:52:38,024 +0000 log_level=INFO, pid=319, tid=Thread-5, file=ta_data_collector.py, func_name=index_data, code_line_no=120 | [stanza_name="TNS_VM_SC_INPUT" data="sc_vulnerability" server="TNS_VM_SC"] End of indexing data for checkpoint_key=TNS_VM_SC_INPUT___sc_vulnerability___TNS_VM_SC
2018-06-06 00:52:38,025 +0000 log_level=INFO, pid=319, tid=Thread-5, file=thread_pool.py, func_name=_run, code_line_no=261 | Thread work_queue_size=0

Could someone please assist? Have been trying to troubleshoot this for a while now 😞

Regards,

Craig

0 Karma

Explorer

Judging by these lines in the stacktrace, it looks like the problem is with loading the checkpoint:

  File "/apps/pcehr/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_checkpoint_manager.py", line 31, in get_ckpt
    return self._store.get_state(key)
  File "/apps/pcehr/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktalib/state_store.py", line 141, in get_state
    state = json.load(jsonfile)

Try looking at the steps in here to reset the checkpoint:
https://docs.splunk.com/Documentation/AddOns/released/Nessus/Troubleshoot#Checkpoint_behavior

If you want to reset the checkpoint, change the start_date for your Nessus input or start_time for your Security Center input. The Splunk platform deletes the checkpoint file and re-indexes your data starting from the new start date.

The checkpoints for nessus:scan and nessus:plugin inputs are in $SPLUNK_HOME$/var/lib/splunk/modinputs/nessus/

The checkpoints for tenable:sc:vuln are in $SPLUNK_HOME$/var/lib/splunk/modinputs/tenable

(the checkpoint for tenable:sc:vuln was actually in $SPLUNK_HOME$/var/lib/splunk/modinputs/tenable_sc on my local environment)

0 Karma
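The traceback above ends in json.load rejecting the checkpoint file, so before resetting anything it helps to see which checkpoint files cannot be parsed. The script below is an added example, not part of the thread or the add-on's code; the function names and the sample file names and contents are constructed, and it assumes every file under the directory you point it at is a JSON checkpoint.

```python
import json
import os
import sys
import tempfile


def find_bad_checkpoints(ckpt_dir):
    """Return sorted (path, reason) pairs for files that do not parse as JSON."""
    bad = []
    for root, _dirs, files in os.walk(ckpt_dir):
        for name in files:
            path = os.path.join(root, name)
            try:
                with open(path, "rb") as fh:
                    raw = fh.read()
            except OSError as exc:
                bad.append((path, "unreadable: %s" % exc))
                continue
            if not raw.strip():
                # An empty file makes Python 2.7's json.load raise
                # "No JSON object could be decoded".
                bad.append((path, "empty file"))
                continue
            try:
                json.loads(raw.decode("utf-8"))
            except ValueError as exc:  # covers JSON and UTF-8 decode errors
                bad.append((path, "invalid JSON: %s" % exc))
    return sorted(bad)


def make_sample_dir():
    """Build a constructed checkpoint directory: one good, one empty, one truncated."""
    d = tempfile.mkdtemp(prefix="ckpt_demo_")
    samples = {
        "good_input___sc_vulnerability___server": b'{"start_time": 1528245158}',
        "empty_input___sc_vulnerability___server": b"",
        "cut_input___sc_vulnerability___server": b'{"start_time": 15282',
    }
    for name, body in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(body)
    return d


if __name__ == "__main__":
    # Pass the real checkpoint directory as the first argument; without one,
    # the constructed sample directory is scanned instead.
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_dir()
    for path, reason in find_bad_checkpoints(target):
        print("%s: %s" % (path, reason))
```

Run it with the checkpoint directory for your input as the argument; a file reported as empty or invalid is the one the input trips over on every scheduled run.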

Path Finder

I just had the same error sequence:

2018-06-21 17:24:15,963 ERROR Execution failed: Traceback (most recent call last):
  File "C:\Program Files\Splunk\etc\apps\alertAction_runRemoteCommand\bin\modular_alert.py", line 535, in execute
    payload = json.loads(in_stream.read())
  File "C:\Program Files\Splunk\Python-2.7\Lib\json\__init__.py", line 339, in loads
    return _default_decoder.decode(s)
  File "C:\Program Files\Splunk\Python-2.7\Lib\json\decoder.py", line 364, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "C:\Program Files\Splunk\Python-2.7\Lib\json\decoder.py", line 382, in raw_decode
    raise ValueError("No JSON object could be decoded")
ValueError: No JSON object could be decoded

when executing an alert action. The reason here was that my action had to be configured to output a JSON-formatted payload, as this is expected by the Python script.

So I would guess that one of the Python scripts mentioned in your stacktrace expects a JSON-formatted file and the data it gets is not in this format.

0 Karma