I have the latest TA Nessus installed and it was working fine for about a week importing nessus reports through the Tenable API calls. It then stopped indexing events and reported the following error(s):
2016-08-08 17:04:27,658 +0000 log_level=ERROR, pid=18084, tid=MainThread, file=ta_mod_input.py, func_name=main, code_line_no=186 | Tenable task encounter exception
Traceback (most recent call last):
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_mod_input.py", line 183, in main
config_cls=configer_cls)
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_mod_input.py", line 100, in run
tconfig = tc.create_ta_config(settings, config_cls or tc.TaConfig)
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_config.py", line 181, in create_ta_config
return config_cls(meta_config, settings)
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_config.py", line 24, in __init__
self._load_task_configs()
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_config.py", line 48, in _load_task_configs
self._client_schema)
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_helper.py", line 67, in __init__
self._load_conf_contents()
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_helper.py", line 93, in _load_conf_contents
self._all_conf_contents = self._config.load()
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/config.py", line 127, in load
raise ConfigException(msg)
ConfigException: Fail to load endpoint "global_settings" - Unspecified internal server error. reason={"messages":[{"type":"ERROR","text":"\n In handler 'ta_tenable_settings': External handler failed with code '1' and output: 'REST ERROR[1021]: Fail to decrypt the encrypted credential information - not well-formed (invalid token): line 135, column 41'. See splunkd.log for stderr output."}]}
as well as:
2016-08-08 17:04:27,658 +0000 log_level=ERROR, pid=18084, tid=MainThread, file=config.py, func_name=log, code_line_no=50 | UCC Config Module: Fail to load endpoint "global_settings" - Unspecified internal server error. reason={"messages":[{"type":"ERROR","text":"\n In handler 'ta_tenable_settings': External handler failed with code '1' and output: 'REST ERROR[1021]: Fail to decrypt the encrypted credential information - not well-formed (invalid token): line 135, column 41'. See splunkd.log for stderr output."}]}
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/tenable_sc.py", line 21, in <module>
ta_run()
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/tenable_sc.py", line 17, in ta_run
ta_input.main(collector_cls, schema_file_path, 'tenable_sc')
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_mod_input.py", line 183, in main
config_cls=configer_cls)
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_mod_input.py", line 100, in run
tconfig = tc.create_ta_config(settings, config_cls or tc.TaConfig)
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_config.py", line 181, in create_ta_config
return config_cls(meta_config, settings)
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_config.py", line 24, in __init__
self._load_task_configs()
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_config.py", line 48, in _load_task_configs
self._client_schema)
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_helper.py", line 67, in __init__
self._load_conf_contents()
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_helper.py", line 93, in _load_conf_contents
self._all_conf_contents = self._config.load()
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/config.py", line 126, in load
log(msg, level=logging.ERROR, need_tb=True)
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/config.py", line 48, in log
stack = ''.join(traceback.format_stack())
None
I've tried restarting the Heavy Forwarder that is collecting it, as well as changing the "start_time" located in the tenable_sc_inputs.conf to try and reset the checkpoint information, but no luck.
Resolution:
Edit the following file on the HF: Splunk_TA_nessus/bin/splunk_ta_nessus/security_center.py
Insert the following at Line 138 within the file: Code: self._cookie = self._cookie[74:]
Save the file
Restart Splunk
We just discovered a similar problem with another add-on (qualys, in our case), but the culprit turned out to be the exact same add-on, (on three different hosts) SA-ldapsearch. I'm guessing there must be a bug in some version of this or some related component, that causes this corruption in the clear_password field. Can someone from Splunk confirm that, and provide information on when/whether the problem is fixed?
@johnmccash, This is an old question with an accepted answer. For better chances at a helpful response, please post a new question.
was able to resolve this issue with support's help,
1) Access this url and fetch all content of passwords.conf, please do add "count=-1" to list all stanzas:
https://:8089/servicesNS/nobody/-/storage/passwords?output_mode=json&count=-1
2) Format the json by any tool you are familiar with and check “content->clear_password” for each item under “object->entry”. If the clear_password is garbled, then copy this item’s “id” out and delete it
Delete it by:
> curl -k -u <user:password> -X DELETE <url from id part>
sample operation for above case:
> curl -k -u admin:admin -X DELETE https://10.66.137.43:8089/servicesNS/nobody/Splunk_TA_microsoft-cloudservices/storage/passwords/__REST_CREDENTIAL__%23Splunk_TA_microsoft-office365%23testtest%3A123%3A
After above steps, please remember to reconfigure the passwords for deleted stanzas.
Turns out another add-on had a corrupt or bad password, this is what's screwing up Tenable.
this is what my json looks like
"entry": [
  {
    "content": {
      "username": "default",
      "realm": "SA-ldapsearch",
      "password": "********",
      "encr_password": "$1$IJYiBLKN31eZ+i5t7/Acj7",
      "eai:acl": null,
      "clear_password": "�\u0012!�8|\u001a��c|��\u0013�"
    },
    "acl": {
      "sharing": "global",
      "removable": true,
      "perms": {
        "write": [
          "admin",
          "it"
        ],
        "read": [
          "it"
        ]
      },
      "owner": "joe.sixpack",
      "app": "SA-ldapsearch",
      "can_change_perms": true,
      "can_list": true,
      "can_share_app": true,
      "can_share_global": true,
      "can_share_user": true,
      "can_write": true,
      "modifiable": true
    },
    "author": "joe.sixpack",
    "links": {
      "remove": "/servicesNS/nobody/SA-ldapsearch/storage/passwords/SA-ldapsearch%3Adefault%3A",
      "edit": "/servicesNS/nobody/SA-ldapsearch/storage/passwords/SA-ldapsearch%3Adefault%3A",
      "_reload": "/servicesNS/nobody/SA-ldapsearch/storage/passwords/SA-ldapsearch%3Adefault%3A/_reload",
      "list": "/servicesNS/nobody/SA-ldapsearch/storage/passwords/SA-ldapsearch%3Adefault%3A",
      "alternate": "/servicesNS/nobody/SA-ldapsearch/storage/passwords/SA-ldapsearch%3Adefault%3A"
    },
    "updated": "2017-05-03T08:35:08-04:00",
    "id": "https://SPLUNK:8089/servicesNS/nobody/SA-ldapsearch/storage/passwords/SA-ldapsearch%3Adefault%3A",
    "name": "SA-ldapsearch:default:"
I opened up the SA-ldapsearch addon, changed the configured password, restarted splunk and tenable now works properly.
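The check from step 2 of the support procedure, applied to output like the JSON above, as an added example (not part of the original posts and not Splunk's or the add-on's code). It assumes "garbled" means a `clear_password` containing U+FFFD replacement characters or characters that XML 1.0 does not allow; the function names and the sample data are hypothetical and constructed for illustration.

```python
import json

# Constructed sample shaped like the storage/passwords?output_mode=json
# response quoted above; apps, users, host and values are made up.
SAMPLE = r'''
{"entry": [
  {"id": "https://splunk.example:8089/servicesNS/nobody/app_a/storage/passwords/app_a%3Asvc%3A",
   "acl": {"app": "app_a"},
   "content": {"realm": "app_a", "username": "svc", "clear_password": "s3cret-value"}},
  {"id": "https://splunk.example:8089/servicesNS/nobody/app_b/storage/passwords/app_b%3Adefault%3A",
   "acl": {"app": "app_b"},
   "content": {"realm": "app_b", "username": "default", "clear_password": "\ufffd\u0012!\ufffd8|\u001a"}}
]}
'''

def xml10_legal(ch):
    """True if ch is allowed by the XML 1.0 Char production."""
    cp = ord(ch)
    return (cp in (0x9, 0xA, 0xD) or 0x20 <= cp <= 0xD7FF
            or 0xE000 <= cp <= 0xFFFD or 0x10000 <= cp <= 0x10FFFF)

def is_garbled(value):
    """Heuristic (an assumption): XML-illegal characters or U+FFFD present."""
    return any(ch == "\ufffd" or not xml10_legal(ch) for ch in value)

def find_garbled(passwords_json):
    """Return one record per stanza whose clear_password looks corrupt.
    Only the location is returned, never the secret itself."""
    hits = []
    # strict=False tolerates raw control characters inside JSON strings
    for entry in json.loads(passwords_json, strict=False).get("entry", []):
        content = entry.get("content") or {}
        if is_garbled(content.get("clear_password") or ""):
            hits.append({
                "app": (entry.get("acl") or {}).get("app"),
                "realm": content.get("realm"),
                "username": content.get("username"),
                "id": entry.get("id"),  # the URL used for the DELETE in step 2
            })
    return hits

if __name__ == "__main__":
    for hit in find_garbled(SAMPLE):
        print("garbled credential: app={app} realm={realm} "
              "user={username}\n  id={id}".format(**hit))
```

Each reported `id` is a stanza to delete and then reconfigure, as the procedure above describes.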
I never got this to work right. Ended up writing a py script to get scan data out as CSV, and then have Splunk read this CSV off a forwarder, and then created some dashboards around this. Works nicely. Let me know if you need the script.
I get the same issue. I tested this out in my test environment and I figured out that this issue occurs only if Splunk runs on Linux. On Windows, the same version of Splunk and Tenable 5.1.1 work like a charm.
py script
https://gist.github.com/perfecto25/71c50288150180911ecc6cd7f355969e
it downloads the scan as a csv to wherever you run the script from, then I have splunk feed in that csv data via a forwarder, and then you can create dashboards
Yeah I'd like to take a look at the script too. Does it work with SC or directly with Nessus? Thanks!
I'd definitely be interested in your script if you're willing to share it out. Cheers
getting this error as well,
Splunk Version: 6.5.2
Splunk Build: 67571ef4b87d
Current Application: Splunk Add-on for Tenable
App Version: 5.1.1
App Build: 2
Searching this index,
index=_internal sourcetype=tenable:sc:log source="/opt/splunk/var/log/splunk/splunk_ta_nessus_tenable_sc.log"
getting same error
0000 log_level=ERROR, pid=19605, tid=MainThread, file=config.py, func_name=log, code_line_no=50 | UCC Config Module: Fail to load endpoint "global_settings" - Unspecified internal server error. reason={"messages":[{"type":"ERROR","text":"External handler failed with code '1' and output: 'REST ERROR[1021]: Fail to decrypt the encrypted credential information - not well-formed (invalid token): line 33, column 37'. See splunkd.log for stderr output."}]}
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/tenable_sc.py", line 21, in
I upgraded the Tenable add-on recently, not sure if this is related to the upgrade. My security_center.py perform_request def looks like this,
def perform_request(self, method, path, data=None):
    # build headers
    headers = {'Content-Type': 'application/json'}
    if self._token is not None:
        headers['X-SecurityCenter'] = self._token
    if self._cookie is not None:
        headers['Cookie'] = self._cookie
    # Only convert the data to JSON if there is data.
    if data is not None:
        data = json.dumps(data)
    # make a request
    if self._proxy_config:
        http = sr.build_http_connection(
            config=self._proxy_config,
            timeout=self._timeout,
            disable_ssl_validation=
            self._disable_ssl_certificate_validation)
    else:
        http = httplib2.Http(timeout=self._timeout,
                             disable_ssl_certificate_validation=
                             self._disable_ssl_certificate_validation)
    response, content = http.request(
        self._uri(path), method, data, headers)
    if path.find('download') != -1:
        return content
    result = json.loads(content)
    self._error_check(response, result)
    set_cookie = response.get('set-cookie')
    if set_cookie:
        self._cookie = set_cookie[set_cookie.find(',') + 1:].strip()
        stulog.logger.debug('{} set-cookie={}'.format(self._logger_prefix,
                                                      set_cookie))
        stulog.logger.debug('{} self._cookie={}'.format(
            self._logger_prefix, self._cookie))
    return result['response']
I'm getting the same error when upgrading the Tenable addon to version 5.1.1
looking in
@perfecto25 - It looks like some text got cut off at the bottom. Also, this question is quite old so it may not garner much activity. I would suggest posting a new question.
This worked for me, thanks!
Do we know if this fix works for when using Security Center 5.4+ or is it as @worshamn says below and 5.4+ just isn't supported yet? Thanks!
@jbailey's provided fix worked for 5.4
I am running SC 5.4.2...wonder if that's why I am seeing this. Or maybe I applied the line of code wrong. Could you tell me which line comes before/after the line you added from jbailey? I have code on line 138 so I wasn't sure if it should go before or after said line.
To be clear, I am getting this error message when trying to add a Security Center server to the TA config.
Thanks @worshamn !
Hey jat75,
ever got this working? I am having the same issue.
After many restarts of our splunk boxes (all of them) it magically started working and I was able to add my security center box to the app configuration. However, I gave up on this because to make this work it also needs a heavy forwarder. This rings as rather odd to me when you are essentially using REST and login creds for your SC box to be able to login and pull back data. Shouldn't need a heavy forwarder IMO...and I don't have time to build one. Nor have I even seen what benefit there is to hooking them together. Not even a screenshot. So for now I just login to SC to view my vuln data. Thanks.
Which version is this fix for? I just tried it on 5.1.1 and it's not working.
I believe this was originally for 5.0, but then fixed in 5.1.0 which is the version I'm currently on.
5.1.1 installed and seeing the same problem.
output: 'REST ERROR[1021]: Fail to decrypt the encrypted credential information - not well-formed (invalid token): line 33, column 47'. See splunkd.log for stderr output."}]}
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/tenable_sc.py"