All Apps and Add-ons

Splunk Add-on for Nessus: What SecurityCenter Permissions are required?

coltwanger
Contributor

We are running SecurityCenter 5.3 and I've just enabled the new Splunk Add-on for Nessus, but I'm not able to return any data. I'm getting the following error in the tenable logs:

2016-08-04 21:45:23,598 +0000 log_level=ERROR, pid=4520, tid=Thread-4, file=ta_data_collector.py, func_name=_do_safe_index, code_line_no=161 | [stanza_name="SecurityCenter" data="sc_vulnerability" server="CMU_SecurityCenter"] Failed to get msg
Traceback (most recent call last):
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\splunktaucclib\data_collection\ta_data_collector.py", line 151, in _do_safe_index
    events, ckpt = self._client.get()
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\splunktaucclib\data_collection\ta_data_client.py", line 73, in get
    return self._gen.next()
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\ta_tenable_sc_data_collector.py", line 93, in _process_sc_vulnerability
    _pre_process_ckpt(sc, task_config, ckpt, logger_prefix)
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\ta_tenable_sc_data_collector.py", line 212, in _pre_process_ckpt
    job_start_time, end_time))
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\security_center.py", line 134, in perform_request
    self._error_check(response, result)
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\security_center.py", line 177, in _error_check
    result['error_msg'])
APIError: 'status=403, error_code=163, error_msg=Administrators may not manage Scan Results.\n'

I was granted a service account to SecurityCenter which has Administrator Privileges. Googling this error doesn't yield too much info, and I am not a SecurityCenter admin myself, so I'm not sure if we've configured the right permissions.

Is there a built-in role to assign to our service account, or one we can create for this purpose?

0 Karma
1 Solution

rwang_splunk
Splunk Employee
Splunk Employee

Hi Coltwanger

You have to apply for the role in security center to be able to get data into Splunk.

See http://docs.splunk.com/Documentation/AddOns/released/Nessus/Hardwareandsoftwarerequirements for more information.

View solution in original post

rwang_splunk
Splunk Employee
Splunk Employee

Hi Coltwanger

You have to apply for the role in security center to be able to get data into Splunk.

See http://docs.splunk.com/Documentation/AddOns/released/Nessus/Hardwareandsoftwarerequirements for more information.

coltwanger
Contributor

Thank you! I have to say I'm embarrassed I missed that part of the documentation 😞

Unfortunately after resolving that error, I'm now getting this one:

2016-08-05 16:23:38,476 +0000 log_level=ERROR, pid=4244, tid=Thread-7, file=ta_data_collector.py, func_name=_do_safe_index, code_line_no=161 | [stanza_name="SecurityCenter" data="sc_vulnerability" server="CMU_SecurityCenter"] Failed to get msg
Traceback (most recent call last):
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\splunktaucclib\data_collection\ta_data_collector.py", line 151, in _do_safe_index
    events, ckpt = self._client.get()
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\splunktaucclib\data_collection\ta_data_client.py", line 74, in get
    return self._gen.send(self.is_stopped())
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\ta_tenable_sc_data_collector.py", line 146, in _process_sc_vulnerability
    vuln_list = sc.get_vulns(scan_id, start_offset, end_offset)
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\security_center.py", line 83, in get_vulns
    result = self.perform_request('POST', 'analysis', args)
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\security_center.py", line 132, in perform_request
    result = json.loads(content)
  File "C:\Program Files\Splunk\Python-2.7\Lib\json\__init__.py", line 339, in loads
    return _default_decoder.decode(s)
  File "C:\Program Files\Splunk\Python-2.7\Lib\json\decoder.py", line 364, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "C:\Program Files\Splunk\Python-2.7\Lib\json\decoder.py", line 382, in raw_decode
    raise ValueError("No JSON object could be decoded")
ValueError: No JSON object could be decoded

Any ideas?

Edit: Nevermind, I decreased the batch size to 5,000 and got rid of this error. I still don't have any data coming in, but no more errors in the tenable log, so we'll let it sit over the weekend to see if it generates anything to ingest 🙂

0 Karma

naqviah
Explorer

Did this change ever work to get the logs to be ingested by Splunk?

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...