I have recently set up a virtual environment on a development machine. It is not meant for production, just testing. The machines are virtualized through virtual box. Splunk is on the Windows host, and Security Center is installed in a fresh CentOS installation with the firewall and selinux disabled. The SSL cert is the default one. The machines can see eachother on the network at the following IPs:
10.0.0.10 - Splunk (7.0.2)
10.0.0.20 - Security Center (5.7.1)
I have installed Splunk Add-on for Tenable. After searching tenable:sc:log, I am getting an error each time it tried to pull vulnerability data:
2018-11-21 20:22:10,740 +0000 log_level=ERROR, pid=30732, tid=Thread-4, file=ta_tenable_sc_data_collector.py, func_name=_do_job_one_time, code_line_no=67 | [stanza_name="Test SC Server" data="sc_vulnerability" server="Test SC Server"] [SSL: CERTIFICATE_VERIFY_FAILED] certificate verification failed. The certificate validation is enabled. You may need to check the certificate and refer to the documentation and add it to the trust list.
I have search many posts here and have found varying solutions. I have also looked at the trouble shooting guide. Here is what I have tried:
Tried adding disable_ssl_certificate_validation = 1
to the following files based on others suggestions
etc\apps\search\local\inputs.conf
etc\apps\Splunk_TA_nessus\local\nessus.conf
etc\apps\Splunk_TA_nessus\local\inputs.conf
Also navigated to Security Center, exported the .cer/.pem file, and appended it to
etc\apps\Splunk_TA_nessus\bin\splunktalib\httplib2\cacerts.txt
Tried ensuring that Windows firewall is allowing port 8089 inbound communication as per someones comment to a post.
No matter what I seem to try, I am always told that certificate validation is enabled, and that the verification can failed. Any help would be great.
Thanks
in "nessus.conf", did you create a new stanza, named "[tenable_sc_settings]", to put "disable_ssl_certificate_validation = 1" under?
Yes, here is my exact file contents, pasted:
C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\local\nessus.conf
[tenable_sc_settings]
disable_ssl_certificate_validation = 1
what version of the add-on are you using? i'm on 5.1.4 and it's working
(also, i have "true", instead of "1", although that shouldn't matter)
I tried "true" as well without any results.
According to my README.txt in the Splunk_TA_nessus folder, I am running version 5.1.4
that's weird. maybe i never actually got the disable cert part working and it was actually the cert part i got working...can't remember, it's been a while
good luck, though