All Apps and Add-ons

Splunk Add-on for Tenable: Why do I receive "Unable to process Vuln Query" error message?

Blu3fish
Path Finder

Using v5.1.1 of the Splunk Add-on for Tenable (https://splunkbase.splunk.com/app/1710/) to pull scan results from Security Center (5.4.4). I'm receiving the occasional scan result but not all scan results and am seeing the following log repeated over and over in index=_internal sourcetype=tenable:sc:log:

2017-03-08 15:51:57,258 +0000 log_level=WARNING, pid=20668, tid=Thread-5, file=ta_tenable_sc_data_collector.py, func_name=_pre_process_ckpt, code_line_no=284 | [stanza_name="securitycenterserver" data="sc_vulnerability" server="securitycenterserver"] error_msg=Unable to process Vuln Query.
SecurityCenter could not process the vulnerability filter string (SC_ROOT=/opt/sc /opt/sc/bin/showvulns-individual  +orgid "1" +groupid "0" +tool 'listvuln' +datedir "2017-03-08" +scanid '1234' +view 'all' +startoffset '0' +endoffset '0' +repository "1"  -acceptRisk).
11^list^0^0^-1

The scanid does change per event which accurately reflects the scanids from security center that aren't being ingested.

1 Solution

Blu3fish
Path Finder

Worked with Tenable support on another issue (frequent timeouts when using the UI) and they had me adjust the "max_execution_time" value in /opt/sc/support/etc/php.ini:

# Backup the PHP file:
$ cp /opt/sc/support/etc/php.ini /opt/sc/support/etc/php.ini.bk

# Edit the PHP.ini file
$ vi /opt/sc/support/etc/php.ini

Scroll down to the max_execution_time setting and double/triple the value that is in there. The default is 30s so I increased mine to 90s. Save the file then restart SecurityCenter.

Since this change I've been able to pull all scan results into Splunk.

View solution in original post

0 Karma

Blu3fish
Path Finder

Worked with Tenable support on another issue (frequent timeouts when using the UI) and they had me adjust the "max_execution_time" value in /opt/sc/support/etc/php.ini:

# Backup the PHP file:
$ cp /opt/sc/support/etc/php.ini /opt/sc/support/etc/php.ini.bk

# Edit the PHP.ini file
$ vi /opt/sc/support/etc/php.ini

Scroll down to the max_execution_time setting and double/triple the value that is in there. The default is 30s so I increased mine to 90s. Save the file then restart SecurityCenter.

Since this change I've been able to pull all scan results into Splunk.

View solution in original post

0 Karma

shirishkamat84
Path Finder

Did anyone find a fix for this issue? I am having the same exact error message

0 Karma

hozhang_splunk
Splunk Employee
Splunk Employee

This seems an issue at Tenable side.
https://community.tenable.com/thread/9403

0 Karma

hozhang_splunk
Splunk Employee
Splunk Employee

Seems the log pasted is broken, would you please provide the raw logs?

0 Karma

lamars79
New Member

I am having this same problem too. Has anyone been able to figure this out?

0 Karma

Blu3fish
Path Finder

2017-03-08 15:51:57,258 +0000 log_level=WARNING, pid=20668, tid=Thread-5, file=ta_tenable_sc_data_collector.py, func_name=_pre_process_ckpt, code_line_no=284 | [stanza_name="securitycenterserver" data="sc_vulnerability" server="securitycenterserver"] error_msg=Unable to process Vuln Query.
SecurityCenter could not process the vulnerability filter string (SC_ROOT=/opt/sc /opt/sc/bin/showvulns-individual +orgid "1" +groupid "0" +tool 'listvuln' +datedir "2017-03-08" +scanid '2275' +view 'all' +startoffset '0' +endoffset '0' +repository "1" -acceptRisk).
11^list^0^0^-1

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!