
Splunk Add-on for Tenable: Why do I receive "Unable to process Vuln Query" error message?

Path Finder

Using v5.1.1 of the Splunk Add-on for Tenable (https://splunkbase.splunk.com/app/1710/) to pull scan results from SecurityCenter (5.4.4). I'm receiving the occasional scan result, but not all scan results, and am seeing the following log repeated over and over in index=_internal sourcetype=tenable:sc:log:

2017-03-08 15:51:57,258 +0000 log_level=WARNING, pid=20668, tid=Thread-5, file=ta_tenable_sc_data_collector.py, func_name=_pre_process_ckpt, code_line_no=284 | [stanza_name="securitycenterserver" data="sc_vulnerability" server="securitycenterserver"] error_msg=Unable to process Vuln Query.
SecurityCenter could not process the vulnerability filter string (SC_ROOT=/opt/sc /opt/sc/bin/showvulns-individual  +orgid "1" +groupid "0" +tool 'listvuln' +datedir "2017-03-08" +scanid '1234' +view 'all' +startoffset '0' +endoffset '0' +repository "1"  -acceptRisk).
11^list^0^0^-1

The scanid changes per event, and the IDs it reports are exactly the scan IDs from SecurityCenter that aren't being ingested.
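To cross-check which scans SecurityCenter is refusing, here is an added shell example (not part of the original thread) that reads lines of the add-on's log, such as the events from the index=_internal sourcetype=tenable:sc:log search above exported to a file, and lists the distinct scanid values from the "Unable to process Vuln Query" warnings so they can be compared against the scans that never reached Splunk. The function names are this example's own, and the embedded sample log is constructed to match the format quoted in the question (the 1234 and 2275 IDs are the ones quoted in the thread; the extra INFO line and timestamps are made up).

```shell
#!/bin/sh
# Added example, not from the original thread. Extracts the scan IDs that
# SecurityCenter refused from Splunk Add-on for Tenable log lines.
# Function names are this example's own. SAMPLE_LOG is a constructed
# sample in the format quoted in the thread, not captured data.

# Read log lines on stdin; print the unique scan IDs named in
# "could not process the vulnerability filter string" lines, sorted.
failed_scanids() {
    sed -n "/could not process the vulnerability filter string/s/.*+scanid '\([0-9][0-9]*\)'.*/\1/p" \
        | sort -n -u
}

# Read log lines on stdin; print how many Vuln Query warnings they hold.
failure_count() {
    grep -c 'error_msg=Unable to process Vuln Query' || true   # grep -c exits 1 on zero matches
}

# Constructed sample: two failing scans (1234 twice, 2275 once) plus one
# unrelated INFO line that must be ignored.
SAMPLE_LOG=$(cat <<'EOF'
2017-03-08 15:51:57,258 +0000 log_level=WARNING, pid=20668, tid=Thread-5, file=ta_tenable_sc_data_collector.py, func_name=_pre_process_ckpt, code_line_no=284 | [stanza_name="securitycenterserver" data="sc_vulnerability" server="securitycenterserver"] error_msg=Unable to process Vuln Query.
SecurityCenter could not process the vulnerability filter string (SC_ROOT=/opt/sc /opt/sc/bin/showvulns-individual +orgid "1" +groupid "0" +tool 'listvuln' +datedir "2017-03-08" +scanid '1234' +view 'all' +startoffset '0' +endoffset '0' +repository "1" -acceptRisk).
11^list^0^0^-1
2017-03-08 15:52:12,004 +0000 log_level=INFO, pid=20668, tid=Thread-5, file=ta_tenable_sc_data_collector.py, func_name=_pre_process_ckpt, code_line_no=284 | [stanza_name="securitycenterserver" data="sc_vulnerability" server="securitycenterserver"] constructed INFO line, not a failure
2017-03-08 15:52:31,771 +0000 log_level=WARNING, pid=20668, tid=Thread-5, file=ta_tenable_sc_data_collector.py, func_name=_pre_process_ckpt, code_line_no=284 | [stanza_name="securitycenterserver" data="sc_vulnerability" server="securitycenterserver"] error_msg=Unable to process Vuln Query.
SecurityCenter could not process the vulnerability filter string (SC_ROOT=/opt/sc /opt/sc/bin/showvulns-individual +orgid "1" +groupid "0" +tool 'listvuln' +datedir "2017-03-08" +scanid '2275' +view 'all' +startoffset '0' +endoffset '0' +repository "1" -acceptRisk).
11^list^0^0^-1
2017-03-08 15:53:05,119 +0000 log_level=WARNING, pid=20668, tid=Thread-5, file=ta_tenable_sc_data_collector.py, func_name=_pre_process_ckpt, code_line_no=284 | [stanza_name="securitycenterserver" data="sc_vulnerability" server="securitycenterserver"] error_msg=Unable to process Vuln Query.
SecurityCenter could not process the vulnerability filter string (SC_ROOT=/opt/sc /opt/sc/bin/showvulns-individual +orgid "1" +groupid "0" +tool 'listvuln' +datedir "2017-03-08" +scanid '1234' +view 'all' +startoffset '0' +endoffset '0' +repository "1" -acceptRisk).
11^list^0^0^-1
EOF
)

echo "Vuln Query failures: $(printf '%s\n' "$SAMPLE_LOG" | failure_count)"
echo "scan IDs to check in SecurityCenter:"
printf '%s\n' "$SAMPLE_LOG" | failed_scanids
```

Feed the real log with `failed_scanids < tenable_sc.log`; the resulting IDs are the ones to look up in SecurityCenter's scan results to confirm the gap the question describes.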

1 Solution

Path Finder

Worked with Tenable support on another issue (frequent timeouts when using the UI) and they had me adjust the "max_execution_time" value in /opt/sc/support/etc/php.ini:

# Backup the PHP file:
$ cp /opt/sc/support/etc/php.ini /opt/sc/support/etc/php.ini.bk

# Edit the PHP.ini file
$ vi /opt/sc/support/etc/php.ini

Scroll down to the max_execution_time setting and double/triple the value that is in there. The default is 30s, so I increased mine to 90s. Save the file, then restart SecurityCenter.

Since this change I've been able to pull all scan results into Splunk.

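The procedure in the accepted answer, as an added shell example that is not the poster's own commands: it backs up php.ini, rewrites the active max_execution_time directive (or appends one if only a commented copy exists) and verifies that the file reads back the requested value. The function names are this example's own, and it runs against a constructed copy of php.ini; on a SecurityCenter host you would point it at /opt/sc/support/etc/php.ini and then restart SecurityCenter as the answer says (the restart command is not part of this example).

```shell
#!/bin/sh
# Added example, not the original poster's commands. Changes PHP's
# max_execution_time in a php.ini the way the accepted answer describes:
# back up, edit the active directive, verify. Function names are this
# example's own; the php.ini below is a constructed copy, not
# /opt/sc/support/etc/php.ini.

# Print the value of the last active (uncommented) max_execution_time
# directive in $1, or "unset" if every copy is commented out or missing.
get_max_execution_time() {
    v=$(sed -n 's/^[[:space:]]*max_execution_time[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unset\n'; fi
}

# Set max_execution_time in $1 to $2 seconds. Keeps a timestamped backup
# (the answer used php.ini.bk), rewrites an existing active directive in
# place, appends one if none is active, and returns non-zero unless the
# file afterwards reads back the requested value.
set_max_execution_time() {
    ini=$1; secs=$2
    case $secs in
        ''|*[!0-9]*) echo "seconds must be a positive integer" >&2; return 1 ;;
    esac
    cp -p "$ini" "$ini.bk.$(date +%Y%m%d%H%M%S)" || return 1
    if grep -q '^[[:space:]]*max_execution_time[[:space:]]*=' "$ini"; then
        # $secs is digits only (checked above), so it is safe inside the sed script.
        sed "s/^[[:space:]]*max_execution_time[[:space:]]*=.*/max_execution_time = $secs/" "$ini" > "$ini.tmp" \
            && mv "$ini.tmp" "$ini"
    else
        printf 'max_execution_time = %s\n' "$secs" >> "$ini"
    fi
    [ "$(get_max_execution_time "$ini")" = "$secs" ]
}

# Demonstration on a constructed php.ini fragment (the real file has the
# same directive syntax, including commented-out examples that must be ignored).
demo_dir=$(mktemp -d)
demo_ini="$demo_dir/php.ini"
printf '%s\n' \
    '; constructed php.ini fragment for the demonstration' \
    ';max_execution_time = 300   ; commented example, must be ignored' \
    'max_execution_time = 30' \
    'memory_limit = 128M' > "$demo_ini"
echo "before: $(get_max_execution_time "$demo_ini")"
set_max_execution_time "$demo_ini" 90 && echo "after:  $(get_max_execution_time "$demo_ini")"
rm -rf "$demo_dir"
```

max_execution_time is a PHP-wide directive, so raising it lengthens the limit for every request SecurityCenter's PHP handles, not just the add-on's vulnerability queries; raise it in steps, as the answer did, and keep the dated backup so the change can be reverted.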


Path Finder

Did anyone find a fix for this issue? I am having the exact same error message.


Splunk Employee

This seems to be an issue on the Tenable side.
https://community.tenable.com/thread/9403


Splunk Employee

It seems the log you pasted is broken; would you please provide the raw logs?


New Member

I am having this same problem too. Has anyone been able to figure this out?


Path Finder

2017-03-08 15:51:57,258 +0000 log_level=WARNING, pid=20668, tid=Thread-5, file=ta_tenable_sc_data_collector.py, func_name=_pre_process_ckpt, code_line_no=284 | [stanza_name="securitycenterserver" data="sc_vulnerability" server="securitycenterserver"] error_msg=Unable to process Vuln Query.
SecurityCenter could not process the vulnerability filter string (SC_ROOT=/opt/sc /opt/sc/bin/showvulns-individual +orgid "1" +groupid "0" +tool 'listvuln' +datedir "2017-03-08" +scanid '2275' +view 'all' +startoffset '0' +endoffset '0' +repository "1" -acceptRisk).
11^list^0^0^-1
