All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Add-on for Tenable: Why do I receive "Unable to process Vuln Query" error message?

Blu3fish
Path Finder
‎03-08-2017 09:43 AM

Using v5.1.1 of the Splunk Add-on for Tenable (https://splunkbase.splunk.com/app/1710/) to pull scan results from Security Center (5.4.4). I'm receiving the occasional scan result but not all scan results and am seeing the following log repeated over and over in index=_internal sourcetype=tenable:sc:log:

2017-03-08 15:51:57,258 +0000 log_level=WARNING, pid=20668, tid=Thread-5, file=ta_tenable_sc_data_collector.py, func_name=_pre_process_ckpt, code_line_no=284 | [stanza_name="securitycenterserver" data="sc_vulnerability" server="securitycenterserver"] error_msg=Unable to process Vuln Query.
SecurityCenter could not process the vulnerability filter string (SC_ROOT=/opt/sc /opt/sc/bin/showvulns-individual  +orgid "1" +groupid "0" +tool 'listvuln' +datedir "2017-03-08" +scanid '1234' +view 'all' +startoffset '0' +endoffset '0' +repository "1"  -acceptRisk).
11^list^0^0^-1

The scanid does change per event which accurately reflects the scanids from security center that aren't being ingested.

Reply
1 Solution
Solved! Jump to solution
Solution

Blu3fish
Path Finder
‎05-30-2017 08:38 AM

Worked with Tenable support on another issue (frequent timeouts when using the UI) and they had me adjust the "max_execution_time" value in /opt/sc/support/etc/php.ini:

# Backup the PHP file:
$ cp /opt/sc/support/etc/php.ini /opt/sc/support/etc/php.ini.bk

# Edit the PHP.ini file
$ vi /opt/sc/support/etc/php.ini

Scroll down to the max_execution_time setting and double/triple the value that is in there. The default is 30s so I increased mine to 90s. Save the file then restart SecurityCenter.

Since this change I've been able to pull all scan results into Splunk.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Blu3fish
Path Finder
‎05-30-2017 08:38 AM

Worked with Tenable support on another issue (frequent timeouts when using the UI) and they had me adjust the "max_execution_time" value in /opt/sc/support/etc/php.ini:

# Backup the PHP file:
$ cp /opt/sc/support/etc/php.ini /opt/sc/support/etc/php.ini.bk

# Edit the PHP.ini file
$ vi /opt/sc/support/etc/php.ini

Scroll down to the max_execution_time setting and double/triple the value that is in there. The default is 30s so I increased mine to 90s. Save the file then restart SecurityCenter.

Since this change I've been able to pull all scan results into Splunk.

0 Karma
Reply
Solved! Jump to solution

shirishkamat84
Path Finder
‎05-09-2017 02:45 PM

Did anyone find a fix for this issue? I am having the same exact error message

0 Karma
Reply
Solved! Jump to solution

hozhang_splunk
Splunk Employee
Splunk Employee
‎03-26-2017 08:27 PM

This seems an issue at Tenable side.
https://community.tenable.com/thread/9403

0 Karma
Reply
Solved! Jump to solution

hozhang_splunk
Splunk Employee
Splunk Employee
‎03-09-2017 05:37 PM

Seems the log pasted is broken, would you please provide the raw logs?

0 Karma
Reply
Solved! Jump to solution

lamars79
New Member
‎03-24-2017 09:43 AM

I am having this same problem too. Has anyone been able to figure this out?

0 Karma
Reply
Solved! Jump to solution

Blu3fish
Path Finder
‎03-10-2017 08:50 AM

2017-03-08 15:51:57,258 +0000 log_level=WARNING, pid=20668, tid=Thread-5, file=ta_tenable_sc_data_collector.py, func_name=_pre_process_ckpt, code_line_no=284 | [stanza_name="securitycenterserver" data="sc_vulnerability" server="securitycenterserver"] error_msg=Unable to process Vuln Query.
SecurityCenter could not process the vulnerability filter string (SC_ROOT=/opt/sc /opt/sc/bin/showvulns-individual +orgid "1" +groupid "0" +tool 'listvuln' +datedir "2017-03-08" +scanid '2275' +view 'all' +startoffset '0' +endoffset '0' +repository "1" -acceptRisk).
11^list^0^0^-1

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...