Splunk Add-on for Tenable: Why has Splunk stopped ingesting an API modular input for security center vulnerability management scans?

mmohiuddin1512
Explorer

Hi All:
I am getting the following error, in which Splunk is unable to pull data (scans) from a security center. The Splunk Add-on for Tenable is being used to pull the management scans. We have 8 security center servers, and Splunk successfully pulls scan data from 7 of the security center servers, but not from this 8th security center server. It has been one and a half months since log ingestion stopped. We are pulling a lot of scan data, which Splunk doesn't seem to ingest. The application contact has been able to verify that they are receiving API logins from the Splunk account. This verifies that Splunk is trying to pull the management scan data but is unable to do so.

I verified the permissions for the Splunk account. The permissions look good. The Splunk account has been given the Security Manager, Security Analyst and Vulnerability Analyst roles to get the scan results.

In the Splunk internal logs, I see the following errors:

2017-05-19 18:53:46,264 +0000 log_level=ERROR, pid=11116, tid=Thread-5, file=ta_data_collector.py, func_name=_do_safe_index, code_line_no=161 | [stanza_name="SecurityCenterInputs07" data="sc_vulnerability" server="SecurityCenter07"] Failed to get msg
Traceback (most recent call last):
  File "/oap/poap/a00/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_data_collector.py", line 151, in _do_safe_index
    events, ckpt = self._client.get()
  File "/oap/poap/a00/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_data_client.py", line 74, in get
    return self._gen.send(self.is_stopped())
  File "/oap/poap/a00/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/ta_tenable_sc_data_collector.py", line 188, in _process_sc_vulnerability
    del scan_results[scan_id]
KeyError: u'102

[stanza_name="SecurityCenterInputs07" data="sc_vulnerability" server="SecurityCenter07"] error_msg=Error getting Scan Result #102 for User #10 in Organization #1.
Scan Result #102 does not exist. 
The object "102" is missing

Please help me out in troubleshooting this matter.

Thanks,

Obaid

the0duke0
Path Finder

We have found that every so often (1-2 months) we stop getting data from Security Center via the Nessus app. I haven't found the root cause, but I have found that if you change the Start Time in the Splunk_TA_nessus inputs for Security Center, it will start working again.

robjackson
Path Finder

We have the same issue, and change the start date to get it working. We also have the same issue with IP360 data being collected with DBConnect.

0 Karma

krishanp
Explorer

We have been having the same issue as well and resetting the checkpoint (Start Time) is the current fix we've been using as well. If anyone has any insight into this issue, it would be much appreciated.

0 Karma

mmohiuddin1512
Explorer

There is a newer version of Splunk TA nessus, version 5.1.2, that addresses most of the issues and bug fixes. We have implemented the newer version in our environment and we no longer get errors on missing scan IDs.

0 Karma
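
An added example, not from any poster in this thread and not the add-on's own code: a short Python script that reads add-on log lines in the format quoted in the original post and reports which input stanzas are logging errors and which scan result IDs they report as missing, so a stalled Security Center input shows up before weeks of scan data are lost. The sample log is constructed; the function name and the header fields of the second and third lines are assumptions made for the example.

```python
import re

# Constructed sample in the log format quoted in the original post. The first
# line reuses the post's values; the header fields of the second line and the
# whole third line are made up for this example.
SAMPLE_LOG = """\
2017-05-19 18:53:46,264 +0000 log_level=ERROR, pid=11116, tid=Thread-5, file=ta_data_collector.py, func_name=_do_safe_index, code_line_no=161 | [stanza_name="SecurityCenterInputs07" data="sc_vulnerability" server="SecurityCenter07"] Failed to get msg
2017-05-19 18:53:46,301 +0000 log_level=ERROR, pid=11116, tid=Thread-5, file=example.py, func_name=example, code_line_no=1 | [stanza_name="SecurityCenterInputs07" data="sc_vulnerability" server="SecurityCenter07"] error_msg=Error getting Scan Result #102 for User #10 in Organization #1.
2017-05-19 18:54:10,010 +0000 log_level=INFO, pid=11116, tid=Thread-2, file=example.py, func_name=example, code_line_no=1 | [stanza_name="SecurityCenterInputs01" data="sc_vulnerability" server="SecurityCenter01"] constructed informational message
"""

# Header, then the [stanza_name=... data=... server=...] prefix, then the message.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+) \S+ log_level=(?P<level>\w+),'
    r'.*?\[stanza_name="(?P<stanza>[^"]+)" data="(?P<data>[^"]+)" '
    r'server="(?P<server>[^"]+)"\]\s*(?P<msg>.*)$')
SCAN_RE = re.compile(r"Scan Result #(\d+)")


def failing_inputs(log_text):
    """Summarise ERROR lines per input stanza: server, count, missing scan IDs."""
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Traceback continuation lines carry no header and are skipped here.
        if not m or m["level"] != "ERROR":
            continue
        entry = report.setdefault(m["stanza"], {
            "server": m["server"], "errors": 0,
            "missing_scans": set(), "last_error": None})
        entry["errors"] += 1
        entry["last_error"] = m["ts"]
        entry["missing_scans"].update(SCAN_RE.findall(m["msg"]))
    return report


if __name__ == "__main__":
    for stanza, info in failing_inputs(SAMPLE_LOG).items():
        print(stanza, info["server"], info["errors"],
              sorted(info["missing_scans"]), info["last_error"])
```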