Hi All:
I am getting the following error, in which Splunk is unable to pull data (scans) from a security center. The Splunk Add-on for Tenable is being utilized to pull the management scans. We have 8 security center servers, and Splunk successfully pulls scan data from the other 7 security center servers, but not from this 8th security server. It has been 1 and a half months since log ingestion stopped. We are pulling a lot of scan data, which Splunk doesn't seem to ingest. The application contact has been able to verify that they are receiving API logins from the Splunk account. This verifies that Splunk is trying to pull the management scan data but is unable to do so.
Verified the permissions for the Splunk account. Permissions look good. The Splunk account is provided the Security Manager, Security Analyst and Vulnerability Analyst roles to get the scan results.
In the Splunk internal logs, I see the following errors:
2017-05-19 18:53:46,264 +0000 log_level=ERROR, pid=11116, tid=Thread-5, file=ta_data_collector.py, func_name=_do_safe_index, code_line_no=161 | [stanza_name="SecurityCenterInputs07" data="sc_vulnerability" server="SecurityCenter07"] Failed to get msg
Traceback (most recent call last):
  File "/oap/poap/a00/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_data_collector.py", line 151, in _do_safe_index
    events, ckpt = self._client.get()
  File "/oap/poap/a00/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_data_client.py", line 74, in get
    return self._gen.send(self.is_stopped())
  File "/oap/poap/a00/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/ta_tenable_sc_data_collector.py", line 188, in _process_sc_vulnerability
    del scan_results[scan_id]
KeyError: u'102
[stanza_name="SecurityCenterInputs07" data="sc_vulnerability" server="SecurityCenter07"] error_msg=Error getting Scan Result #102 for User #10 in Organization #1.
Scan Result #102 does not exist.
The object "102" is missing
Please help me out in troubleshooting this matter.
Thanks,
Obaid
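An added example (not part of the thread and not the add-on's own code): a small Python parser for the add-on log format quoted in the question, which groups ERROR entries by Security Center server and collects the scan result IDs reported as missing, so a stalled input stands out. The sample lines are constructed from the excerpts above; the header fields on the second and third lines are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the excerpts in the question. The header
# fields (timestamp, func_name, code_line_no) of lines 2 and 3 are invented.
SAMPLE_LOG = """\
2017-05-19 18:53:46,264 +0000 log_level=ERROR, pid=11116, tid=Thread-5, file=ta_data_collector.py, func_name=_do_safe_index, code_line_no=161 | [stanza_name="SecurityCenterInputs07" data="sc_vulnerability" server="SecurityCenter07"] Failed to get msg
2017-05-19 18:53:46,101 +0000 log_level=ERROR, pid=11116, tid=Thread-5, file=example.py, func_name=example, code_line_no=1 | [stanza_name="SecurityCenterInputs07" data="sc_vulnerability" server="SecurityCenter07"] error_msg=Error getting Scan Result #102 for User #10 in Organization #1.
2017-05-19 18:54:02,519 +0000 log_level=INFO, pid=11116, tid=Thread-2, file=example.py, func_name=example, code_line_no=1 | [stanza_name="SecurityCenterInputs01" data="sc_vulnerability" server="SecurityCenter01"] sample informational message
"""

LEVEL = re.compile(r"log_level=(\w+)")
STANZA = re.compile(r'\[stanza_name="([^"]+)" data="([^"]+)" server="([^"]+)"\]')
MISSING = re.compile(r"Error getting Scan Result #(\d+)")


def summarize(log_text):
    """Group ERROR lines by server; collect stanzas and missing scan result IDs."""
    report = defaultdict(
        lambda: {"stanzas": set(), "errors": 0, "missing_scans": set()}
    )
    for line in log_text.splitlines():
        level = LEVEL.search(line)
        ctx = STANZA.search(line)
        # Traceback continuation lines carry no header or stanza and are skipped.
        if not level or not ctx or level.group(1) != "ERROR":
            continue
        stanza, _data, server = ctx.groups()
        entry = report[server]
        entry["stanzas"].add(stanza)
        entry["errors"] += 1
        missing = MISSING.search(line)
        if missing:
            entry["missing_scans"].add(int(missing.group(1)))
    return dict(report)


if __name__ == "__main__":
    for server, info in summarize(SAMPLE_LOG).items():
        print(server, sorted(info["stanzas"]), info["errors"],
              sorted(info["missing_scans"]))
```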
We have found that every so often (1-2 months) we stop getting data from Security Center via the Nessus app. I haven't found the root cause, but I have found that if you change the Start Time in the Splunk_TA_nessus inputs for Security Center, it will start working again.
We have the same issue, and change the start date to get it working. We also have the same issue with IP360 data being collected with DBConnect.
We have been having the same issue as well and resetting the checkpoint (Start Time) is the current fix we've been using as well. If anyone has any insight into this issue, it would be much appreciated.
There is a newer version of the Splunk TA nessus, version 5.1.2, that addresses most of the issues and bug fixes. We have implemented the newer version in our environment and we no longer get errors on missing scan ids.