
Splunk Add-on for Tenable: Why has Splunk stopped ingesting an API modular input for security center vulnerability management scans?

mmohiuddin1512
Explorer

Hi All:
I am getting the following error, in which Splunk is unable to pull data (scans) from a Security Center. The Splunk Add-on for Tenable is being used to pull the management scans. We have 8 Security Center servers, and Splunk successfully pulls scan data from 7 of them, but not from this 8th server. It has been one and a half months since log ingestion stopped. We are pulling a lot of scan data, which Splunk doesn't seem to ingest. The application contact has been able to verify that they are receiving API logins from the Splunk account. This verifies that Splunk is trying to pull the management scan data but is unable to do so.

I verified the permissions for the Splunk account, and they look good. The Splunk account has been given the Security Manager, Security Analyst and Vulnerability Analyst roles to get the scan results.

In the Splunk internal logs, I see the following errors:

2017-05-19 18:53:46,264 +0000 log_level=ERROR, pid=11116, tid=Thread-5, file=ta_data_collector.py, func_name=_do_safe_index, code_line_no=161 | [stanza_name="SecurityCenterInputs07" data="sc_vulnerability" server="SecurityCenter07"] Failed to get msg
Traceback (most recent call last):
  File "/oap/poap/a00/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_data_collector.py", line 151, in _do_safe_index
    events, ckpt = self._client.get()
  File "/oap/poap/a00/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_data_client.py", line 74, in get
    return self._gen.send(self.is_stopped())
  File "/oap/poap/a00/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/ta_tenable_sc_data_collector.py", line 188, in _process_sc_vulnerability
    del scan_results[scan_id]
KeyError: u'102

[stanza_name="SecurityCenterInputs07" data="sc_vulnerability" server="SecurityCenter07"] error_msg=Error getting Scan Result #102 for User #10 in Organization #1.
Scan Result #102 does not exist. 
The object "102" is missing

Please help me out in troubleshooting this matter.

Thanks,

Obaid
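An added example, not part of the original post and not code from the add-on: one way to spot an input that is stuck on a missing scan result is to parse the add-on's error lines and flag any stanza that fails repeatedly on the same scan result ID. The sample log is constructed in the format quoted above, and it assumes the `error_msg` lines carry the same timestamp and `log_level` prefix as the traceback line; `stalled_inputs` and `min_repeats` are names made up for this sketch.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the errors quoted in the post; the
# timestamps, the second stanza and the INFO line are invented for the example.
SAMPLE_LOG = """\
2017-05-19 18:53:46,264 +0000 log_level=ERROR, pid=11116, tid=Thread-5, file=ta_data_collector.py, func_name=_do_safe_index, code_line_no=161 | [stanza_name="SecurityCenterInputs07" data="sc_vulnerability" server="SecurityCenter07"] error_msg=Error getting Scan Result #102 for User #10 in Organization #1.
2017-05-19 19:10:02,005 +0000 log_level=ERROR, pid=11116, tid=Thread-3, file=ta_data_collector.py, func_name=_do_safe_index, code_line_no=161 | [stanza_name="SecurityCenterInputs03" data="sc_vulnerability" server="SecurityCenter03"] error_msg=Error getting Scan Result #55 for User #10 in Organization #1.
2017-05-19 19:53:47,101 +0000 log_level=ERROR, pid=11116, tid=Thread-5, file=ta_data_collector.py, func_name=_do_safe_index, code_line_no=161 | [stanza_name="SecurityCenterInputs07" data="sc_vulnerability" server="SecurityCenter07"] error_msg=Error getting Scan Result #102 for User #10 in Organization #1.
2017-05-19 20:00:00,000 +0000 log_level=INFO, pid=11116, tid=Thread-1, file=ta_data_collector.py, func_name=index_data, code_line_no=99 | [stanza_name="SecurityCenterInputs01" data="sc_vulnerability" server="SecurityCenter01"] End of collecting data
2017-05-19 20:53:48,310 +0000 log_level=ERROR, pid=11116, tid=Thread-5, file=ta_data_collector.py, func_name=_do_safe_index, code_line_no=161 | [stanza_name="SecurityCenterInputs07" data="sc_vulnerability" server="SecurityCenter07"] error_msg=Error getting Scan Result #102 for User #10 in Organization #1.
"""

# Matches only ERROR lines of the sc_vulnerability input that name a scan result.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ \S+ log_level=ERROR,.*?'
    r'\[stanza_name="(?P<stanza>[^"]+)" data="sc_vulnerability" '
    r'server="(?P<server>[^"]+)"\].*?Scan Result #(?P<scan_id>\d+)'
)


def stalled_inputs(log_text, min_repeats=3):
    """Return inputs that keep failing on the same scan result ID.

    One failure can be transient; the same ID failing on every collection
    run means the input is stuck and no vulnerability data is arriving.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            hits[(m["stanza"], m["server"], int(m["scan_id"]))].append(m["ts"])
    report = []
    for (stanza, server, scan_id), seen in sorted(hits.items()):
        if len(seen) >= min_repeats:
            report.append({"stanza": stanza, "server": server, "scan_id": scan_id,
                           "failures": len(seen), "first": min(seen), "last": max(seen)})
    return report


if __name__ == "__main__":
    for row in stalled_inputs(SAMPLE_LOG):
        print(row)
```
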

the0duke0
Path Finder

We have found that every so often (1-2 months) we stop getting data from Security Center via the Nessus app. I haven't found the root cause, but I have found that if you change the Start Time in the Splunk_TA_nessus inputs for Security Center, it will start working again.

robjackson
Path Finder

We have the same issue, and change the start date to get it working. We also have the same issue with IP360 data being collected with DBConnect.


krishanp
Explorer

We have been having the same issue as well and resetting the checkpoint (Start Time) is the current fix we've been using as well. If anyone has any insight into this issue, it would be much appreciated.


mmohiuddin1512
Explorer

There is a newer version of Splunk TA nessus, version 5.1.2, that addresses most of the issues and bug fixes. We have implemented the newer version in our environment and we no longer get errors on missing scan ids.
