
Unable to Add Tenable.io Account in Tenable Add-on for Splunk Configuration Screen

sdemoss
Explorer

We have installed the Tenable Add-on for Splunk to our HF as prescribed by the TA documentation. The necessary account on the Tenable side has been created and the API key pieces successfully generated. We have been able to validate this API key using various curl commands as well as testing the API endpoints through developer.tenable.com.

However, when we attempt to configure the Tenable.io account inside of this TA, we are consistently given the "Please enter valid Address or configure valid proxy settings or verify SSL certificate." error message. There is no proxy in use here (again, the programmatic API calls from the CLI all return valid results for various endpoints).

Has anyone else encountered and successfully resolved this issue? My gut tells me that if I could successfully create a valid config file (ta_tenable_settings.conf?) that stores the API keys and account details (typically populated by the Web UI for the add-on), that this would all work just fine. However, I do not have an example of a valid configuration file that stores the details of the Tenable.io account.

Thanks in advance!


sdemoss
Explorer

I was able to solve my own problem with some additional digging. It turns out that the README directory that ships with the TA includes sample configuration files, one of which is called ta_tenable_account.conf. Of course I only found this file after reviewing the various python files in the app's bin directory and extracting the configuration settings it was leveraging 🙂
Upon manually creating an account stanza in this file and restarting Splunk, my account was recognized/registered and I could successfully create an input and index data.

I did not further troubleshoot the issue with TA's web UI for creating an account.

To summarize, if you are receiving this error, do the following as a suitable workaround:
1. Copy the $SPLUNK_HOME/etc/apps/TA-tenable/README/ta_tenable_account.conf.spec file to the TA's local directory
2. Rename the file to remove the ".spec" suffix from the filename
3. Edit the file accordingly. A sample, valid configuration file looks like this:

[myTenableIOAccountName]
tenable_account_type = tenable_io
address = cloud.tenable.com
verify_ssl = 0
access_key = pasteYourApiAccessKeyHere
secret_key = pasteYourApiSecretKeyHere

Restart Splunk, open the Tenable TA and Create a Tenable.io input and you should be off and running.
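
A check an administrator could run over the hand-edited file from the steps above, as an added example that is not part of the original post or the add-on's own code: it flags `verify_ssl = 0`, sample key values left in place, and file permissions that expose the cleartext API keys. It assumes `verify_ssl = 0` turns off TLS certificate verification, as the key name suggests; `audit_account_conf` and `demo` are hypothetical names, and the sample input is the stanza from the post.

```python
import configparser
import os
import stat
import tempfile

PLACEHOLDER = "pasteYour"  # prefix of the sample key values shown in the post
SAMPLE = """\
[myTenableIOAccountName]
tenable_account_type = tenable_io
address = cloud.tenable.com
verify_ssl = 0
access_key = pasteYourApiAccessKeyHere
secret_key = pasteYourApiSecretKeyHere
"""  # constructed input: the stanza from the post, unchanged


def audit_account_conf(path):
    """Return sorted (stanza, finding) tuples for an account conf file."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read(path, encoding="utf-8")
    findings = []
    # Cleartext API keys: only the Splunk service user should read the file.
    # os.stat also raises if the file is missing, which parser.read ignores.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(("<file>", f"mode {mode:03o} lets group/other access API keys"))
    for stanza in parser.sections():
        section = parser[stanza]
        # Assumption: 0/false turns off TLS certificate verification.
        if section.get("verify_ssl", "").strip().lower() in ("0", "false", "no", "off"):
            findings.append((stanza, "verify_ssl is disabled"))
        for key in ("access_key", "secret_key"):
            value = section.get(key, "").strip()
            if value.startswith(PLACEHOLDER):
                findings.append((stanza, f"{key} still holds the sample placeholder"))
    return sorted(findings)


def demo():
    """Audit the sample stanza, written to a temporary file with mode 0644."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ta_tenable_account.conf")
        with open(path, "w", encoding="utf-8") as handle:
            handle.write(SAMPLE)
        os.chmod(path, 0o644)
        return audit_account_conf(path)


if __name__ == "__main__":
    print("\n".join(f"{stanza}: {finding}" for stanza, finding in demo()))
```

Point `audit_account_conf` at the file created in the TA's local directory; an empty list means none of the three conditions were found.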

