
Why are we missing data on Tenable Add-On?

andrew_burnett
Path Finder

We have an issue where Splunk is not showing vulnerabilities in fixed state, but Tenable Cloud has the correct information. So we're likely losing data between Tenable Cloud and Splunk at least for the update of the fixed status of vulnerabilities, but I have no clue why. Logs look clean, we're getting data. And the issue cannot be on Tenable side since they have the correct data and we collect that right off the API. Any ideas?


etoombs
Path Finder

If you're still having this issue, check your logs for the lag between event time and index time. The Tenable add-on pulls all of your open vulnerability data first, and only pulls in the fixed data after all of the open stuff is complete. If you've got a large lag time, it may not be getting as far as actually pulling in the fixed vulns.

Check the /opt/splunk/etc/apps/TA-tenable/default/inputs.conf (and the local inputs.conf if you have one) and look for the "page_size". Increasing this number may resolve the issue. When I was troubleshooting a similar issue, Tenable indicated the number hadn't been changed, but it was set to 1000, meaning it ran API calls for 1000 records at a time and wasn't ever finishing with a large number of vulns. We increased this to 10000, reducing the API calls by a factor of 10 and allowing the process to complete so all our vulns got pulled in.

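A small diagnostic for the two checks in the reply above, as an added example that is not part of this thread or of the Tenable add-on: it computes the event-time vs index-time lag per vulnerability state from exported Splunk events and reads page_size out of an inputs.conf-style text. The event sample, the inputs.conf excerpt and its stanza name are constructed placeholders.

```python
"""Added diagnostic (not from the Tenable add-on): lag per state and page_size."""
import configparser
from collections import defaultdict

# Constructed events, as exported from a search over index=tenable, with
# _time/_indextime as epoch seconds and the vulnerability state field.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "_indextime": 1700000120, "state": "open"},
    {"_time": 1700000000, "_indextime": 1700000300, "state": "open"},
    {"_time": 1700000000, "_indextime": 1700086400, "state": "fixed"},
]

# Constructed inputs.conf excerpt; the stanza name is a placeholder,
# not the add-on's real stanza.
SAMPLE_INPUTS_CONF = """
[placeholder_tenable_stanza]
interval = 3600
page_size = 1000
"""

def lag_by_state(events):
    """Return {state: max lag in seconds} between _indextime and _time."""
    lag = defaultdict(int)
    for e in events:
        lag[e["state"]] = max(lag[e["state"]], e["_indextime"] - e["_time"])
    return dict(lag)

def diagnose(events, max_lag_seconds=3600):
    """List states that are absent or lag more than max_lag_seconds."""
    lag = lag_by_state(events)
    problems = []
    if "fixed" not in lag:
        problems.append("no fixed-state events indexed at all")
    for state, secs in lag.items():
        if secs > max_lag_seconds:
            problems.append(f"{state}: max lag {secs}s exceeds {max_lag_seconds}s")
    return problems

def page_size_from_conf(text):
    """Return {stanza: page_size} for every stanza that sets page_size."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {s: cp.getint(s, "page_size")
            for s in cp.sections() if cp.has_option(s, "page_size")}

def api_calls_needed(vuln_count, page_size):
    """Paged API calls needed to pull vuln_count records (ceiling division)."""
    return -(-vuln_count // page_size)
```

With 250000 vulns, api_calls_needed shows the factor-of-ten drop from page_size 1000 to 10000 that the reply describes.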

richgalloway
SplunkTrust

Are you sure the fixed vulnerabilities are reported to Splunk? Use tcpdump or wireshark (or similar) to confirm the data gets from Tenable to Splunk.

How are you searching for fixed vulns? If you search the entire index (index=tenable earliest=-30d latest=+30d) do you see any fixed events?

---
If this reply helps you, Karma would be appreciated.

andrew_burnett
Path Finder

No the issue is that it's not getting to Splunk, but I have no clue why that would be. The data is in Tenable Cloud but not getting to Splunk apparently.


richgalloway
SplunkTrust

If the data is not getting into Splunk then there should be a log message, either on the Splunk or Tenable side, explaining why.

Is the add-on installed properly? On which instance type(s) is it installed? Is it configured?

Have you confirmed network connectivity between Splunk and Tenable?

---
If this reply helps you, Karma would be appreciated.