I've searched through the answers and most suggestions are to disable and then enable the input or change the Start Time; some have even re-installed the app. For a while, I only had to open the input in the GUI, which resets it, and that would work to get the data coming in again. Yesterday, when I restarted Splunk for another reason, data started to come in again. I've tried everything but reinstalling the add-on this morning with no luck. I am running 5.1.2 for the add-on and my Splunk version is 7.0.1.
Here is the error I'm getting. I have double-checked the user name and password, both of which have not been changed on Nessus/Security Center and in the Splunk configuration.
2018-02-15 14:01:33,278 +0000 log_level=ERROR, pid=338, tid=Thread-4, file=ta_data_collector.py, func_name=index_data, code_line_no=118 | [stanza_name="Vulnerability" data="sc_vulnerability" server="SecuirtyCenter"] Failed to index data
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_data_collector.py", line 115, in index_data
    self._do_safe_index()
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_data_collector.py", line 148, in _do_safe_index
    self._client = self._create_data_client()
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_data_collector.py", line 95, in _create_data_client
    self._checkpoint_manager)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_data_client.py", line 55, in __init__
    self._ckpt)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/ta_tenable_sc_data_collector.py", line 18, in do_job_one_time
    return _do_job_one_time(all_conf_contents, task_config, ckpt)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/ta_tenable_sc_data_collector.py", line 53, in _do_job_one_time
    logger_prefix=logger_prefix)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/security_center.py", line 219, in get_security_center
    sc.login(username, password)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/security_center.py", line 46, in login
    self._token = str(result['token'])
KeyError: 'token'
This is not the same issue being reported in all the other threads.
In my case (and a few people have yelled 'me too'), the issue is that collection stops with no apparent error:
https://answers.splunk.com/answers/583400/splunk-add-on-for-tenable-stalls-when-collecting-f.html
Your example seems quite different, in that you are seeing an issue with authentication:
    sc.login(username, password)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/security_center.py", line 46, in login
    self._token = str(result['token'])
KeyError: 'token'
I don't know what could cause this, but on the face of it your deployment is working correctly. Check the SC logs to see if there were any issues with the credentials you were using at that time. It also explains why in your env it could start working again once the auth problem has cleared up.
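A log triage sketch for the distinction drawn above, added as an example (not part of the original posts and not the add-on's code): it groups each ERROR record in the add-on log with its traceback and flags the login `KeyError: 'token'` case separately from other failures. The sample log is constructed from the format quoted in this thread; its INFO record and second traceback are made up, and indentation of traceback lines is ignored.

```python
import re
from collections import Counter

# Constructed sample in the log format quoted in this thread (2nd and 3rd records are made up).
SAMPLE_LOG = '''\
2018-02-15 14:01:33,278 +0000 log_level=ERROR, pid=338, tid=Thread-4, file=ta_data_collector.py, func_name=index_data, code_line_no=118 | [stanza_name="Vulnerability" data="sc_vulnerability" server="SecuirtyCenter"] Failed to index data
Traceback (most recent call last):
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/security_center.py", line 219, in get_security_center
sc.login(username, password)
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/security_center.py", line 46, in login
self._token = str(result['token'])
KeyError: 'token'
2018-02-15 14:05:00,000 +0000 log_level=INFO, pid=338, tid=Thread-4, file=example.py, func_name=example, code_line_no=1 | constructed informational record
2018-02-15 20:01:40,512 +0000 log_level=ERROR, pid=338, tid=Thread-4, file=ta_data_collector.py, func_name=index_data, code_line_no=118 | [stanza_name="Vulnerability" data="sc_vulnerability" server="SecuirtyCenter"] Failed to index data
Traceback (most recent call last):
File "/constructed/path/example.py", line 1, in fetch
raise ValueError("constructed non-auth failure")
ValueError: constructed non-auth failure
'''

TS = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d+ ")
HEADER = re.compile(
    r'^(?P<ts>\S+ \S+) \S+ log_level=ERROR,.*?'
    r'\[stanza_name="(?P<stanza>[^"]*)".*?server="(?P<server>[^"]*)"\] (?P<msg>.*)$')

def parse_events(text):
    """Group each ERROR record with the traceback lines that follow it."""
    events, current = [], None
    for line in text.splitlines():
        if TS.match(line):                       # a timestamp starts a new record
            m = HEADER.match(line)
            current = dict(m.groupdict(), trace=[]) if m else None
            if current:
                events.append(current)
        elif current is not None and line.strip():
            current["trace"].append(line.strip())
    for ev in events:
        trace = ev["trace"]
        ev["exception"] = trace[-1] if trace else ""
        in_login = any(t.endswith(", in login") for t in trace)
        # The thread's failure: login() received a result without a 'token' key.
        ev["kind"] = ("auth" if in_login and ev["exception"] == "KeyError: 'token'"
                      else "other")
    return events

def summarize(events):
    return Counter((e["stanza"], e["server"], e["kind"]) for e in events)

print(summarize(parse_events(SAMPLE_LOG)))
```

The timestamps of the `auth` events can then be lined up against the Security Center logs for the same period.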
I haven't had the issue in a while; however, if it is an authentication issue, we have an idea of what the problem may be. Our Security Center drops connection to AD on occasion; we have a ticket open with Tenable to help resolve the issue.
Thanks for pointing that out.
This add-on is really frustrating...
I came in this morning and it is working again. The majority of our scans run at night, so my usual setting to check for data is about every six hours. I went to adjust the check for data setting, then I went to monitor the sourcetype for updates. The last logs came in at 0100. I have no idea what is going on with this add-on.