Splunk Add-on for Tenable: Security Center Logs Failed to Index

gworkun
Explorer

On Splunk 6.6, most up-to-date Splunk Add-On for Tenable. Been using it successfully from around February 2017 til middle of May 2017 with no issues, but after a Splunk update or two, have noticed the logs stopped flowing into Splunk.

No network change, Security Center user change to be noted, but seeing the following error at regular intervals coming in (once every 60-90 seconds, just depends on the interval I have set or changed to troubleshoot). Didn't know if this was due to an update to Splunk that the Add-On did not account for, or if it was something else. Seeing some few other questions with similar reported issues, but wanted to bump the posts up with this error.

Any assistance or direction would be fantastic!

885 +0000 log_level=ERROR, pid=2248, tid=Thread-6, file=ta_data_collector.py, func_name=index_data, code_line_no=118 | [stanza_name="SecurityCenterInput" data="sc_vulnerability" server="SecurityCenter"] Failed to index data
Traceback (most recent call last):
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\splunktaucclib\data_collection\ta_data_collector.py", line 115, in index_data
self.do_safe_index()
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\splunktaucclib\data_collection\ta_data_collector.py", line 148, in _do_safe_index
self._client = self._create_data_client()
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\splunktaucclib\data_collection\ta_data_collector.py", line 89, in _create_data_client
ckpt = self._get_ckpt()
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\splunktaucclib\data_collection\ta_data_collector.py", line 80, in _get_ckpt
return self._checkpoint_manager.get_ckpt()
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\splunktaucclib\data_collection\ta_checkpoint_manager.py", line 31, in get_ckpt
return self._store.get_state(key)
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\splunktalib\state_store.py", line 141, in get_state
state = json.load(jsonfile)
File "C:\Program Files\Splunk\Python-2.7\Lib\json\__init__.py", line 291, in load
**kw)
File "C:\Program Files\Splunk\Python-2.7\Lib\json\__init__.py", line 339, in loads
return _default_decoder.decode(s)
File "C:\Program Files\Splunk\Python-2.7\Lib\json\decoder.py", line 364, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "C:\Program Files\Splunk\Python-2.7\Lib\json\decoder.py", line 382, in raw_decode
raise ValueError("No JSON object could be decoded")

ValueError: No JSON object could be decoded

0 Karma
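
The traceback above ends in `json.load` inside the add-on's `state_store.get_state`, so the checkpoint file being read did not contain parseable JSON. As an added example (not part of the original post or of the add-on's code), this script classifies every file in a checkpoint directory as valid, empty, or invalid JSON; the directory is passed as an argument because the post does not say where the add-on keeps its checkpoints.

```python
import json
import os
import sys


def classify_checkpoint(path):
    """Return 'ok', 'empty' or 'invalid' for one checkpoint file."""
    with open(path, "rb") as fh:
        raw = fh.read()
    # A zero-byte or whitespace-only file makes json.load raise the same
    # ValueError seen in the traceback, so report it separately.
    if not raw.strip():
        return "empty"
    try:
        json.loads(raw.decode("utf-8"))
    except ValueError:
        # Covers JSON syntax errors (e.g. a truncated write) and
        # undecodable bytes; both are ValueError subclasses.
        return "invalid"
    return "ok"


def scan_checkpoints(directory):
    """Map each regular file in `directory` to its classification."""
    results = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            results[name] = classify_checkpoint(path)
    return results


if __name__ == "__main__":
    # The checkpoint directory is an assumption supplied by the operator.
    if len(sys.argv) != 2:
        sys.exit("usage: check_ckpt.py <checkpoint-directory>")
    bad = 0
    for name, status in scan_checkpoints(sys.argv[1]).items():
        print("%-8s %s" % (status, name))
        bad += status != "ok"
    # Non-zero exit lets a scheduled job alert when any file is unreadable.
    sys.exit(1 if bad else 0)
```

The script only reads files, so it can be run while the input is still enabled.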
1 Solution

gworkun
Explorer

I've actually had some luck just re-installing app on an existing Indexer that did not have the app previously. Made no changes to any python files or setup things, just re-added inputs through the App on Splunk and seems to be working about. Still curious about that error, but reapplying app to new indexer has worked for me for now.

0 Karma

wanderson7
Explorer

Hi, I realize this is an older question, and I am not sure if this directly answers your question, but perhaps it could be of some help.

I recently developed a free open-source application called TenaPull, which processes Nessus data for ingestion by Splunk.  There is more information here:

https://community.splunk.com/t5/Getting-Data-In/I-developed-an-application-to-process-Nessus-data-fo...

GitHub repo:
https://github.com/billyJoePiano/TenaPull

0 Karma

rosslopez
Observer

Any luck? I'm having this problem with v5.1.1 on Splunk 6.5.2. Upgraded app to v5.1.2 and still no luck.

0 Karma

nickhills
Ultra Champion

Funnily enough, I was going to close my question today with an update saying "all has been well since the update", however - it seems that my HF got restarted at the weekend, so it's not really had time to prove itself yet.

Stay tuned...

If my comment helps, please give it a thumbs up!
0 Karma

nickhills
Ultra Champion

Despite searching, I only found your question after posting mine!
https://answers.splunk.com/answers/583400/splunk-ta-nessus-stalls-collecting-from-security-c.html?mi...

Smells like it could be related - will see if I can see the same error in mine.

If my comment helps, please give it a thumbs up!
0 Karma

gworkun
Explorer

Indeed, tried your temporary solution of disabling/enabling the input to no avail. I'll keep exploring other routes, but seems like may need some guidance from app creators or those that have seen this problem often.

0 Karma