Solved: Splunk Add-on for Tenable: Security Center Logs Fa...

gworkun · ‎10-13-2017

On Splunk 6.6, most up-to-date Splunk Add-On for Tenable. Been using it successfully from around February 2017 til middle of May 2017 with no issues, but after a Splunk update or two, have noticed the logs stopped flowing into Splunk.

No network change, Security Center user change to be noted, but seeing the following error at regular intervals coming in (once every 60-90 seconds, just depends on the interval I have set or changed to troubleshoot). Didn't know if this was due to an update to Splunk that the Add-On did not account for, or if it was something else. Seeing some few other questions with similar reported issues, but wanted to bump the posts up with this error.

Any assistance or direction would be fantastic!

885 +0000 log_level=ERROR, pid=2248, tid=Thread-6, file=ta_data_collector.py, func_name=index_data, code_line_no=118 | [stanza_name="SecurityCenterInput" data="sc_vulnerability" server="SecurityCenter"] Failed to index data
Traceback (most recent call last):
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\splunktaucclib\data_collection\ta_data_collector.py", line 115, in index_data
self.do_safe_index()
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\splunktaucclib\data_collection\ta_data_collector.py", line 148, in _do_safe_index
self._client = self._create_data_client()
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\splunktaucclib\data_collection\ta_data_collector.py", line 89, in _create_data_client
ckpt = self._get_ckpt()
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\splunktaucclib\data_collection\ta_data_collector.py", line 80, in _get_ckpt
return self._checkpoint_manager.get_ckpt()
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\splunktaucclib\data_collection\ta_checkpoint_manager.py", line 31, in get_ckpt
return self._store.get_state(key)
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\splunktalib\state_store.py", line 141, in get_state
state = json.load(jsonfile)
File "C:\Program Files\Splunk\Python-2.7\Lib\json__init.py", line 291, in load
**kw)
File "C:\Program Files\Splunk\Python-2.7\Lib\json__init_.py", line 339, in loads
return _default_decoder.decode(s)
File "C:\Program Files\Splunk\Python-2.7\Lib\json\decoder.py", line 364, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "C:\Program Files\Splunk\Python-2.7\Lib\json\decoder.py", line 382, in raw_decode
raise ValueError("No JSON object could be decoded")

ValueError: No JSON object could be decoded

gworkun · ‎10-23-2017

I've actually had some luck just re-installing app on an existing Indexer that did not have the app previously. Made no changes to any python files or setup things, just re-added inputs through the App on Splunk and seems to be working about. Still curious about that error, but reapplying app to new indexer has worked for me for now.

View solution in original post

wanderson7 · ‎05-21-2022

Hi, I realize this is an older question, and I am not sure if this directly answers your question, but perhaps it could be of some help.

I recently developed a free open-source application called TenaPull, which processes Nessus data for ingestion by Splunk. There is more information here:
https://community.splunk.com/t5/Getting-Data-In/I-developed-an-application-to-process-Nessus-data-fo...

GitHub repo:
https://github.com/billyJoePiano/TenaPull

gworkun · ‎10-23-2017

I've actually had some luck just re-installing app on an existing Indexer that did not have the app previously. Made no changes to any python files or setup things, just re-added inputs through the App on Splunk and seems to be working about. Still curious about that error, but reapplying app to new indexer has worked for me for now.

rosslopez · ‎10-23-2017

Any luck? Im having this problem with v5.1.1 on Splunk 6.5.2. Upgraded app to v5.1.2 and still no luck.

nickhills · ‎10-23-2017

Funnily enough, I was going to close my question today with an update saying "all has been well since the update", however - it seems that my HF got restarted at the weekend, so its not really had time to prove itself yet.

Stay tuned...

If my comment helps, please give it a thumbs up!

nickhills · ‎10-16-2017

Despite searching, I only found your question after posting mine!
https://answers.splunk.com/answers/583400/splunk-ta-nessus-stalls-collecting-from-security-c.html?mi...

Smells like it could be related - will see if I can see the same error in mine.

If my comment helps, please give it a thumbs up!

gworkun · ‎10-16-2017

Indeed, tried your temporary solution of disabling/enabling the input to no avail. I'll keep exploring other routes, but seems like may need some guidance from app creators or those that have seen this problem often.

Splunk Add-on for Tenable: Security Center Logs Failed to Index

Any assistance or direction would be fantastic!

ValueError: No JSON object could be decoded

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!