Splunk Enterprise

How do I get Tenable add-on to connect to Splunk?

sudderthc
Loves-to-Learn Lots

Hello all,

I was reaching out to see if anyone has come across issues connecting Tenable.sc add-on to Splunk.  I downloaded the Tenable application and add-on, and I was able upload to Splunk.  My issue is getting Tenable to connect to Splunk.  When I try with credentials, I receive the following error, "Please enter valid address, username and password, or configure valid proxy settings or verify  SSL certificate."  When trying with API keys, I receive the following error, "Please enter valid address, access key, secret key, or configure valid proxy settings.  I have verified credentials and API keys multiple times.  Can anyone help with this?  Thank you. 

Labels (2)
Tags (1)
0 Karma

esalesapns2
Communicator

the curl command works from the command line only if I specify "-k" (ignore SSL cert)
how do I get Splunk to accept the cert?

0 Karma

Tom_Lundie
Contributor

Hi @sudderthc,

First and foremost, this add-on is supported by Tenable so I would raise a case with them if you can't get this going.

Looking at tenable_account_validation.py that error is unfortunately just as vague as it looks. Funnily enough, the ConnectionError exception that's raised to trigger that exception is decently verbose but for some reason the TA Devs have decided to mask it with that generic error you're seeing.

If you're comfortable with it, you could temporarily modify the TA to include the verbose exception details. I've also included some more generic troubleshooting steps to help if you'd rather not touch the code.

Making the TA Validation More Verbose:

Modify tenable_account_validation.py lines 221-223
From:

 

                except Exception:
                    msg = "Please enter valid Address, Username and Password or configure valid proxy settings or verify SSL certificate."
                    raise Exception(msg)

 

To:

 

                except Exception as e:
                    msg = "Please enter valid Address, Username and Password or configure valid proxy settings or verify SSL certificate. Verbose Details: " + repr(e)
                    raise Exception(msg)

 

Then try to add your account again. It should now include the verbose details about what went wrong.

High-Level Troubleshooting:

If I were troubleshooting this on the Splunk host, I would step-through the following:

1. Establish basic connectivity:

 

curl -k https://tenablesc_host:tenablesc_port/rest/system

 

If you're behind a proxy you can use the --proxy curl switch.
Do you get a response? If not then you'll need to facilitate this connectivity first.

2. Validate SSL Settings:

(This is only applicable if you're using verify_ssl=true, if not then skip to 3.)

 

curl https://tenablesc_host:tenablesc_port/rest/system

 

Does the same command work with SSL Verification (no -k)? If not, then you're probably using a self-signed certificate for your Tenable SC instance. Tenable does not support self-signed certificates on their SDK, but you could modify the TA slightly to support it. A quick look through the code shows that it leverages the restfly library so you could update the APISessions base class to support your self-signed certificate. Do this as your own risk, it will be a trade-off between SSL verification and upstream support.

3. Validate Credentials

If you've managed to establish connectivity then I would test if your credentials are working properly.

 

curl https://tenablesc_host:tenablesc_port/rest/system -H "X-APIKey: accessKey=123; secretKey=123;"

 

(Replacing 123 with the appropriate keys) does this return the same content as the previous commands? If not and you receive a login denied message instead, validate that your credentials are correct and API key login is enabled on the SC instance.

Good Luck, let me know how you get on!

0 Karma
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...