Splunk Add-on for Tenable: Why am I getting error ...

perfecto25 · ‎03-09-2017

Current Application: Splunk Add-on for Tenable
App Version
5.1.1
App Build
2

Splunk Version
6.5.2
Splunk Build
67571ef4b87d

I upgraded the Splunk Add-on for Tenable to the current version. When adding a new Nessus Input, Splunk is not ingesting any data from Nessus.

Based on the logs, the problem seems to be a change in the way set-cookie format is being implemented

Fail to load endpoint "global_settings" - Unspecified internal server error. reason={"messages":[{"type":"ERROR","text":"External handler failed with code '1' and output: 'REST ERROR[1021]: Fail to decrypt the encrypted credential information - not well-formed (invalid token): line 33, column 37'. See splunkd.log for stderr output."}]}

3/9/17
2:13:22.673 PM  
2017-03-09 19:13:22,673 +0000 log_level=INFO, pid=31587, tid=MainThread, file=ta_mod_input.py, func_name=main, code_line_no=187 | End Tenable task
host =  splunk02.corp.local source =  /opt/splunk/var/log/splunk/splunk_ta_nessus_tenable_sc.log sourcetype = tenable:sc:log
3/9/17
2:13:22.673 PM  
2017-03-09 19:13:22,673 +0000 log_level=ERROR, pid=31587, tid=MainThread, file=ta_mod_input.py, func_name=main, code_line_no=186 | Tenable task encounter exception
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_mod_input.py", line 183, in main
    config_cls=configer_cls)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_mod_input.py", line 100, in run
Show all 19 lines
host =  splunk02.corp.local source =  /opt/splunk/var/log/splunk/splunk_ta_nessus_tenable_sc.log sourcetype = tenable:sc:log
3/9/17
2:13:22.673 PM  
**2017-03-09 19:13:22,673 +0000 log_level=ERROR, pid=31587, tid=MainThread, file=config.py, func_name=log, code_line_no=50 | UCC Config Module: Fail to load endpoint "global_settings" - Unspecified internal server error. reason={"messages":[{"type":"ERROR","text":"External handler failed with code '1' and output: 'REST ERROR[1021]: Fail to decrypt the encrypted credential information - not well-formed (invalid token): line 33, column 37'.  See splunkd.log for stderr output."}]}
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/tenable_sc.py", line 21, in <module>**
    ta_run()
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/tenable_sc.py", line 17, in ta_run
    ta_input.main(collector_cls, schema_file_path, 'tenable_sc')
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_mod_input.py", line 183, in main
    config_cls=configer_cls)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_mod_input.py", line 100, in run
    tconfig = tc.create_ta_config(settings, config_cls or tc.TaConfig)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_config.py", line 181, in create_ta_config
    return config_cls(meta_config, settings)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_config.py", line 24, in __init__
    self._load_task_configs()
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_config.py", line 48, in _load_task_configs
    self._client_schema)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_helper.py", line 67, in __init__
    self._load_conf_contents()
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_helper.py", line 93, in _load_conf_contents
    self._all_conf_contents = self._config.load()
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/config.py", line 126, in load
    log(msg, level=logging.ERROR, need_tb=True)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/config.py", line 48, in log
    stack = ''.join(traceback.format_stack())
None
Collapse
host =  splunk02.corp.local source =  /opt/splunk/var/log/splunk/splunk_ta_nessus_tenable_sc.log sourcetype = tenable:sc:log
3/9/17
2:13:20.685 PM  
2017-03-09 19:13:20,685 +0000 log_level=INFO, pid=31587, tid=MainThread, file=ta_mod_input.py, func_name=main, code_line_no=180 | Start Tenable task
host =  splunk02.corp.local source =  /opt/splunk/var/log/splunk/splunk_ta_nessus_tenable_sc.log sourcetype = tenable:sc:log
3/9/17
2:13:02.316 PM  
2017-03-09 19:13:02,316 +0000 log_level=INFO, pid=14646, tid=MainThread, file=ta_config.py, func_name=_generate_task_configs, code_line_no=78 | Totally generated 0 task configs
host =  splunk01.corp.local source =  /opt/splunk/var/log/splunk/splunk_ta_nessus_tenable_sc.log sourcetype = tenable:sc:log
3/9/17
2:13:00.436 PM  
2017-03-09 19:13:00,436 +0000 log_level=INFO, pid=14646, tid=MainThread, file=ta_mod_input.py, func_name=main, code_line_no=180 | Start Tenable task
host =  splunk01.corp.local source =  /opt/splunk/var/log/splunk/splunk_ta_nessus_tenable_sc.log sourcetype = tenable:sc:log
3/9/17
2:12:53.398 PM  
2017-03-09 19:12:53,398 +0000 log_level=INFO, pid=30552, tid=MainThread, file=ta_mod_input.py, func_name=main, code_line_no=187 | End Tenable task
host =  splunk02.corp.local source =  /opt/splunk/var/log/splunk/splunk_ta_nessus_tenable_sc.log sourcetype = tenable:sc:log
3/9/17
2:12:53.398 PM  
2017-03-09 19:12:53,398 +0000 log_level=ERROR, pid=30552, tid=MainThread, file=ta_mod_input.py, func_name=main, code_line_no=186 | Tenable task encounter exception
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_mod_input.py", line 183, in main
    config_cls=configer_cls)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_mod_input.py", line 100, in run
Show all 19 lines
host =  splunk02.corp.local source =  /opt/splunk/var/log/splunk/splunk_ta_nessus_tenable_sc.log sourcetype = tenable:sc:log
3/9/17
2:12:53.398 PM  
2017-03-09 19:12:53,398 +0000 log_level=ERROR, pid=30552, tid=MainThread, file=config.py, func_name=log, code_line_no=50 | UCC Config Module: Fail to load endpoint "global_settings" - Unspecified internal server error. reason={"messages":[{"type":"ERROR","text":"External handler failed with code '1' and output: 'REST ERROR[1021]: Fail to decrypt the encrypted credential information - not well-formed (invalid token): line 33, column 37'.  See splunkd.log for stderr output."}]}
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/tenable_sc.py", line 21, in <module>
    ta_run()
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/tenable_sc.py", line 17, in ta_run
    ta_input.main(collector_cls, schema_file_path, 'tenable_sc')

shujain_splunk · ‎03-19-2017

Can you please try below steps and see if it helps?

Stop Splunk
Remove local/passwords.conf
Reconfig /local/inputs.conf: entering the accesskey and secretKey in plain text

Restart Splunk

naqviah · ‎04-24-2017

Did this ever work to resolve the issue. I am seeing the same error messages. Please advise..

Splunk Add-on for Tenable: Why am I getting error "REST ERROR[1021]: Fail to decrypt the encrypted credential information" after adding a new Nessus input?

Restart Splunk

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?