We are running SecurityCenter 5.3 and I've just enabled the new Splunk Add-on for Nessus, but I'm not able to return any data. I'm getting the following error in the tenable logs:
2016-08-04 21:45:23,598 +0000 log_level=ERROR, pid=4520, tid=Thread-4, file=ta_data_collector.py, func_name=_do_safe_index, code_line_no=161 | [stanza_name="SecurityCenter" data="sc_vulnerability" server="CMU_SecurityCenter"] Failed to get msg
Traceback (most recent call last):
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\splunktaucclib\data_collection\ta_data_collector.py", line 151, in _do_safe_index
    events, ckpt = self._client.get()
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\splunktaucclib\data_collection\ta_data_client.py", line 73, in get
    return self._gen.next()
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\ta_tenable_sc_data_collector.py", line 93, in _process_sc_vulnerability
    _pre_process_ckpt(sc, task_config, ckpt, logger_prefix)
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\ta_tenable_sc_data_collector.py", line 212, in _pre_process_ckpt
    job_start_time, end_time))
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\security_center.py", line 134, in perform_request
    self._error_check(response, result)
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\security_center.py", line 177, in _error_check
    result['error_msg'])
APIError: 'status=403, error_code=163, error_msg=Administrators may not manage Scan Results.\n'
I was granted a service account to SecurityCenter which has Administrator Privileges. Googling this error doesn't yield too much info, and I am not a SecurityCenter admin myself, so I'm not sure if we've configured the right permissions.
Is there a built-in role to assign to our service account, or one we can create for this purpose?
Hi Coltwanger
You have to apply for the role in security center to be able to get data into Splunk.
See http://docs.splunk.com/Documentation/AddOns/released/Nessus/Hardwareandsoftwarerequirements for more information.
Thank you! I have to say I'm embarrassed I missed that part of the documentation 😞
Unfortunately after resolving that error, I'm now getting this one:
2016-08-05 16:23:38,476 +0000 log_level=ERROR, pid=4244, tid=Thread-7, file=ta_data_collector.py, func_name=_do_safe_index, code_line_no=161 | [stanza_name="SecurityCenter" data="sc_vulnerability" server="CMU_SecurityCenter"] Failed to get msg
Traceback (most recent call last):
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\splunktaucclib\data_collection\ta_data_collector.py", line 151, in _do_safe_index
    events, ckpt = self._client.get()
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\splunktaucclib\data_collection\ta_data_client.py", line 74, in get
    return self._gen.send(self.is_stopped())
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\ta_tenable_sc_data_collector.py", line 146, in _process_sc_vulnerability
    vuln_list = sc.get_vulns(scan_id, start_offset, end_offset)
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\security_center.py", line 83, in get_vulns
    result = self.perform_request('POST', 'analysis', args)
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\security_center.py", line 132, in perform_request
    result = json.loads(content)
  File "C:\Program Files\Splunk\Python-2.7\Lib\json\__init__.py", line 339, in loads
    return _default_decoder.decode(s)
  File "C:\Program Files\Splunk\Python-2.7\Lib\json\decoder.py", line 364, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "C:\Program Files\Splunk\Python-2.7\Lib\json\decoder.py", line 382, in raw_decode
    raise ValueError("No JSON object could be decoded")
ValueError: No JSON object could be decoded
Any ideas?
Edit: Never mind, I decreased the batch size to 5,000 and got rid of this error. I still don't have any data coming in, but no more errors in the tenable log, so we'll let it sit over the weekend to see if it generates anything to ingest 🙂
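Added example (not code from this thread or from the Splunk add-on): a defensive parser for SecurityCenter response bodies that reports both failures seen above, the status=403/error_code=163 envelope and a body that is not JSON at all, with context rather than a bare traceback. The class and function names and the sample bodies are constructed, and the error-to-fix mapping in diagnose() is assumed from what this thread arrived at.

```python
import json

# error_code SecurityCenter returned in the thread (with status=403) when the
# service account held the Administrator role.
SC_ERROR_ADMIN_SCAN_RESULTS = 163


class SCAPIError(Exception):
    """Structured failure of one SecurityCenter REST call (hypothetical class)."""
    def __init__(self, status, error_code, error_msg):
        Exception.__init__(self, "status=%s, error_code=%s, error_msg=%s"
                           % (status, error_code, error_msg))
        self.status, self.error_code, self.error_msg = status, error_code, error_msg


def parse_sc_response(status, content, snippet_len=80):
    """Decode a SecurityCenter body and return its 'response' payload, reporting
    both failure modes from the thread with context: a JSON error envelope
    (status=403, error_code=163) and a body that is not JSON at all."""
    try:
        result = json.loads(content)
    except ValueError:  # json.JSONDecodeError is a ValueError subclass (2.7 and 3)
        snippet = content[:snippet_len].replace("\n", " ")
        raise SCAPIError(status, None,
                         "non-JSON body (%d bytes): %r" % (len(content), snippet))
    code = result.get("error_code", 0)
    if status >= 400 or code:
        raise SCAPIError(status, code, result.get("error_msg", "").strip())
    return result.get("response")


def diagnose(err):
    """Map an SCAPIError to the fix this thread arrived at (assumed mapping)."""
    if err.error_code == SC_ERROR_ADMIN_SCAN_RESULTS:
        return "grant the add-on's documented SecurityCenter role"
    if err.error_code is None:
        return "lower the analysis batch size and retry"
    return "unknown; see error_msg"


def collect(status, content):
    """Return ('ok', payload) or ('error', diagnosis) for one response body."""
    try:
        return "ok", parse_sc_response(status, content)
    except SCAPIError as err:
        return "error", diagnose(err)


# Constructed sample bodies modelled on the two errors above and on a success.
SAMPLE_403 = ('{"type":"regular","response":{},"error_code":163,'
              '"error_msg":"Administrators may not manage Scan Results.\\n"}')
SAMPLE_NOT_JSON = "<html><body>Request failed</body></html>"
SAMPLE_OK = '{"type":"regular","response":{"totalRecords":"2","results":[{"pluginID":"10"}]},"error_code":0,"error_msg":""}'
```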
Did this change ever work to get the logs to be ingested by Splunk?