Splunk Add-on for Nessus: What SecurityCenter Permissions are required?

coltwanger
Contributor

We are running SecurityCenter 5.3 and I've just enabled the new Splunk Add-on for Nessus, but I'm not able to return any data. I'm getting the following error in the tenable logs:

2016-08-04 21:45:23,598 +0000 log_level=ERROR, pid=4520, tid=Thread-4, file=ta_data_collector.py, func_name=_do_safe_index, code_line_no=161 | [stanza_name="SecurityCenter" data="sc_vulnerability" server="CMU_SecurityCenter"] Failed to get msg
Traceback (most recent call last):
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\splunktaucclib\data_collection\ta_data_collector.py", line 151, in _do_safe_index
    events, ckpt = self._client.get()
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\splunktaucclib\data_collection\ta_data_client.py", line 73, in get
    return self._gen.next()
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\ta_tenable_sc_data_collector.py", line 93, in _process_sc_vulnerability
    _pre_process_ckpt(sc, task_config, ckpt, logger_prefix)
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\ta_tenable_sc_data_collector.py", line 212, in _pre_process_ckpt
    job_start_time, end_time))
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\security_center.py", line 134, in perform_request
    self._error_check(response, result)
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\security_center.py", line 177, in _error_check
    result['error_msg'])
APIError: 'status=403, error_code=163, error_msg=Administrators may not manage Scan Results.\n'

I was granted a service account to SecurityCenter which has Administrator Privileges. Googling this error doesn't yield too much info, and I am not a SecurityCenter admin myself, so I'm not sure if we've configured the right permissions.

Is there a built-in role to assign to our service account, or one we can create for this purpose?

0 Karma
1 Solution

rwang_splunk
Splunk Employee

Hi Coltwanger

You have to apply for the role in security center to be able to get data into Splunk.

See http://docs.splunk.com/Documentation/AddOns/released/Nessus/Hardwareandsoftwarerequirements for more information.

coltwanger
Contributor

Thank you! I have to say I'm embarrassed I missed that part of the documentation 😞

Unfortunately after resolving that error, I'm now getting this one:

2016-08-05 16:23:38,476 +0000 log_level=ERROR, pid=4244, tid=Thread-7, file=ta_data_collector.py, func_name=_do_safe_index, code_line_no=161 | [stanza_name="SecurityCenter" data="sc_vulnerability" server="CMU_SecurityCenter"] Failed to get msg
Traceback (most recent call last):
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\splunktaucclib\data_collection\ta_data_collector.py", line 151, in _do_safe_index
    events, ckpt = self._client.get()
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\splunktaucclib\data_collection\ta_data_client.py", line 74, in get
    return self._gen.send(self.is_stopped())
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\ta_tenable_sc_data_collector.py", line 146, in _process_sc_vulnerability
    vuln_list = sc.get_vulns(scan_id, start_offset, end_offset)
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\security_center.py", line 83, in get_vulns
    result = self.perform_request('POST', 'analysis', args)
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunk_ta_nessus\security_center.py", line 132, in perform_request
    result = json.loads(content)
  File "C:\Program Files\Splunk\Python-2.7\Lib\json\__init__.py", line 339, in loads
    return _default_decoder.decode(s)
  File "C:\Program Files\Splunk\Python-2.7\Lib\json\decoder.py", line 364, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "C:\Program Files\Splunk\Python-2.7\Lib\json\decoder.py", line 382, in raw_decode
    raise ValueError("No JSON object could be decoded")
ValueError: No JSON object could be decoded

Any ideas?

Edit: Never mind, I decreased the batch size to 5,000 and got rid of this error. I still don't have any data coming in, but no more errors in the tenable log, so we'll let it sit over the weekend to see if it generates anything to ingest 🙂

0 Karma
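The accepted answer and the follow-up above describe two separate failure modes a SecurityCenter collector has to tell apart: a 403 whose body is valid JSON carrying error_code 163 (the service account holds the Administrator role, which cannot read scan results), and a ValueError because the server answered a large analysis batch with a body that is not JSON at all. The following is an added example, not code from the Splunk Add-on for Nessus or from anyone in this thread. It classifies both conditions and halves the batch window when the body is not JSON, which is the workaround the poster found by hand. The response envelope shape (error_code, error_msg, response), the analysis query fields, the fake server and its 5,000-row ceiling are all constructed assumptions for the illustration; the traceback on the page only establishes that the add-on POSTs to the analysis endpoint and raises on status/error_code/error_msg.

```python
"""Constructed example: classify SecurityCenter API responses and shrink the
analysis batch when the server stops returning JSON (Python 3)."""
import json

# Assumed: the error code SecurityCenter returns for the 403 quoted in the thread.
ERR_ADMIN_CANNOT_MANAGE_SCAN_RESULTS = 163


class APIError(Exception):
    """JSON envelope came back but status or error_code signals failure."""
    def __init__(self, status, error_code, error_msg):
        super().__init__(f"status={status}, error_code={error_code}, error_msg={error_msg}")
        self.status = status
        self.error_code = error_code
        self.error_msg = error_msg


class NonJSONResponse(Exception):
    """Body was not JSON (proxy error page, empty reply, truncated stream)."""


def parse_sc_response(status, body):
    """Return the 'response' payload or raise a typed error.

    Assumed envelope: {"error_code": 0, "error_msg": "", "response": ...}.
    The json.loads failure is turned into NonJSONResponse instead of a bare
    ValueError so the caller can react (retry with a smaller window) rather
    than crash the whole collection run.
    """
    try:
        result = json.loads(body)
    except ValueError:
        raise NonJSONResponse(
            f"status={status}, non-JSON body of {len(body)} bytes: {body[:60]!r}")
    if status != 200 or result.get("error_code", 0) != 0:
        raise APIError(status, result.get("error_code"), result.get("error_msg", ""))
    return result.get("response")


def is_role_problem(err):
    """True for the exact 403 the poster hit: an Administrator account querying scan results."""
    return (isinstance(err, APIError) and err.status == 403
            and err.error_code == ERR_ADMIN_CANNOT_MANAGE_SCAN_RESULTS)


def fetch_vulns(post, scan_id, total, batch_size, min_batch=500):
    """Pull vulnerability rows in [startOffset, endOffset) windows.

    `post(endpoint, args)` must return (http_status, body_text). On a non-JSON
    body the window is halved and the same offset retried; below `min_batch`
    the error propagates because shrinking further is unlikely to help.
    """
    offset, results = 0, []
    while offset < total:
        end = min(offset + batch_size, total)
        # Assumed query shape for the analysis endpoint; only the offsets matter here.
        args = {"type": "vuln", "sourceType": "individual", "scanID": scan_id,
                "query": {"startOffset": offset, "endOffset": end}}
        status, body = post("analysis", args)
        try:
            page = parse_sc_response(status, body)
        except NonJSONResponse:
            if batch_size <= min_batch:
                raise
            batch_size = max(min_batch, batch_size // 2)
            continue
        results.extend(page["results"])
        offset = end
    return results, batch_size


def run_collection(post, scan_id, total, batch_size):
    """Wrap fetch_vulns so callers get a status tuple instead of an exception."""
    try:
        rows, final_batch = fetch_vulns(post, scan_id, total, batch_size)
    except APIError as e:
        return ("role_error" if is_role_problem(e) else "api_error", str(e), None)
    except NonJSONResponse as e:
        return ("non_json", str(e), None)
    return ("ok", len(rows), final_batch)


def make_fake_server(role, total=12000, max_window=5000):
    """Constructed stand-in for SecurityCenter: rejects Administrators with the
    thread's 403, and answers windows larger than max_window with an HTML
    proxy-error page instead of JSON."""
    def post(endpoint, args):
        if role == "Administrator":
            return 403, json.dumps({"error_code": 163,
                                    "error_msg": "Administrators may not manage Scan Results.\n",
                                    "response": None})
        q = args["query"]
        if q["endOffset"] - q["startOffset"] > max_window:
            return 502, "<html><body><h1>Proxy Error</h1></body></html>"
        rows = [{"pluginID": str(i)} for i in range(q["startOffset"], min(q["endOffset"], total))]
        return 200, json.dumps({"error_code": 0, "error_msg": "", "response": {"results": rows}})
    return post


if __name__ == "__main__":
    print(run_collection(make_fake_server("Administrator"), 1, 12000, 10000))
    print(run_collection(make_fake_server("Security Manager"), 1, 12000, 10000))
```

Against a real SecurityCenter you would replace `post` with an authenticated HTTP POST to the analysis endpoint; the point of the structure is that a role error is reported once and stops the run, while a non-JSON body is treated as a window-size problem and retried, so the checkpoint logic never sees a raw ValueError.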

naqviah
Explorer

Did this change ever work to get the logs to be ingested by Splunk?

0 Karma