Splunk Add-on for Tenable: Why has Splunk stopped ingesting an API modular input for security center vulnerability management scans?

mmohiuddin1512
Explorer

Hi All:
I am getting the following error, in which Splunk is unable to pull data (scans) from a security center. Splunk Add-on for Tenable is being utilized to pull the management scans. We have 8 security center servers, and Splunk successfully pulls scan data from all 7 of the other security center servers, apart from this 8th security server. It has been one and a half months since log ingestion stopped. We are pulling a lot of scan data which Splunk doesn't seem to ingest. The application contact has been able to verify that they are receiving API logins from the Splunk account. This verifies that Splunk is trying to pull the management scan data but is unable to do so.

Verified the permissions for the Splunk account. Permissions look good. The Splunk account is provided the Security Manager, Security Analyst and Vulnerability Analyst roles to get the scan results.

In the Splunk internal logs, I see the following errors:

2017-05-19 18:53:46,264 +0000 log_level=ERROR, pid=11116, tid=Thread-5, file=ta_data_collector.py, func_name=_do_safe_index, code_line_no=161 | [stanza_name="SecurityCenterInputs07" data="sc_vulnerability" server="SecurityCenter07"] Failed to get msg
Traceback (most recent call last):
  File "/oap/poap/a00/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_data_collector.py", line 151, in _do_safe_index
    events, ckpt = self._client.get()
  File "/oap/poap/a00/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_data_client.py", line 74, in get
    return self._gen.send(self.is_stopped())
  File "/oap/poap/a00/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/ta_tenable_sc_data_collector.py", line 188, in _process_sc_vulnerability
    del scan_results[scan_id]
KeyError: u'102

[stanza_name="SecurityCenterInputs07" data="sc_vulnerability" server="SecurityCenter07"] error_msg=Error getting Scan Result #102 for User #10 in Organization #1.
Scan Result #102 does not exist. 
The object "102" is missing

Please help me out in troubleshooting this matter.

Thanks,

Obaid
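
Added example, not part of the original post and not the add-on's own code: a Python sketch that scans add-on log text for the failure quoted above and reports, per input stanza, how many errors were logged and which Scan Result ids were reported missing. The log lines are constructed to mirror the format in the post, and the names `failing_inputs`, `HEADER`, `CTX_FIELD` and `SCAN_ID` are hypothetical.

```python
import re
from collections import defaultdict

# Assumed layout, taken from the log line quoted in the post: "<ts>,<ms> <tz> log_level=X, ... | [k="v" ...] msg"
HEADER = re.compile(r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ \S+ log_level=(?P<level>\w+),'
                    r'.*?\| \[(?P<ctx>[^\]]*)\] ?(?P<msg>.*)$')
CTX_FIELD = re.compile(r'(\w+)="([^"]*)"')
SCAN_ID = re.compile(r'Scan Result #(\d+)')

# Constructed sample lines (not real logs), modelled on the lines in the post.
SAMPLE_LOG = """\
2017-05-19 18:53:46,264 +0000 log_level=ERROR, pid=11116, tid=Thread-5, file=ta_data_collector.py | [stanza_name="SecurityCenterInputs07" data="sc_vulnerability" server="SecurityCenter07"] Failed to get msg
Traceback (most recent call last):
KeyError: u'102'
2017-05-19 18:53:46,301 +0000 log_level=ERROR, pid=11116, tid=Thread-5, file=ta_data_collector.py | [stanza_name="SecurityCenterInputs07" data="sc_vulnerability" server="SecurityCenter07"] error_msg=Error getting Scan Result #102 for User #10 in Organization #1.
Scan Result #102 does not exist.
2017-05-19 18:54:02,010 +0000 log_level=INFO, pid=11116, tid=Thread-2, file=ta_data_collector.py | [stanza_name="SecurityCenterInputs03" data="sc_vulnerability" server="SecurityCenter03"] collection finished
2017-05-19 19:53:46,264 +0000 log_level=ERROR, pid=11116, tid=Thread-5, file=ta_data_collector.py | [stanza_name="SecurityCenterInputs07" data="sc_vulnerability" server="SecurityCenter07"] error_msg=Error getting Scan Result #102 for User #10 in Organization #1.
"""

def failing_inputs(log_text):
    """Map (stanza_name, server) -> error count, missing scan ids, last error time."""
    report = defaultdict(lambda: {"errors": 0, "missing_scans": set(), "last_error": None})
    current = None  # entry that headerless continuation lines (tracebacks) belong to
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            ctx = dict(CTX_FIELD.findall(m["ctx"]))
            if m["level"] != "ERROR" or "stanza_name" not in ctx:
                current = None  # ignore this record and anything continuing it
                continue
            current = report[(ctx["stanza_name"], ctx.get("server", "?"))]
            current["errors"] += 1
            current["last_error"] = m["ts"]
            text = m["msg"]
        elif current is not None:
            text = line  # continuation of the preceding ERROR record
        else:
            continue
        current["missing_scans"].update(int(n) for n in SCAN_ID.findall(text))
    return {k: {**v, "missing_scans": sorted(v["missing_scans"])} for k, v in report.items()}

if __name__ == "__main__":
    for (stanza, server), info in failing_inputs(SAMPLE_LOG).items():
        print(stanza, server, info)
```

An input that keeps logging the same missing scan id across collection intervals, as the constructed stanza does here, matches the stalled behaviour described in the post.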

the0duke0
Path Finder

We have found that every so often (1-2 months) we stop getting data from Security Center via the Nessus app. I haven't found the root cause, but I have found that if you change the Start Time in the Splunk_TA_nessus inputs for Security Center, it will start working again.

robjackson
Path Finder

We have the same issue, and change the start date to get it working. We also have the same issue with IP360 data being collected with DBConnect.

krishanp
Explorer

We have been having the same issue as well and resetting the checkpoint (Start Time) is the current fix we've been using as well. If anyone has any insight into this issue, it would be much appreciated.


mmohiuddin1512
Explorer

There is a newer version of Splunk TA nessus, version 5.1.2, that addresses most of the issues and bug fixes. We have implemented the newer version in our environment and we no longer get errors on missing scan ids.
