All Apps and Add-ons

Splunk Add-on for Tenable: The add-on is attempting to connect to the Security Center and locking

R_B
Path Finder

Hey everyone! I've been following the documentation for setting up the add-on for tenable. I'm going with the route to have Splunk connect to Security Center and pull in data from there. I set up the Configuration and Input in the app just like the documentation said to do. I am able to take the (Security Center) IP address, username, and password that I configured for Splunk in the add-on and go directly to the the IP address and log in manually. However, whenever the add-on attempts to connect to the Security Center with the same exact information that I used to manually connect and log into Security Center, it does not work.

I looked at the logs by running this and similar searches (which was stated in the "Troubleshooting" section of the documentation): index=_internal sourcetype=tenable* *error*. What I have found is that every 60 seconds, Splunk (using the Tenable add-on) will try to connect to the Security Center (using the information I configured it with). After about 10 - 20 attempts at connecting, the Security Center account will get locked out (for having incorrect log in attempts), and then every minute after the account gets locked out there is a new entry in the logs saying error the account is locked.

The first time this happened I gave the add-on the benefit of the doubt and said maybe it was just user error when I entered the credentials. However, I made sure that I was entering the credentials EXACTLY how they should be the second time, and saved the changes. I then unlocked the account, and the same thing happened — Splunk (using the add-on) attempted to connect to Security Center and locked the account out with incorrect log in attempts.

I have no idea how this is happening, so I was hoping someone here could help me figure this out. Any help would be greatly appreciated!

0 Karma
1 Solution

DavidHourani
Super Champion

Hi R_B,

Does the account you are using have the permission to pull data. It could be that you are using a valid account that doesn't have the read permissions.

Also check the troubleshooting section of the docs :
http://docs.splunk.com/Documentation/AddOns/released/Nessus/Troubleshoot

Regards,
David

View solution in original post

DavidHourani
Super Champion

Hi R_B,

Does the account you are using have the permission to pull data. It could be that you are using a valid account that doesn't have the read permissions.

Also check the troubleshooting section of the docs :
http://docs.splunk.com/Documentation/AddOns/released/Nessus/Troubleshoot

Regards,
David

R_B
Path Finder

To everyone that replied to this: sorry for this very delayed response and thank you all for helping out! I got this working a few weeks ago. If I am remembering correctly, I do believe it was a problem with the account permissions. We reviewed the account that we were using for Security Center, and using the Splunk doc we made sure everything was set up as needed. Then after that it started working without any problems.

Thanks again!

0 Karma

Yunagi
Communicator

That sounds very strange. What is the exact error message when you search for index=_internal sourcetype="tenable:sc:log"?
Maybe it's a permission issue. Can you try with a different user? (Perhaps create a new user in Security Center with the "Security Analyst" or "Vulnerability Analyst" role.)

nickhills
Ultra Champion

This does sound odd.
Can you see any events in the SC System Logs?

One gotcha (ask me how I know) is that if you have more than one server configured with the TA you can get into all kinds of hurt!

If my comment helps, please give it a thumbs up!

nickhills
Ultra Champion

Hi, Did you find anything in the SC Sysetm Logs?

If my comment helps, please give it a thumbs up!
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...