
Why does the Splunk Add-on for Tenable stop ingesting data randomly?

jclehmuth
Path Finder

I've searched through the answers and most suggestions are to disable and then enable the input or change the Start Time; some have even re-installed the app. For a while, I only had to open the input in the GUI, which resets it, and that would work to get the data coming in again. Yesterday, when I restarted Splunk for another reason, data started to come in again. I've tried everything but reinstalling the add-on this morning with no luck. I am running 5.1.2 for the add-on and my Splunk version is 7.0.1.

Here is the error I'm getting. I have double-checked the user name and password, both of which have not been changed on Nessus/Security Center and in the Splunk configuration.

2018-02-15 14:01:33,278 +0000 log_level=ERROR, pid=338, tid=Thread-4, file=ta_data_collector.py, func_name=index_data, code_line_no=118 | [stanza_name="Vulnerability" data="sc_vulnerability" server="SecuirtyCenter"] Failed to index data
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_data_collector.py", line 115, in index_data
    self._do_safe_index()
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_data_collector.py", line 148, in _do_safe_index
    self._client = self._create_data_client()
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_data_collector.py", line 95, in _create_data_client
    self._checkpoint_manager)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_data_client.py", line 55, in __init__
    self._ckpt)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/ta_tenable_sc_data_collector.py", line 18, in do_job_one_time
    return _do_job_one_time(all_conf_contents, task_config, ckpt)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/ta_tenable_sc_data_collector.py", line 53, in _do_job_one_time
    logger_prefix=logger_prefix)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/security_center.py", line 219, in get_security_center
    sc.login(username, password)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/security_center.py", line 46, in login
    self._token = str(result['token'])
KeyError: 'token'

nickhills
Ultra Champion

This is not the same issue being reported in all the other threads.
In my case, (and a few people have yelled 'me too') the issue is that collection stops with no apparent error:
https://answers.splunk.com/answers/583400/splunk-add-on-for-tenable-stalls-when-collecting-f.html

Your example seems quite different, in that you are seeing an issue with authentication:

    sc.login(username, password)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/security_center.py", line 46, in login
    self._token = str(result['token'])
KeyError: 'token'

I don't know what could cause this, but on the face of it your deployment is working correctly. Check the SC logs to see if there were any issues with the credentials you were using at that time. It also explains why in your env it could start working again, once the auth problem has cleared up.

If my comment helps, please give it a thumbs up!
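
The distinction drawn in the answer above can be checked mechanically. This is an added example, not part of the original thread or the add-on's code: it parses add-on log records in the format shown in the question and separates login failures ending in `KeyError: 'token'` from other records. The sample log is constructed from the question's excerpt; its INFO line and the label names are assumptions.

```python
import re

# Constructed sample: the ERROR record is shortened from the question; the INFO line is invented.
SAMPLE_LOG = """\
2018-02-15 14:01:33,278 +0000 log_level=ERROR, pid=338, tid=Thread-4, file=ta_data_collector.py, func_name=index_data, code_line_no=118 | [stanza_name="Vulnerability" data="sc_vulnerability" server="SecuirtyCenter"] Failed to index data
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/security_center.py", line 219, in get_security_center
    sc.login(username, password)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/security_center.py", line 46, in login
    self._token = str(result['token'])
KeyError: 'token'
2018-02-15 20:01:40,101 +0000 log_level=INFO, pid=338, tid=Thread-4, file=ta_data_collector.py, func_name=index_data, code_line_no=100 | [stanza_name="Vulnerability" data="sc_vulnerability" server="SecuirtyCenter"] Start indexing data
"""

HEADER = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3} [+-]\d{4}) log_level=(?P<level>\w+),'
    r'.*?\| \[stanza_name="(?P<stanza>[^"]*)" data="(?P<data>[^"]*)" server="(?P<server>[^"]*)"\] (?P<msg>.*)$')
FRAME = re.compile(r'^\s*File "(?P<path>[^"]+)", line (?P<line>\d+), in (?P<func>\S+)')

def parse_records(text):
    """Group each header line with the traceback lines that follow it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({**m.groupdict(), "frames": [], "exception": None})
        elif records:
            f = FRAME.match(line)
            if f:
                records[-1]["frames"].append((f["path"].rsplit("/", 1)[-1], f["func"]))
            elif line and not line[0].isspace() and not line.startswith("Traceback"):
                # Keep overwriting: the last unindented line is the exception itself.
                records[-1]["exception"] = line.strip()
    return records

def classify(rec):
    """Label a record as 'ok', 'auth_failure' or 'other_error'."""
    if rec["level"] != "ERROR":
        return "ok"
    last = rec["frames"][-1] if rec["frames"] else None
    if last == ("security_center.py", "login") and rec["exception"] == "KeyError: 'token'":
        return "auth_failure"
    return "other_error"

def auth_failures(text):
    """Return (timestamp, stanza, server) for every login failure in the log text."""
    return [(r["ts"], r["stanza"], r["server"]) for r in parse_records(text) if classify(r) == "auth_failure"]
```

Lining up the returned timestamps with the Security Center logs for the same period shows whether each gap in ingestion coincides with a rejected login.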

jclehmuth
Path Finder

I haven't had the issue in a while; however, if it is an authentication issue, we have an idea of what the problem may be. Our Security Center drops connection to AD on occasion; we have a ticket open with Tenable to help resolve the issue.
Thanks for pointing that out.

0 Karma

jclehmuth
Path Finder

This add-on is really frustrating...
I came in this morning and it is working again. The majority of our scans run at night, so my usual setting to check for data is about every six hours. I went to adjust the check for data setting, then I went to monitor the sourcetype for updates. The last logs came in at 0100; I have no idea what is going on with this add-on.

0 Karma