Splunk Add-on for Nessus: Why am I unable to pull Nessus data after configuring the API key? "ParseError: not well-formed (invalid token)"

tungntran
Explorer

Hi,

I installed Splunk Add-on for Nessus on a search head and configured the API key for Nessus, but I'm not seeing any data. Running the debug I get the following:

2015-12-21 14:32:24,525 ERROR pid=2708 tid=MainThread file=nessus.py:get_nessus_modinput_configs:157 | Traceback (most recent call last):
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\nessus.py", line 135, in get_nessus_modinput_configs
    config.remove_expired_credentials()
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\nessus_config.py", line 142, in remove_expired_credentials
    creds = self._get_raw_stanza(stanza_type="cred", check_exist=False)
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\nessus_config.py", line 262, in _get_raw_stanza
    stanza = self.cred_mgr.get_clear_password(stanza_name)
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunktalib\credentials.py", line 159, in get_clear_password
    return self._get_credentials("clear_password", name)
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunktalib\credentials.py", line 179, in _get_credentials
    passwords = xdp.parse_conf_xml_dom(content)
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunktalib\common\xml_dom_parser.py", line 19, in parse_conf_xml_dom
    xml_conf = et.fromstring(xml_content)
  File "<string>", line 124, in XML
ParseError: not well-formed (invalid token): line 32, column 38

Any help is appreciated.

-Thanks

0 Karma
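The traceback above ends with `et.fromstring()` rejecting one character at a reported line and column. The following is an added example, not code from the original post or from the add-on: it finds every character that XML 1.0 forbids in a document and reports only positions and code points, so no credential text is echoed into logs or a support ticket. The function names and the sample document are constructed for illustration; the content the add-on actually received is not shown in the thread.

```python
import re
import xml.etree.ElementTree as et

# Code points XML 1.0 forbids: control characters other than tab, LF and CR,
# plus U+FFFE and U+FFFF.
XML10_ILLEGAL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\ufffe\uffff]")


def first_parse_error(xml_text):
    """Return (line, column) where the parser stops, or None if the text parses."""
    try:
        et.fromstring(xml_text)
    except et.ParseError as exc:
        return exc.position  # line is 1-based, column is 0-based
    return None


def illegal_characters(xml_text):
    """List (line, column, 'U+XXXX') for every XML 1.0-illegal character.

    Only positions and code points are returned; the surrounding text,
    which may hold a clear-text secret, is never included.
    """
    found = []
    for line_no, line in enumerate(xml_text.split("\n"), start=1):
        for match in XML10_ILLEGAL.finditer(line):
            found.append((line_no, match.start(), "U+%04X" % ord(match.group())))
    return found


# Constructed sample, not real add-on output: a credential-style document
# whose value contains two control characters.
SAMPLE = (
    "<entry>\n"
    "  <title>nessus_cred</title>\n"
    '  <key name="clear_password">ab\x08cd\x1fef</key>\n'
    "</entry>\n"
)

if __name__ == "__main__":
    print("parser stops at:", first_parse_error(SAMPLE))
    for hit in illegal_characters(SAMPLE):
        print("illegal character:", hit)
```

The parser reports only the first rejected character, while the scan lists all of them, which shows whether a single stray byte or a whole corrupted value is involved.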

marcellomotta
New Member

Same error for me with Splunk_TA_Nessus version 4.0 on a search head with Enterprise Security app version 4.

Please can you help us?
Thank you

0 Karma

marcellomotta
New Member

I have managed to resolve this by configuring the deploy server to not deploy the same access_key and secret_key on the clients but only the application/configuration.
Following that, the keys have been updated manually on all the clients.

Thank you very much

0 Karma

jcoates_splunk
Splunk Employee

This looks like it needs more than casual attention to troubleshoot. Can someone in this thread please open a support ticket so we can diagnose?

sprooit
Observer

I'm receiving the same error. A ticket has been opened.

0 Karma

piebob
Splunk Employee

Please come back and post a workaround or solution when one is available.

0 Karma

Richfez
SplunkTrust

Can you make sure the two keys are both surrounded by single quotes?

0 Karma

Admiral_Marith
Explorer

We are seeing this in Linux Splunk also. Interesting thing: I can take the entirety of Splunk_TA_nessus in /opt/splunk/etc/apps on the search head it's failing on to another search head, restart Splunk, and it works on two other search heads.

The only difference being that one search head has the Enterprise Security app on it, and the others do not.

This is the 4.0.0 version exhibiting the behavior for us. Our Splunk level is 6.2.5 and correspondingly supported Enterprise Security app version 3.31.

We've examined permissions between the working and not working deployments and nothing is obvious.

We'd like this on the same SH as Enterprise Security if possible.

Adding my voice to this in hopes that the above information helps connect some dots.

0 Karma

tungntran
Explorer

Thanks for responding. Adding the single quote didn't help. I'm getting the same error.

0 Karma