Hi,
I installed Splunk Add-on for Nessus on a search head and configured the API key for Nessus, but I'm not seeing any data. Running the debug I get the following:
2015-12-21 14:32:24,525 ERROR pid=2708 tid=MainThread file=nessus.py:get_nessus_modinput_configs:157 | Traceback (most recent call last):
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\nessus.py", line 135, in get_nessus_modinput_configs
    config.remove_expired_credentials()
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\nessus_config.py", line 142, in remove_expired_credentials
    creds = self._get_raw_stanza(stanza_type="cred", check_exist=False)
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\nessus_config.py", line 262, in _get_raw_stanza
    stanza = self.cred_mgr.get_clear_password(stanza_name)
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunktalib\credentials.py", line 159, in get_clear_password
    return self._get_credentials("clear_password", name)
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunktalib\credentials.py", line 179, in _get_credentials
    passwords = xdp.parse_conf_xml_dom(content)
  File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunktalib\common\xml_dom_parser.py", line 19, in parse_conf_xml_dom
    xml_conf = et.fromstring(xml_content)
  File "<string>", line 124, in XML
ParseError: not well-formed (invalid token): line 32, column 38
Any help is appreciated.
-Thanks
Same error for me with Splunk_TA_Nessus version 4.0 on a search head with Enterprise Security app version 4.
Please can you help us?
Thank you
I have managed to resolve it by configuring the deploy server to not deploy the same access_key and secret_key on the clients, but only the application/configuration.
Following that, the keys were updated manually on all the clients.
Thank you very much
This looks like it needs more than casual attention to troubleshoot. Can someone in this thread please open a support ticket so we can diagnose?
I'm receiving the same error. A ticket has been opened.
Please come back and post a workaround or solution when one is available.
Can you make sure the two keys are both surrounded by single quotes?
We are seeing this in Linux Splunk also. Interesting thing: I can take the entirety of Splunk_TA_nessus in /opt/splunk/etc/apps on the search head it's failing on to another search head, restart Splunk, and it works on two other search heads.
The only difference being that one search head has the Enterprise Security app on it, and the others do not.
This is the 4.0.0 version exhibiting the behavior for us. Our Splunk level is 6.2.5 and correspondingly supported Enterprise Security app version 3.31.
We've examined permissions between the working and not working deployments and nothing is obvious.
We'd like this on the same SH as Enterprise Security if possible.
Adding my voice to this in hopes that the above information helps connect some dots.
Thanks for responding. Adding the single quote didn't help; I'm getting the same error.