Splunk Add-on for Tenable: Why do I receive "Unable to process Vuln Query" error message?

Blu3fish
Path Finder

Using v5.1.1 of the Splunk Add-on for Tenable (https://splunkbase.splunk.com/app/1710/) to pull scan results from Security Center (5.4.4). I'm receiving the occasional scan result but not all scan results and am seeing the following log repeated over and over in index=_internal sourcetype=tenable:sc:log:

2017-03-08 15:51:57,258 +0000 log_level=WARNING, pid=20668, tid=Thread-5, file=ta_tenable_sc_data_collector.py, func_name=_pre_process_ckpt, code_line_no=284 | [stanza_name="securitycenterserver" data="sc_vulnerability" server="securitycenterserver"] error_msg=Unable to process Vuln Query.
SecurityCenter could not process the vulnerability filter string (SC_ROOT=/opt/sc /opt/sc/bin/showvulns-individual  +orgid "1" +groupid "0" +tool 'listvuln' +datedir "2017-03-08" +scanid '1234' +view 'all' +startoffset '0' +endoffset '0' +repository "1"  -acceptRisk).
11^list^0^0^-1

The scanid does change per event which accurately reflects the scanids from security center that aren't being ingested.
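To see exactly which scans are being dropped, the add-on's own log is enough: the scan ID is embedded in the quoted showvulns-individual command on the second line of each warning. The following is an added example and not code from the post or from the Splunk Add-on for Tenable; the log path in the usage comment is an assumption, and the sample log it runs against is constructed to mirror the warning quoted above.

```bash
#!/bin/bash
# Added example, not part of the original post: list the SecurityCenter scan IDs
# that the Splunk Add-on for Tenable failed to fetch, by reading the add-on's own
# log (the same entries that appear under sourcetype=tenable:sc:log). The log
# path in the usage comment is an assumption; the sample log below is constructed.

failing_scanids() {
  # $1: path to the add-on log. The scan ID sits on the second line of the
  # warning, inside the quoted showvulns-individual command, as +scanid 'N'.
  # Prints each failing scan ID once, in numeric order.
  grep -o "+scanid '[0-9]*'" "$1" | sed "s/.*'\([0-9]*\)'/\1/" | sort -n -u
}

failing_scanid_count() {
  # Number of distinct scan IDs that failed, for a quick health check.
  failing_scanids "$1" | wc -l | tr -d ' '
}

# Constructed sample log modelled on the warning quoted in the question:
# scan 1234 fails on two consecutive collection runs, 2275 once, and a made-up
# INFO line (format invented for this example) shows that successful pulls
# are not picked up.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2017-03-08 15:51:57,258 +0000 log_level=WARNING, pid=20668, tid=Thread-5, file=ta_tenable_sc_data_collector.py, func_name=_pre_process_ckpt, code_line_no=284 | [stanza_name="securitycenterserver" data="sc_vulnerability" server="securitycenterserver"] error_msg=Unable to process Vuln Query.
SecurityCenter could not process the vulnerability filter string (SC_ROOT=/opt/sc /opt/sc/bin/showvulns-individual  +orgid "1" +groupid "0" +tool 'listvuln' +datedir "2017-03-08" +scanid '1234' +view 'all' +startoffset '0' +endoffset '0' +repository "1"  -acceptRisk).
11^list^0^0^-1
2017-03-08 15:52:03,101 +0000 log_level=INFO, pid=20668, tid=Thread-5, file=ta_tenable_sc_data_collector.py, func_name=_pre_process_ckpt, code_line_no=290 | [stanza_name="securitycenterserver" data="sc_vulnerability" server="securitycenterserver"] (constructed) scan 1200 collected
2017-03-08 15:56:57,914 +0000 log_level=WARNING, pid=20668, tid=Thread-5, file=ta_tenable_sc_data_collector.py, func_name=_pre_process_ckpt, code_line_no=284 | [stanza_name="securitycenterserver" data="sc_vulnerability" server="securitycenterserver"] error_msg=Unable to process Vuln Query.
SecurityCenter could not process the vulnerability filter string (SC_ROOT=/opt/sc /opt/sc/bin/showvulns-individual  +orgid "1" +groupid "0" +tool 'listvuln' +datedir "2017-03-08" +scanid '1234' +view 'all' +startoffset '0' +endoffset '0' +repository "1"  -acceptRisk).
11^list^0^0^-1
2017-03-08 16:01:58,402 +0000 log_level=WARNING, pid=20668, tid=Thread-5, file=ta_tenable_sc_data_collector.py, func_name=_pre_process_ckpt, code_line_no=284 | [stanza_name="securitycenterserver" data="sc_vulnerability" server="securitycenterserver"] error_msg=Unable to process Vuln Query.
SecurityCenter could not process the vulnerability filter string (SC_ROOT=/opt/sc /opt/sc/bin/showvulns-individual  +orgid "1" +groupid "0" +tool 'listvuln' +datedir "2017-03-08" +scanid '2275' +view 'all' +startoffset '0' +endoffset '0' +repository "1"  -acceptRisk).
11^list^0^0^-1
EOF

# Dry run against the constructed sample; on a real heavy forwarder point it at
# the add-on log instead, e.g. (path assumed):
#   failing_scanids "$SPLUNK_HOME/var/log/splunk/ta_tenable_sc_data_collector.log"
failing_scanids "$SAMPLE_LOG"
```

Comparing that list against the scan IDs visible in SecurityCenter tells you whether the gaps in Splunk line up with the warnings, which is the check the poster did by hand.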

1 Solution

Blu3fish
Path Finder

Worked with Tenable support on another issue (frequent timeouts when using the UI) and they had me adjust the "max_execution_time" value in /opt/sc/support/etc/php.ini:

# Backup the PHP file:
$ cp /opt/sc/support/etc/php.ini /opt/sc/support/etc/php.ini.bk

# Edit the PHP.ini file
$ vi /opt/sc/support/etc/php.ini

Scroll down to the max_execution_time setting and double/triple the value that is in there. The default is 30s so I increased mine to 90s. Save the file then restart SecurityCenter.

Since this change I've been able to pull all scan results into Splunk.

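The same change as a repeatable script, so the backup, the edit and the verification happen together rather than by hand in vi. This is an added example and not code from the post or from Tenable: the php.ini path is the one given in the answer, the restart command "service SecurityCenter restart" is an assumption (the answer only says to restart SecurityCenter), and the php.ini fragment used for the dry run is constructed.

```bash
#!/bin/bash
# Added example, not from the original post or from Tenable: apply the
# max_execution_time change from the accepted answer with a dated backup and a
# verification step. Assumptions: /opt/sc/support/etc/php.ini is the path given
# in the post; "service SecurityCenter restart" is assumed to be the restart
# command; the php.ini fragment below is constructed for a dry run.

set -eu

get_max_execution_time() {
  # $1: path to php.ini. Prints the value of the active (uncommented)
  # max_execution_time line, or nothing if there is none.
  sed -n 's/^[[:space:]]*max_execution_time[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

set_max_execution_time() {
  # $1: path to php.ini; $2: new timeout in seconds.
  # Takes a timestamped backup, rewrites only the active setting line (a
  # commented ";max_execution_time" example is left alone), then re-reads the
  # file and fails if the value did not take, so a caller never restarts the
  # service on a bad edit.
  ini="$1"; secs="$2"
  case "$secs" in
    ''|*[!0-9]*) echo "timeout must be an integer number of seconds" >&2; return 2 ;;
  esac
  cp -p "$ini" "$ini.bk.$(date +%Y%m%d%H%M%S)"
  sed -i.tmp "s/^[[:space:]]*max_execution_time[[:space:]]*=.*/max_execution_time = $secs/" "$ini"
  rm -f "$ini.tmp"
  [ "$(get_max_execution_time "$ini")" = "$secs" ]
}

# Constructed php.ini fragment standing in for /opt/sc/support/etc/php.ini so
# the functions can be exercised without touching a SecurityCenter host.
DEMO_INI="$(mktemp)"
trap 'rm -f "$DEMO_INI" "$DEMO_INI".*' EXIT
cat > "$DEMO_INI" <<'EOF'
; Maximum execution time of each script, in seconds
; http://php.net/max-execution-time
;max_execution_time = 300
max_execution_time = 30
memory_limit = 128M
EOF

echo "before: $(get_max_execution_time "$DEMO_INI")s"
set_max_execution_time "$DEMO_INI" 90
echo "after:  $(get_max_execution_time "$DEMO_INI")s"

# Real run on the SecurityCenter host, as root (restart command assumed):
#   set_max_execution_time /opt/sc/support/etc/php.ini 90 && service SecurityCenter restart
```

Raising the PHP limit only widens the window in which showvulns-individual may finish; if a large scan still exceeds the new value, the same warning returns for that scan ID and the number needs to go up again, which is why the answer suggests doubling or tripling rather than a fixed figure.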

shirishkamat84
Path Finder

Did anyone find a fix for this issue? I am having the same exact error message

hozhang_splunk
Splunk Employee

This seems to be an issue on Tenable's side.
https://community.tenable.com/thread/9403

hozhang_splunk
Splunk Employee

Seems the log pasted is broken, would you please provide the raw logs?

lamars79
New Member

I am having this same problem too. Has anyone been able to figure this out?

Blu3fish
Path Finder

2017-03-08 15:51:57,258 +0000 log_level=WARNING, pid=20668, tid=Thread-5, file=ta_tenable_sc_data_collector.py, func_name=_pre_process_ckpt, code_line_no=284 | [stanza_name="securitycenterserver" data="sc_vulnerability" server="securitycenterserver"] error_msg=Unable to process Vuln Query.
SecurityCenter could not process the vulnerability filter string (SC_ROOT=/opt/sc /opt/sc/bin/showvulns-individual +orgid "1" +groupid "0" +tool 'listvuln' +datedir "2017-03-08" +scanid '2275' +view 'all' +startoffset '0' +endoffset '0' +repository "1" -acceptRisk).
11^list^0^0^-1
