Using v5.1.1 of the Splunk Add-on for Tenable (https://splunkbase.splunk.com/app/1710/) to pull scan results from Security Center (5.4.4). I'm receiving the occasional scan result but not all scan results and am seeing the following log repeated over and over in index=_internal sourcetype=tenable:sc:log:
2017-03-08 15:51:57,258 +0000 log_level=WARNING, pid=20668, tid=Thread-5, file=ta_tenable_sc_data_collector.py, func_name=_pre_process_ckpt, code_line_no=284 | [stanza_name="securitycenterserver" data="sc_vulnerability" server="securitycenterserver"] error_msg=Unable to process Vuln Query.
SecurityCenter could not process the vulnerability filter string (SC_ROOT=/opt/sc /opt/sc/bin/showvulns-individual +orgid "1" +groupid "0" +tool 'listvuln' +datedir "2017-03-08" +scanid '1234' +view 'all' +startoffset '0' +endoffset '0' +repository "1" -acceptRisk).
11^list^0^0^-1
The scanid does change per event, which accurately reflects the scanids from Security Center that aren't being ingested.
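Since the warning repeats once per failing scan, the distinct scanids in those log lines are the list of scans that never reached Splunk. The following is an added example, not part of the original question, that extracts that list from the raw `tenable:sc:log` text; the sample log below is constructed to match the format quoted above.

```shell
#!/bin/sh
# Added example: collect the distinct scanids named in the repeated
# "Unable to process Vuln Query" warnings so they can be compared against
# the scans that did get indexed. Input is the raw log text on stdin.

failed_scanids() {
  # Keep only the +scanid 'NNNN' token of each filter string, strip everything
  # but the digits, and print each id once in numeric order.
  grep -o "+scanid '[0-9]*'" | tr -cd '0-9\n' | sort -nu
}

# Constructed sample log: the warning for scan 1234 repeats, so there are
# two distinct failing scans (1234 and 2275), not three.
SAMPLE_LOG="$(cat <<'EOF'
2017-03-08 15:51:57,258 +0000 log_level=WARNING, pid=20668, tid=Thread-5, file=ta_tenable_sc_data_collector.py, func_name=_pre_process_ckpt, code_line_no=284 | [stanza_name="securitycenterserver" data="sc_vulnerability" server="securitycenterserver"] error_msg=Unable to process Vuln Query.
SecurityCenter could not process the vulnerability filter string (SC_ROOT=/opt/sc /opt/sc/bin/showvulns-individual +orgid "1" +groupid "0" +tool 'listvuln' +datedir "2017-03-08" +scanid '1234' +view 'all' +startoffset '0' +endoffset '0' +repository "1" -acceptRisk).
11^list^0^0^-1
2017-03-08 15:52:12,101 +0000 log_level=WARNING, pid=20668, tid=Thread-5, file=ta_tenable_sc_data_collector.py, func_name=_pre_process_ckpt, code_line_no=284 | [stanza_name="securitycenterserver" data="sc_vulnerability" server="securitycenterserver"] error_msg=Unable to process Vuln Query.
SecurityCenter could not process the vulnerability filter string (SC_ROOT=/opt/sc /opt/sc/bin/showvulns-individual +orgid "1" +groupid "0" +tool 'listvuln' +datedir "2017-03-08" +scanid '2275' +view 'all' +startoffset '0' +endoffset '0' +repository "1" -acceptRisk).
11^list^0^0^-1
2017-03-08 15:52:30,417 +0000 log_level=WARNING, pid=20668, tid=Thread-5, file=ta_tenable_sc_data_collector.py, func_name=_pre_process_ckpt, code_line_no=284 | [stanza_name="securitycenterserver" data="sc_vulnerability" server="securitycenterserver"] error_msg=Unable to process Vuln Query.
SecurityCenter could not process the vulnerability filter string (SC_ROOT=/opt/sc /opt/sc/bin/showvulns-individual +orgid "1" +groupid "0" +tool 'listvuln' +datedir "2017-03-08" +scanid '1234' +view 'all' +startoffset '0' +endoffset '0' +repository "1" -acceptRisk).
11^list^0^0^-1
EOF
)"

# Usage: pipe the exported log text into the function.
printf '%s\n' "$SAMPLE_LOG" | failed_scanids
```

On a live system the same function can be fed the output of a Splunk export of `index=_internal sourcetype=tenable:sc:log error_msg="Unable to process Vuln Query"`; the resulting ids are the ones to look for in the `sc_vulnerability` input's data.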
Worked with Tenable support on another issue (frequent timeouts when using the UI) and they had me adjust the "max_execution_time" value in /opt/sc/support/etc/php.ini:
# Backup the PHP file:
$ cp /opt/sc/support/etc/php.ini /opt/sc/support/etc/php.ini.bk
# Edit the PHP.ini file
$ vi /opt/sc/support/etc/php.ini
Scroll down to the max_execution_time setting and double/triple the value that is in there. The default is 30s so I increased mine to 90s. Save the file then restart SecurityCenter.
Since this change I've been able to pull all scan results into Splunk.
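The php.ini edit described in this answer, scripted as an added example (these are not the poster's commands and not Tenable's tooling): the function takes the ini path and the new value as parameters, keeps the `.bk` backup the post makes, rewrites the existing `max_execution_time` line in place, and refuses a value of 0, which PHP treats as "no limit". The demo below runs against a constructed copy of a php.ini in a temporary directory rather than `/opt/sc/support/etc/php.ini`; the SecurityCenter restart the post calls for is not scripted here.

```shell
#!/bin/sh
# Added example: set max_execution_time in a php.ini-style file, with backup.
# Usage: set_max_execution_time /path/to/php.ini 90

set_max_execution_time() {
  ini="$1"
  secs="$2"
  # Only a positive integer is accepted: 0 would remove the limit entirely.
  case "$secs" in
    ''|*[!0-9]*|0) echo "max_execution_time must be a positive integer" >&2; return 1 ;;
  esac
  [ -f "$ini" ] || { echo "no such file: $ini" >&2; return 1; }
  # Same backup the post makes before editing.
  cp "$ini" "$ini.bk" || return 1
  if grep -q '^max_execution_time[[:space:]]*=' "$ini"; then
    # Rewrite the existing directive; write to a temp file so a failed sed
    # leaves the original untouched.
    sed "s/^max_execution_time[[:space:]]*=.*/max_execution_time = $secs/" "$ini" > "$ini.tmp" \
      && mv "$ini.tmp" "$ini"
  else
    # Directive absent: append it so the new limit applies.
    printf 'max_execution_time = %s\n' "$secs" >> "$ini"
  fi
}

# Read the current value back (empty output if the directive is missing).
get_max_execution_time() {
  sed -n 's/^max_execution_time[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$1"
}

# Demo on a constructed php.ini in a temp dir (not the live SecurityCenter file).
DEMO_DIR="$(mktemp -d)"
printf '; constructed sample php.ini\nmax_execution_time = 30\nmemory_limit = 128M\n' > "$DEMO_DIR/php.ini"
echo "before: $(get_max_execution_time "$DEMO_DIR/php.ini")"
set_max_execution_time "$DEMO_DIR/php.ini" 90
echo "after:  $(get_max_execution_time "$DEMO_DIR/php.ini")"
echo "backup: $(get_max_execution_time "$DEMO_DIR/php.ini.bk")"
```

Raising this value only widens how long a single PHP request may run, so the tripled 90s from the post is a reasonable ceiling; keep the `.bk` file until the Splunk input has been confirmed to pull every scan after the restart.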
Did anyone find a fix for this issue? I am having the same exact error message.
This seems to be an issue on Tenable's side.
https://community.tenable.com/thread/9403
It seems the pasted log is broken; would you please provide the raw logs?
I am having this same problem too. Has anyone been able to figure this out?
2017-03-08 15:51:57,258 +0000 log_level=WARNING, pid=20668, tid=Thread-5, file=ta_tenable_sc_data_collector.py, func_name=_pre_process_ckpt, code_line_no=284 | [stanza_name="securitycenterserver" data="sc_vulnerability" server="securitycenterserver"] error_msg=Unable to process Vuln Query.
SecurityCenter could not process the vulnerability filter string (SC_ROOT=/opt/sc /opt/sc/bin/showvulns-individual +orgid "1" +groupid "0" +tool 'listvuln' +datedir "2017-03-08" +scanid '2275' +view 'all' +startoffset '0' +endoffset '0' +repository "1" -acceptRisk).
11^list^0^0^-1