Splunk Add-on for Tenable: Why has Splunk stopped ingesting an API modular input for security center vulnerability management scans?

Hi All,

I am getting the following error, in which Splunk is unable to pull data (scans) from a security center. The Splunk Add-on for Tenable is being used to pull the management scans. We have 8 security center servers, and Splunk successfully pulls scan data from 7 of the security center servers, but not from this 8th one. It has been one and a half months since log ingestion stopped. We are pulling a lot of scan data, which Splunk doesn't seem to ingest.

The application contact has been able to verify that they are receiving API logins from the Splunk account. This verifies that Splunk is trying to pull the management scan data but is unable to do so.

I verified the permissions for the Splunk account. The permissions look good. The Splunk account has been given the Security Manager, Security Analyst and Vulnerability Analyst roles to get the scan results.

In the Splunk internal logs, I see the following errors:

    2017-05-19 18:53:46,264 +0000 log_level=ERROR, pid=11116, tid=Thread-5, file=ta_data_collector.py, func_name=_do_safe_index, code_line_no=161 | [stanza_name="SecurityCenterInputs07" data="sc_vulnerability" server="SecurityCenter07"] Failed to get msg
    Traceback (most recent call last):
      File "/oap/poap/a00/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_data_collector.py", line 151, in _do_safe_index
        events, ckpt = self._client.get()
      File "/oap/poap/a00/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_data_client.py", line 74, in get
        return self._gen.send(self.is_stopped())
      File "/oap/poap/a00/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/ta_tenable_sc_data_collector.py", line 188, in _process_sc_vulnerability
        del scan_results[scan_id]
    KeyError: u'102
    [stanza_name="SecurityCenterInputs07" data="sc_vulnerability" server="SecurityCenter07"] error_msg=Error getting Scan Result #102 for User #10 in Organization #1. Scan Result #102 does not exist.

The object "102" is missing.

Please help me troubleshoot this matter.

Thanks,
Obaid
