Troubleshooting

  1. I am getting a Splunk error.

    • Check the $SPLUNK_HOME/var/log/splunk/splunkd.log for Splunk related errors. If you see errors, contact your Splunk administrator.

    • Set your SPLUNK_HOME environment.

  2. I don’t see data after setting up mod input.

    • For Tenable Vulnerability Management mod-input, check the $SPLUNK_HOME/var/log/splunk/ta_tenable_tenable_io.log file.
    • For Tenable Security Center mod-input, check the $SPLUNK_HOME/var/log/splunk/ta_tenable_tenable_securitycenter.log .
    • For Tenable Security Center mobile mod-input, check the $SPLUNK_HOME/var/log/splunk/ta_tenable_tenable_securitycenter_mobile.log file.

  3. Data is not populating in the Tenable App dashboards.

    • Run an All Time saved search for Tenable Vulnerability Management or Tenable Security Center.  After running the All Time saved search, turn on and schedule a saved search.

    • Try expanding the time range from the last 24 hours.
    • Check the Tenable macro (get_tenable_index) and set the Tenable index correctly.

    • The dashboard can take some time to populate when data collection starts. To ensure you are receiving all available data, take the following steps:

      • search `get_tenable_index` | stats count by source type

      • You should see the following source types: tenable:io:vuln, tenable:io:assets, tenable:io:plugin, tenable:sc:vuln, tenable:sc:plugin, tenable:sc:assets, tenable:sc:mobile:vuln, tenable:sc:mobile:assets, tenable:nnm:vuln.

      • Check the log file for any errors - $SPLUNK_HOME/var/log/splunk/splunkd.log

      • The app only imports new information from Tenable Security Center. So if you have not scanned recently, there may not be any updates.

  4. While running Tenable Vulnerability Management, I get the following error: ERROR pid=106020 tid=MainThread file=io_connect.py:__checkResponse:83 | Tenable Error: response: Duplicate export not allowed. Please modify request or wait until existing export is complete.

    • Create a new, unique user and API login to use in Splunk.
  5. I can't set up a default Instance.
    • If you are unable to find the Tenable Vulnerability Center dashboard under the Managed Dashboards section in the Dashboards drop-down, make sure there are no trailing white spaces for the connection ID fetched from Admin Settings. Refer to Tenable Plugin for Splunk documentation.
  6. I am getting an error when applying internal self-signed SSL certificates to Tenable Security Center.

    • You may get the following error if your Tenable Security Center self-signed certificate is not installed to Splunk and the optional Verify SSL Certificate setting is enabled. Completing this installation allows Splunk to trust the designated SSL client certificate you installed.

    • You need to install the CA for the Splunk integration to trust. For more information, see Configure Tenable Certificates.
  7. Connection aborted due to "Remote end closed connection without response" error in Splunk logs.
    • If the “Remote end closed connection without response” error shows in either the ta_tenable_tenable_io.log, ta_tenable_tenable_securitycenter.log, or ta_tenable_tenable_securitycenter_mobile.log files at location $SPLUNK_HOME/var/log/splunk, make sure that there is no ongoing data collection process in Splunk while stopping the Splunk service or upgrading the Tenable Application for Splunk or Splunk Add-on. Whenever this type of error occurs, Splunk tries again to process the failed request by using the same checkpoint values after coming back online.
  8. Fields are not getting displayed on the “Inputs > Add Tenable.io” / “Inputs > Update Tenable.io” page.
    • If you are not able to see a few fields on the Inputs > Add Tenable.io and Inputs > Update Tenable.io pages after upgrading the Tenable Application for Splunk, reload cached content in the browser.

Known Issues

  1. User is able to see the Host Audit, Cloud Findings, and Web Application findings parameters in the Settings > Data Inputs Splunk user interface while creating the IO input from there, but these do not fetch the Host Audit, Cloud Findings, and Web Application findings data.
  2. User is able to see the Host Audit, Cloud Findings, and Web Application findings parameters in the inputs.conf($SPLUNK_HOME/etc/apps/TA-tenable/local/inputs.conf) while upgrading the add-on from 6.0.1 to 6.0.3, for the existing inputs, but these do not fetch the Host Audit, Cloud Findings, and Web Application findings data.