Troubleshooting

  1. I am getting a Splunk error.

    • Check the $SPLUNK_HOME/var/log/splunk/splunkd.log file for Splunk-related errors. If you see errors, contact your Splunk administrator.

    • Set your SPLUNK_HOME environment variable.

  2. I don’t see data after setting up mod input.

    • For Tenable Vulnerability Management mod-input, check the $SPLUNK_HOME/var/log/splunk/ta_tenable_tenable_io.log file.
    • For Tenable Security Center mod-input, check the $SPLUNK_HOME/var/log/splunk/ta_tenable_tenable_securitycenter.log file.
    • For Tenable Security Center mobile mod-input, check the $SPLUNK_HOME/var/log/splunk/ta_tenable_tenable_securitycenter_mobile.log file.
    • For Tenable OT Security mod-input, check the $SPLUNK_HOME/var/log/splunk/ta_tenable_tenable_ot_security_icp.log file.
  3. Data is not populating the Tenable App dashboards.

    • Run an All Time saved search for Tenable Vulnerability Management or Tenable Security Center. After running the All Time saved search, turn on and schedule a saved search.

    • Try expanding the time range from the last 24 hours.
    • Check the Tenable macro (get_tenable_index) and set the Tenable index correctly.
    • The dashboard can take some time to populate when data collection starts. To ensure you are receiving all available data, take the following steps:

      • Run the following search: search `get_tenable_index` | stats count by sourcetype

      • You should see the following source types: tenable:io:vuln, tenable:io:assets, tenable:io:plugin, tenable:sc:vuln, tenable:sc:plugin, tenable:sc:assets, tenable:sc:mobile:vuln, tenable:sc:mobile:assets, tenable:nnm:vuln.

      • Check the log file for any errors: $SPLUNK_HOME/var/log/splunk/splunkd.log

      • The app only imports new information from Tenable Security Center. So if you have not scanned recently, there may not be any updates.

  4. While running Tenable Vulnerability Management, I get the following error: ERROR pid=106020 tid=MainThread file=io_connect.py:__checkResponse:83 | Tenable Error: response: Duplicate export not allowed. Please modify request or wait until existing export is complete.

    • Create a new, unique user and API login to use in Splunk.
  5. I can't set up a default Instance.
    • If you are unable to find the Tenable Vulnerability Center dashboard under the Managed Dashboards section in the Dashboards drop-down, make sure there is no trailing whitespace in the connection ID fetched from Admin Settings. Refer to the Tenable Plugin for Splunk documentation.
  6. I am getting an error when applying internal self-signed SSL certificates to Tenable Security Center.
    • You may get the following error if your Tenable Security Center self-signed certificate is not installed in Splunk and the optional Verify SSL Certificate setting is enabled. Completing this installation allows Splunk to trust the designated SSL client certificate you installed.

    • You need to install the CA so that the Splunk integration trusts it. For more information, see Configure Tenable Certificates.
  7. Connection aborted due to "Remote end closed connection without response" error in Splunk logs.
    • If the “Remote end closed connection without response” error appears in any of the ta_tenable_tenable_io.log, ta_tenable_tenable_securitycenter.log, or ta_tenable_tenable_securitycenter_mobile.log files in $SPLUNK_HOME/var/log/splunk, make sure that no data collection process is running in Splunk when you stop the Splunk service or upgrade the Tenable Application for Splunk or the Splunk Add-on. Whenever this type of error occurs, Splunk retries the failed request with the same checkpoint values after it comes back online.
  8. Fields are not getting displayed on the “Inputs > Add Tenable.io” / “Inputs > Update Tenable.io” page.
    • If you are not able to see a few fields on the Inputs > Add Tenable.io and Inputs > Update Tenable.io pages after upgrading the Tenable Application for Splunk, reload cached content in the browser.
  9. Input is created successfully but data is not getting collected for OT Security.

    • Check the data by expanding the time range in Splunk search.

    • Make sure that you are entering the correct search query. For example, if you want to search OT Security assets data, the search query should be index = your_index sourcetype = tenable:ot:assets.

    • Check the log messages for any errors:

      • For logs related to OT Security data collection: You can view the logs in the ta_tenable_tenable_ot_security_icp.log log file by navigating to $SPLUNK_HOME/var/log/splunk/.

      • For logs related to OT Security account creation: You can view the logs in the ta_tenable_account_validation.log log file by navigating to $SPLUNK_HOME/var/log/splunk/.

      • Error log messages regarding OT Security data collection and account creation can also be seen from Splunk search in the _internal index.

        • Data collection: index = _internal source = *ta_tenable_tenable_ot_security_icp* ERROR

        • Account creation: index = _internal source = *ta_tenable_account_validation* ERROR

    Note: $SPLUNK_HOME is the path where Splunk is installed.
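
    The log checks from items 2, 4, 7 and 9 can be run in one pass. The script below is an added example, not part of the Tenable or Splunk tooling: the log file names and the two error strings are the ones listed on this page, while the function names (count_matches, triage_tenable_logs) are hypothetical.

```shell
#!/bin/sh
# Added example, not Tenable or Splunk code. Log file names and the two error
# strings come from the page; function names are hypothetical.

TENABLE_LOGS="ta_tenable_tenable_io.log
ta_tenable_tenable_securitycenter.log
ta_tenable_tenable_securitycenter_mobile.log
ta_tenable_tenable_ot_security_icp.log
ta_tenable_account_validation.log"

# count_matches STRING FILE: print the number of lines containing STRING.
# grep -c exits 1 when the count is 0, so the status is deliberately ignored.
count_matches() {
    grep -c -F -- "$1" "$2" || true
}

# triage_tenable_logs [LOGDIR]: one summary line per add-on log, plus the
# page's remedy when one of the two known errors is present.
triage_tenable_logs() {
    logdir=${1:-"$SPLUNK_HOME/var/log/splunk"}
    for name in $TENABLE_LOGS; do
        file="$logdir/$name"
        if [ ! -r "$file" ]; then
            # No readable log file at this path.
            printf '%s missing\n' "$name"
            continue
        fi
        errors=$(count_matches "ERROR" "$file")
        dup=$(count_matches "Duplicate export not allowed" "$file")
        closed=$(count_matches "Remote end closed connection without response" "$file")
        printf '%s errors=%s duplicate_export=%s remote_closed=%s\n' \
            "$name" "$errors" "$dup" "$closed"
        if [ "$dup" -gt 0 ]; then
            printf '  item 4: create a new, unique user and API login for Splunk\n'
        fi
        if [ "$closed" -gt 0 ]; then
            printf '  item 7: avoid stopping or upgrading during collection; Splunk retries from the same checkpoint\n'
        fi
    done
}

# Run only when a log directory is passed, e.g. sh triage.sh "$SPLUNK_HOME/var/log/splunk"
if [ "$#" -gt 0 ]; then
    triage_tenable_logs "$1"
fi
```

    A line reporting "missing" means that no log file exists for that input under the given directory.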