How to get the Splunk Add-on for Nessus to pull da...

donaldwayne1975 · ‎11-11-2015

Recently installed the Splunk Add-on for Nessus and have it successfully pulling data from my scanner. It is only showing scan data for the current month though. Is there a way to have it pull data further back. Nessus version is 6.5.2 and Splunk version 6.2.0.237341. Thank you in advance for your time.

rpille_splunk · ‎11-11-2015

The start_date parameter (called Start Time in the input UI if you are doing this in Splunk Web) is intended to control this. It should be pulling all scan data with a "host scan date" in Nessus later than the time you specify. Keeping the default of 1999/01/01 should collect everything. If that doesn't seem to be working as expected, please file a support case and send a diag so we can take a look.

donaldwayne1975 · ‎11-12-2015

I have adjusted this value a couple of times, followed by a restart of the service. I have seen one additional day worth of data from 2 months prior be populated into Splunk. Odd that it is not pulling the other days scan data. I am seeing these errors in the log.

ERROR pid=5600 tid=MainThread file=nessus_config.py:check_conf_mgr_result:26 | Cannot get the encrypted keys.

ERROR pid=5600 tid=MainThread file=nessus.py:get_nessus_modinput_configs:156 | Failed to setup config for nessus TA: Cannot get the encrypted keys.

AND

ERROR pid=5600 tid=MainThread file=nessus.py:get_nessus_modinput_configs:157 | Traceback (most recent call last):
File "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\nessus.py", line 147, in get_nessus_modinput_configs
input_conf = config.get_data_input(input_name)

How to get the Splunk Add-on for Nessus to pull data older than the current month from my scanner?

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?