Greetings Community, I am trying to integrate the Splunk Add-on tenable to collect scan details from Nessus. Unfotunately, no data has been collected. Here is what I confirmed to do: 1- I installed the add-on on my heavy forwarder and configured the correct index=nessus. 2- I also installed the add-on on the search head cluster as the guide suggested after deleting both "eventgen.conf" & "inputs.conf". (Splunk Add-on for Tenable, Splunk Docs) 3- Moreover, I ensured to get the correct keys from Nessus tenable when configuring the add-on on Splunk. (How_To_Guide_Tenable.io_Splunk_v2.pdf) 4- The indexers have the correct index. 5- Firewall ports have been allowed. By running a tcpdump on my Heavyforwarder, I couldn't see any packages sent/received between it and the Nessus server. However, I manged to find two repetitive errors in the Nessuslog file as follow: Error#1: 2017-08-26 19:38:42,209 +0000 log_level=ERROR, pid=6866, tid=MainThread, file=ta_mod_input.py, func_name=main, code_line_no=186 | Tenable task encounter exception Traceback (most recent call last): File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_mod_input.py", line 183, in main config_cls=configer_cls) File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_mod_input.py", line 100, in run tconfig = tc.create_ta_config(settings, config_cls or tc.TaConfig) File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_config.py", line 181, in create_ta_config return config_cls(meta_config, settings) File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_config.py", line 21, in __init__ meta_config[c.session_key]) File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktalib/splunk_cluster.py", line 26, in __init__ raise Exception("Failed to init ServerInfo") Exception: Failed to init ServerInfo Error#2: 2017-08-26 19:38:42,209 +0000 log_level=ERROR, pid=6866, tid=MainThread, file=rest.py, func_name=splunkd_request, code_line_no=42 | Failed to send rest request=https://127.0.0.1:8089/services/server/info, errcode=unknown, reason=Traceback (most recent call last): File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktalib/rest.py", line 40, in splunkd_request headers=headers, body=data) File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/httplib2/__init__.py", line 1609, in request (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey) File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/httplib2/__init__.py", line 1351, in _request (response, content) = self._conn_request(conn, request_uri, method, body, headers) File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/httplib2/__init__.py", line 1272, in _conn_request conn.connect() File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/httplib2/__init__.py", line 1075, in connect raise socket.error, msg error: [Errno 111] Connection refused ... View more

Greetings all, I am new to Splunk and trying to know my way around it. I created a home lab environment with the following details: * 1 search head, 1 indexer, and 1 Heavy forwarder ( All Linux). * 1 Universal forwarder ( my desktop). Right now, my windows logs are being sent from the Universal Forwarder to Heavy forwarder on TCP port 9998 (random port #). Then, the Heavy Forwarder receives on 9998 and sends on to the indexer on 9997. I can search from the search head and receive all data however they all go to index=main. I tried the following: * modify inputs.conf in Heavy forwarder with the following: [tcp://mydesktopIP:9998] index = desktop I also tried to modify the inputs.conf file in the launcher app: [splunktcp://9998] index = desktop ==== None of the options above worked. Also kindly note that I ensured that the indexes.conf file in my indexer has the "desktop" index information. Thanks in advance. ... View more