
How to configure the Splunk Add-on for Nessus?

junior87
Engager

Hi, I have a configuration problem with Splunk_TA_nessus and Splunk, and running in debug gives me the following:

Checking filesystem compatibility...  Done
    Checking conf files for problems...
        Invalid key in stanza [default] in /root/splunk/etc/apps/Splunk_TA_nessus/local/inputs.conf, line 1:    srcdir  (value:  /root/splunk/etc/apps/Splunk_TA_nessus/spool/)
        Invalid key in stanza [default] in /root/splunk/etc/apps/Splunk_TA_nessus/local/inputs.conf, line 2:    tgtdir  (value:  $SPLUNK_HOME/var/spool/splunk)
        Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
    Done

MuS
SplunkTrust

Hi junior87,

looking at the inputs.conf of this app it says:

## EXAMPLE Nessus scripted input using user-defined directories, full paths
#
# Purpose:
#
#   Converts .nessus format files (v1 or v2) to a Splunk-indexable format,
#   using the following directories as source and target:
#
#    srcdir = /opt/nessus/incoming
#    tgtdir = /opt/nessus/parsed
# 
# WARNING: This is only an example.
#
#   To utilize this input as shown, a Splunk "monitor" stanza would also need
#   to be configured to index parsed output files from the custom directory 
#   The configuration of the "monitor" stanza would need to be similar to
#   the configuration used for the default Splunk spool directory.
#   For instance:
#
#       [batch://<path_to_custom_spool_directory>]
#       move_policy = sinkhole
#       crcSalt = <SOURCE>

This means: use neither srcdir nor tgtdir, but set up a Splunk input monitor like in the [batch: ...] example, or use the scripted input like this:

[script://./bin/nessus2splunk.py -s /opt/nessus/incoming -t /opt/nessus/parsed]
disabled = false
interval = 120
index = _internal
source = nessus2splunk
sourcetype = nessus2splunk

where -s is the source path and -t is the target path for the script. The target path will be monitored in Splunk.

Hope this helps to get you started ...

cheers, MuS
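An added example, not from this thread or from the add-on itself: a small Python check that reproduces the btool complaint above (srcdir/tgtdir placed in [default], which are nessus2splunk.py arguments rather than inputs.conf keys) and verifies that the -t directory of the script stanza is actually watched by a batch:// or monitor:// input. The BROKEN and FIXED texts are constructed from the stanzas quoted in this thread.

```python
import configparser
import shlex

# Constructed from the thread: the [default] stanza that btool rejects.
BROKEN = """\
[default]
srcdir = /root/splunk/etc/apps/Splunk_TA_nessus/spool/
tgtdir = $SPLUNK_HOME/var/spool/splunk
"""

# Corrected layout: -s/-t on the script stanza plus a batch input on the target dir.
FIXED = """\
[script://./bin/nessus2splunk.py -s /opt/nessus/incoming -t /opt/nessus/parsed]
disabled = false
interval = 120
index = _internal
source = nessus2splunk
sourcetype = nessus2splunk
[batch:///opt/nessus/parsed]
move_policy = sinkhole
crcSalt = <SOURCE>
"""

SCRIPT_ARGS = {"srcdir", "tgtdir"}  # nessus2splunk.py arguments, not inputs.conf keys

def parse_conf(text):
    """Return {stanza: {key: value}}; [default] is read as an ordinary stanza."""
    cp = configparser.ConfigParser(interpolation=None, default_section="\x00")
    cp.optionxform = str  # Splunk keys are case-sensitive (crcSalt)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def invalid_keys(text):
    """(stanza, key) pairs that would trigger btool's 'Invalid key in stanza'."""
    return [(s, k) for s, keys in parse_conf(text).items() for k in keys if k in SCRIPT_ARGS]

def unmonitored_targets(text):
    """-t directories of script stanzas that no batch:// or monitor:// input watches."""
    conf = parse_conf(text)
    watched = {s.split("://", 1)[1].rstrip("/") for s in conf
               if s.startswith(("batch://", "monitor://"))}
    missing = []
    for stanza in conf:
        if not stanza.startswith("script://"):
            continue
        argv = shlex.split(stanza[len("script://"):])
        idx = argv.index("-t") + 1 if "-t" in argv else len(argv)
        if idx < len(argv) and argv[idx].rstrip("/") not in watched:
            missing.append(argv[idx])
    return missing
```

Run invalid_keys() over your local/inputs.conf to see the same two keys btool flags, and unmonitored_targets() to catch a parsed directory that nothing indexes.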

junior87
Engager

thank you

I fixed the error, but Splunk_TA_nessus does not let me view data.


MuS
SplunkTrust

The Add-on will not provide any view; it 'only' provides the inputs and CIM-compatible knowledge to use Nessus data with other Splunk apps, such as Splunk App for Enterprise Security and Splunk App for PCI Compliance.

jcoates_splunk
Splunk Employee

FYI, there are now pre-built panels in the Add-on, so you can add a dashboard and select from those to get some reports.