Hurricane Labs Add-on for Nessus: Why am I getting error "The lookup table 'nessus_plugin_lookup' does not exist"?

vinchakov_a
Path Finder
11-13-2015 08:20:42.654 +0300 ERROR LookupOperator - The lookup table 'nessus_plugin_lookup' does not exist. It is referenced by configuration 'nessus_vuln'.
11-13-2015 08:20:42.654 +0300 WARN  LookupOperator - Failed to find static lookup file: nessus_plugin_lookup.csv

I received this error. TA version: 1.0.6BETA.

jeeames
Explorer

I had this error until I created empty files for:

splunk/etc/apps/TA-nessus/lookups/nessus_plugin_lookup.csv

and

splunk/etc/apps/TA-nessus/lookups/nessus_scans.csv

by typing "touch nessus_scans.csv" and "touch nessus_plugin_lookup.csv" in the splunk/etc/apps/TA-nessus/lookups directory.

0 Karma

duartet
Path Finder

But it shouldn't need those files, since nessus_plugin_lookup points to nessus_plugin.csv.

0 Karma
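The two replies above disagree about which CSV the lookup definition actually references, and creating empty files with "touch" silences the error without giving the lookup any rows. The following is an added example, not code from the thread or from the Hurricane Labs add-on: it walks an app's transforms.conf, resolves each file-backed lookup stanza to lookups/<filename>, and reports whether the file is missing, present but empty, or usable. The demo app directory, stanza names and file contents are constructed here to mirror the thread; the local/-over-default/ precedence is Splunk's normal layering.

```python
"""Check that every CSV lookup declared in a Splunk app's transforms.conf
exists and has a header row.

Added example (not part of the original thread or the Hurricane Labs
add-on). A stanza whose target CSV is absent is the situation behind
"The lookup table '<name>' does not exist". All paths and stanza
contents below are constructed for the demo.
"""
import configparser
import csv
import os
import tempfile


def check_lookups(app_dir):
    """Return {stanza_name: status} for each transforms.conf stanza that
    declares a file-backed lookup via 'filename'. Status is one of
    'ok', 'missing', 'empty' (no header row) or 'unreadable'."""
    default_conf = os.path.join(app_dir, "default", "transforms.conf")
    local_conf = os.path.join(app_dir, "local", "transforms.conf")
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # Splunk setting names are case-sensitive
    # local/ is read after default/ so its settings win, as in Splunk
    parser.read([default_conf, local_conf])

    results = {}
    for stanza in parser.sections():
        if not parser.has_option(stanza, "filename"):
            continue  # KV store / external lookups are not file-backed
        csv_path = os.path.join(app_dir, "lookups",
                                parser.get(stanza, "filename"))
        if not os.path.isfile(csv_path):
            results[stanza] = "missing"
            continue
        try:
            with open(csv_path, newline="") as fh:
                header = next(csv.reader(fh), None)
        except OSError:
            results[stanza] = "unreadable"
            continue
        results[stanza] = "ok" if header else "empty"
    return results


def build_demo_app():
    """Construct a throwaway app directory that mirrors the thread:
    nessus_plugin_lookup points at nessus_plugin.csv, which is absent,
    and nessus_scans.csv exists but is empty (as 'touch' would leave it).
    A KV store stanza is included to show it is skipped."""
    app_dir = tempfile.mkdtemp(prefix="TA-nessus-demo-")
    os.makedirs(os.path.join(app_dir, "default"))
    os.makedirs(os.path.join(app_dir, "lookups"))
    with open(os.path.join(app_dir, "default", "transforms.conf"), "w") as fh:
        fh.write(
            "[nessus_plugin_lookup]\n"
            "filename = nessus_plugin.csv\n"
            "\n"
            "[nessus_scans]\n"
            "filename = nessus_scans.csv\n"
            "\n"
            "[nessus_kv]\n"
            "external_type = kvstore\n"
            "collection = nessus_kv\n"
        )
    open(os.path.join(app_dir, "lookups", "nessus_scans.csv"), "w").close()
    return app_dir


if __name__ == "__main__":
    demo = build_demo_app()
    for name, status in sorted(check_lookups(demo).items()):
        print(f"{name}: {status}")
```

Run it against a real installation by passing the app path (for example splunk/etc/apps/TA-nessus) to check_lookups instead of the demo directory; a result of "empty" means the lookup error is gone but every dashboard that joins on that lookup will still come back blank until the file is populated.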

vinchakov_a
Path Finder

I checked one of the dashboards, and it is empty because it uses "severity". If I delete severity from the search string, it works.

0 Karma

cschmidt_hurric
Path Finder

Try running an all-time search over sourcetype=nessus_vuln. Do you see any events? If the dashboards are empty, that probably means you have no indexed scan data.

Note: The user account that Splunk is using to log in to your Nessus scanner must be the same user that ran the scans.

EDIT: Sorry, I wrote index=nessus instead of sourcetype=nessus_vuln.

0 Karma

vinchakov_a
Path Finder

Yes, I see events in index=nessus.

0 Karma

cschmidt_hurric
Path Finder

Apologies, I meant sourcetype=nessus_vuln, not index=nessus.

Are the events in that sourcetype scan results?

0 Karma

vinchakov_a
Path Finder

Sorry, index=nessus sourcetype=nessus_vuln is the same as index=nessus.

0 Karma

vinchakov_a
Path Finder

I see new data in index=nessus. But in the app it is empty. For example, I take the request:

tag=vulnerability tag=report report_id=* severity=* NOT severity=informational | chart count over dest by severity | sort -count limit=10 | rename low as Low, medium as Medium, high as High, critical as Critical

The reply is empty.
Then I modify the request (delete severity and add index=nessus):

index=nessus tag=vulnerability tag=report report_id=* | chart count over dest by severity | sort -count limit=10 | rename low as Low, medium as Medium, high as High, critical as Critical

I obtain data.

0 Karma

tp92222
Explorer

I am not getting any data for sourcetype=nessus_vuln.

0 Karma

cschmidt_hurric
Path Finder

Is the severity field "informational" in all of your Nessus scan results? The Hurricane Labs App for Vulnerability Management doesn't display informational scan results in its dashboards.

0 Karma

vinchakov_a
Path Finder

They have no "severity" field.

0 Karma

vinchakov_a
Path Finder

I created an empty CSV and launched update_lookup.sh. It filled it. It downloaded data from Nessus; I see them.
But in the application the dashboards are empty.

0 Karma

sundareshr
Legend

Check permissions?

0 Karma

vinchakov_a
Path Finder

All by the root user.

0 Karma