Splunk Enterprise Security

Splunk Add-on for Nessus: Why am I unable to connect to my Nessus Professional instance?

Jarrett
New Member

Hi There

This is my first ever forum question / post so please let me know if there is any further information I may need to provide in order to help with resolving my issue.

Issue

I have been going round in circles trying to connect my Nessus Professional instance with Splunk Enterprise and the Enterprise Security application via the Splunk Add-on for Nessus to send scan data periodically. However, the index I created for Nessus data to populate is not being populated and remains empty. I have checked the logs in index=_internal sourcetype=ta:nessus:log (shown below), and it appears to not be able to connect to the default - https://xxx.xxx.xxx.xxx:8834/scans.

Background

Setup: Splunk is sitting in a server farm on network 1, subnet A *, Nessus is sitting in a server farm on network 1, subnet B *, my client machine is sitting in the client area on network 1, subnet C *. I have left the Nessus settings as default i.e. specifically listening on port 8834, I have generated API keys on the Nessus device and have configured the Splunk Add-on for Nessus with the address of the Nessus device and the API keys.

Troubleshooting: I have tested telnet from my client machine to the Nessus device on port 8834, and netstat on the Nessus device shows a socket successfully created as socket clientMachine:ephemeralPort / xxx.xxx.xxx.xxx:xxxxxx. Telnet cannot be run from the Splunk Enterprise instance; however, when I test cURL from Splunk Enterprise to Nessus I am not getting any downloads.

(for example)*

The point where it constantly fails is shown below in the log output from index=_internal sourcetype=ta:nessus:log -

2016-08-03 10:52:33,246 ERROR pid=2780 tid=MainThread file=nessus_rest_client.py:request:91 | Failed to connect https://xxx.xxx.xxx.xxx:8834/scans, reason=Traceback (most recent call last):
  File "D:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\nessus_rest_client.py", line 79, in request
    headers=headers)
  File "D:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunktalib\httplib2\__init__.py", line 1593, in request
    (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
  File "D:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunktalib\httplib2\__init__.py", line 1335, in _request
    (response, content) = self._conn_request(conn, request_uri, method, body, headers)
  File "D:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunktalib\httplib2\__init__.py", line 1291, in _conn_request
    response = conn.getresponse()
  File "D:\Program Files\Splunk\Python-2.7\Lib\httplib.py", line 1123, in getresponse
    raise ResponseNotReady()
ResponseNotReady

Any help is much appreciated, thanks.

0 Karma

sjohnson_splunk
Splunk Employee

If you don't have telnet on the Splunk server, try using the openssl command:

openssl s_client -connect xxx:8834

This will tell you if you have a firewall block.

0 Karma

Jarrett
New Member

If the certificate is expired or not valid could this cause the data to not be input into the index?


0 Karma

Jarrett
New Member

Thanks, I tried openssl; it is either not installed or is not in the path variables. The Splunk instance is on a Windows server, but I come from a Unix background; from what I can see, I am guessing OpenSSL is not installed or enabled by default?

0 Karma

coltwanger
Contributor

You can run the OpenSSL command from Splunk's bin directory at "C:\Program Files\Splunk\bin\"

0 Karma
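The openssl s_client check suggested above answers one question (is there a TCP/TLS path from the Splunk host to port 8834?), and the certificate question raised later in the thread is a separate one (does the client trust what the listener presents?). The script below, an added example that is not part of the Splunk Add-on for Nessus or of any reply in this thread, runs those checks in order from the Splunk host and then makes the authenticated GET /scans request that the add-on's log shows failing, so each layer is tested on its own. Host, port and API keys are constructed placeholders; it is written for Python 3.7 or newer, so run it with a separate interpreter rather than the Python 2.7 bundled with Splunk. The X-ApiKeys header is the Nessus REST API key convention.

```python
"""Staged reachability check from the Splunk host to a Nessus REST endpoint.

Added example, not code from the Splunk Add-on for Nessus. The host, port and
API keys are constructed placeholders; replace them before running.
"""
import json
import socket
import ssl
import urllib.error
import urllib.request

NESSUS_HOST = "xxx.xxx.xxx.xxx"   # placeholder: address of the Nessus instance
NESSUS_PORT = 8834                # Nessus default listener
ACCESS_KEY = "<access-key>"       # placeholder: API key generated in Nessus
SECRET_KEY = "<secret-key>"       # placeholder
TIMEOUT = 5


def check_tcp(host, port, timeout=TIMEOUT):
    """Stage 1: plain TCP connect. A timeout or refusal here points at
    firewalling or routing between the Splunk subnet and the Nessus subnet."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "tcp connect ok"
    except OSError as exc:
        return False, "tcp connect failed: %s" % exc


def check_tls(host, port, timeout=TIMEOUT):
    """Stage 2: TLS handshake, first verifying the certificate, then without
    verification. Returns (handshake_ok, verify_ok, detail). A self-signed or
    expired certificate appears as verify_ok=False with OpenSSL's reason in
    detail; handshake_ok=False means the port answered but did not speak TLS."""
    strict = ssl.create_default_context()
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict.wrap_socket(raw, server_hostname=host) as tls:
                return True, True, "verified, expires %s" % tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        reason = exc.verify_message
    except (OSError, ssl.SSLError) as exc:
        return False, False, "tls handshake failed: %s" % exc
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with lax.wrap_socket(raw, server_hostname=host):
                return True, False, "handshake ok, verification failed: %s" % reason
    except (OSError, ssl.SSLError) as exc:
        return False, False, "tls handshake failed: %s" % exc


def check_api(host, port, access_key, secret_key, verify=True, timeout=TIMEOUT):
    """Stage 3: authenticated GET /scans, the endpoint the add-on log shows
    failing. Returns (http_status or None, detail)."""
    ctx = ssl.create_default_context()
    if not verify:  # only when stage 2 showed an untrusted certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        "https://%s:%d/scans" % (host, port),
        headers={"X-ApiKeys": "accessKey=%s; secretKey=%s" % (access_key, secret_key),
                 "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            body = json.loads(resp.read().decode("utf-8"))
            return resp.status, "%d scans listed" % len(body.get("scans") or [])
    except urllib.error.HTTPError as exc:
        return exc.code, "HTTP %d (401/403 usually means rejected API keys)" % exc.code
    except (OSError, ssl.SSLError) as exc:
        return None, "request failed: %s" % exc


def cert_is_expired(not_after, now_epoch):
    """True if a getpeercert()-style notAfter string such as
    'Aug  3 10:52:33 2016 GMT' is earlier than now_epoch (UTC seconds)."""
    return ssl.cert_time_to_seconds(not_after) < now_epoch


def diagnose(tcp_ok, handshake_ok, verify_ok, http_status):
    """Map the stage results to the single layer to look at next."""
    if not tcp_ok:
        return "blocked: no TCP path to the port (firewall/ACL between subnets)"
    if not handshake_ok:
        return "tls: port answers but no TLS handshake (non-TLS listener or middlebox)"
    if http_status is None:
        return "http: TLS is up but no HTTP response came back"
    if http_status in (401, 403):
        return "auth: API keys rejected by Nessus"
    if http_status == 200 and not verify_ok:
        return "ok-unverified: API reachable; certificate not trusted by this client"
    if http_status == 200:
        return "ok: API reachable and certificate verified"
    return "http: unexpected status %d" % http_status


if __name__ == "__main__":
    tcp_ok, msg = check_tcp(NESSUS_HOST, NESSUS_PORT)
    print(msg)
    hs_ok = ver_ok = False
    status = None
    if tcp_ok:
        hs_ok, ver_ok, msg = check_tls(NESSUS_HOST, NESSUS_PORT)
        print(msg)
    if hs_ok:
        status, msg = check_api(NESSUS_HOST, NESSUS_PORT, ACCESS_KEY, SECRET_KEY, verify=ver_ok)
        print(msg)
    print(diagnose(tcp_ok, hs_ok, ver_ok, status))
```

If stage 1 fails, the problem is between the subnets, and the openssl s_client command from Splunk's own bin directory will show the same thing. If stage 2 completes only without verification, the certificate (self-signed or expired) is what a strict client would reject; whether that stops the add-on depends on whether it verifies the chain, which the thread does not establish. A 401 or 403 in stage 3 isolates the problem to the API keys rather than to the network.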