Hello,
My environment uses Nessus for vulnerability scanning, and we are importing the results of those scans via the Splunk Add-on for Tenable, here: https://splunkbase.splunk.com/app/1710/#/overview The events are correctly being indexed into Splunk.
However, approximately 90% of the events generated from the Nessus scans are "Informative", which we do not wish to index into Splunk.
I've added a TRANSFORMS in the props.conf and a stanza in transforms.conf to find the appropriate "Informative" events with a regex, and discard them using the queue nullQueue, but I have been unsuccessful in filtering out "Informative" events from new scan results as they are being indexed.
The Splunk Add-on for Tenable is installed on a heavy forwarder. I have attempted both having the props and transforms on the heavy forwarder, and having them on the indexers. Neither has worked as I intended. See added props and transforms below:
props.conf
[tenable:sc:vuln]
#To remove "severity = informative" events from being logged in to Splunk, to reduce events
TRANSFORMS-null= tenable_remove_severity_informative
transforms.conf
#To remove "severity = informative" events from being logged in to Splunk, to reduce events
[tenable_remove_severity_informative]
REGEX ="severity":\s\{(?:"name"|"description"|"id"):\s(?:"Info"|"Informative"|"0"),\s(?:"name"|"description"|"id"):\s(?:"Info"|"Informative"|"0"),\s(?:"name"|"description"|"id"):\s(?:"Info"|"Informative"|"0")\}
DEST_KEY = queue
FORMAT = nullQueue
I've tried other, simpler, regex terms (thinking maybe it was just a regex problem), but I'm nearly certain I've eliminated that as a possibility. When I copy/paste the above regex to test against the logs, it correctly finds the text I'm looking for.
Any advice is greatly appreciated! Thank you!
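A quick offline check of the routing logic described above, added here as an example and not part of the original post: it applies the question's REGEX verbatim to constructed sample events and reports whether each would land in nullQueue or indexQueue. It also includes a looser alternative pattern (my own assumption, matching only on severity id "0") to show that the verbatim regex depends on exactly one whitespace character after each colon and comma, so compact JSON would slip past it.

```python
import json
import re

# The nullQueue regex from the question's transforms.conf, verbatim
# (these PCRE constructs are accepted unchanged by Python's re module).
INFORMATIVE_REGEX = re.compile(
    r'"severity":\s\{(?:"name"|"description"|"id"):\s(?:"Info"|"Informative"|"0"),\s'
    r'(?:"name"|"description"|"id"):\s(?:"Info"|"Informative"|"0"),\s'
    r'(?:"name"|"description"|"id"):\s(?:"Info"|"Informative"|"0")\}'
)

# Alternative pattern (an assumption, not from the post): keys the decision on
# severity id "0" only, tolerating any key order and any whitespace inside the object.
SEVERITY_ID_ZERO = re.compile(r'"severity":\s*\{[^}]*"id":\s*"0"')


def route_event(raw_event: str, regex: re.Pattern = INFORMATIVE_REGEX) -> str:
    """Mimic the transforms stanza: a REGEX hit routes to nullQueue, anything else to indexQueue."""
    return "nullQueue" if regex.search(raw_event) else "indexQueue"


def make_event(sev_id: str, sev_name: str, plugin: str, compact: bool = False) -> str:
    """Build a constructed sample event with the severity object the regex expects."""
    body = {"pluginName": plugin, "severity": {"id": sev_id, "name": sev_name, "description": sev_name}}
    # Default json.dumps spacing is ": " and ", "; compact=True drops every space.
    return json.dumps(body, separators=((",", ":") if compact else (", ", ": ")))


# Constructed samples: an informational event, a higher-severity finding, and the
# same informational event serialized without whitespace.
SAMPLE_EVENTS = {
    "info": make_event("0", "Info", "Nessus Scan Information"),
    "high": make_event("3", "High", "Constructed high-severity finding"),
    "info_compact": make_event("0", "Info", "Nessus Scan Information", compact=True),
}


def route_all(events=SAMPLE_EVENTS, regex=INFORMATIVE_REGEX) -> dict:
    """Return {event name: queue} for every sample under the given regex."""
    return {name: route_event(ev, regex) for name, ev in events.items()}


if __name__ == "__main__":
    for label, rx in (("verbatim regex", INFORMATIVE_REGEX), ("id-0 regex", SEVERITY_ID_ZERO)):
        print(label, route_all(regex=rx))
```

With the verbatim regex the compact event is indexed rather than dropped; the id-0 pattern catches it while still indexing the High finding.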
I don't know why, but, after I replaced
TRANSFORMS-null= tenable_remove_severity_informative
with
TRANSFORMS = tenable_remove_severity_informative
It started working. Not sure why I had to omit the namespace.