Getting Data In

Configuring tenable Nessus with Splunk Enterprise

Mystica856
Explorer

Greetings Community,

I am trying to integrate the Splunk Add-on for Tenable to collect scan details from Nessus. Unfortunately, no data has been collected. Here is what I have confirmed:
1- I installed the add-on on my heavy forwarder and configured the correct index=nessus.
2- I also installed the add-on on the search head cluster as the guide suggested after deleting both "eventgen.conf" & "inputs.conf". (Splunk Add-on for Tenable, Splunk Docs)
3- Moreover, I ensured to get the correct keys from Nessus tenable when configuring the add-on on Splunk.
(How_To_Guide_Tenable.io_Splunk_v2.pdf)
4- The indexers have the correct index.
5- Firewall ports have been allowed.

By running a tcpdump on my heavy forwarder, I couldn't see any packets sent/received between it and the Nessus server. However, I managed to find two repetitive errors in the Nessus log file, as follows:

Error#1:

2017-08-26 19:38:42,209 +0000 log_level=ERROR, pid=6866, tid=MainThread, file=ta_mod_input.py, func_name=main, code_line_no=186 | Tenable task encounter exception
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_mod_input.py", line 183, in main
    config_cls=configer_cls)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_mod_input.py", line 100, in run
    tconfig = tc.create_ta_config(settings, config_cls or tc.TaConfig)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_config.py", line 181, in create_ta_config
    return config_cls(meta_config, settings)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_config.py", line 21, in __init__
    meta_config[c.session_key])
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktalib/splunk_cluster.py", line 26, in __init__
    raise Exception("Failed to init ServerInfo")
Exception: Failed to init ServerInfo

Error#2:

2017-08-26 19:38:42,209 +0000 log_level=ERROR, pid=6866, tid=MainThread, file=rest.py, func_name=splunkd_request, code_line_no=42 | Failed to send rest request=https://127.0.0.1:8089/services/server/info, errcode=unknown, reason=Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktalib/rest.py", line 40, in splunkd_request
    headers=headers, body=data)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/httplib2/__init__.py", line 1609, in request
    (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/httplib2/__init__.py", line 1351, in _request
    (response, content) = self._conn_request(conn, request_uri, method, body, headers)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/httplib2/__init__.py", line 1272, in _conn_request
    conn.connect()
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/httplib2/__init__.py", line 1075, in connect
    raise socket.error, msg
error: [Errno 111] Connection refused
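The second error above is the add-on failing to reach splunkd's own management API at https://127.0.0.1:8089 on the heavy forwarder (Errno 111, connection refused), not the Nessus server, which matches the empty tcpdump. The following triage script is an added example, not part of the thread or the add-on; it parses the rest.py failure lines from the Splunk_TA_nessus log (a constructed sample built from the lines quoted above), extracts the REST target, classifies the errno, and probes whether that port is actually reachable from the host where the add-on runs.

```python
import re
import socket

# Constructed sample in the Splunk_TA_nessus log format quoted in the thread above.
SAMPLE_LOG = """\
2017-08-26 19:38:42,209 +0000 log_level=ERROR, pid=6866, tid=MainThread, file=ta_mod_input.py, func_name=main, code_line_no=186 | Tenable task encounter exception
2017-08-26 19:38:42,209 +0000 log_level=ERROR, pid=6866, tid=MainThread, file=rest.py, func_name=splunkd_request, code_line_no=42 | Failed to send rest request=https://127.0.0.1:8089/services/server/info, errcode=unknown, reason=Traceback (most recent call last):
error: [Errno 111] Connection refused
"""

REST_FAIL = re.compile(r"Failed to send rest request=(?P<url>\S+?),")
ERRNO = re.compile(r"\[Errno (?P<errno>\d+)\]")
TARGET = re.compile(r"^https?://(?P<host>[^/:]+):(?P<port>\d+)")

# errno -> short diagnosis code; anything else is reported as "unknown"
DIAGNOSIS = {
    111: "local_splunkd_unreachable",   # nothing listening on the management host:port
    110: "local_splunkd_timeout",       # host reachable but no answer (filtering/slow splunkd)
    113: "local_splunkd_no_route",      # management address not routable from this host
}


def parse_rest_failures(log_text):
    """Return one dict per failed splunkd REST call, with the target host/port and the
    errno that followed it in the log (None if no [Errno N] line followed)."""
    failures, current = [], None
    for line in log_text.splitlines():
        m = REST_FAIL.search(line)
        if m:
            t = TARGET.match(m.group("url"))
            current = {"url": m.group("url"), "host": t.group("host"),
                       "port": int(t.group("port")), "errno": None}
            failures.append(current)
            continue
        e = ERRNO.search(line)
        if e and current is not None and current["errno"] is None:
            current["errno"] = int(e.group("errno"))
    return failures


def diagnose(failure):
    """Map a parsed failure to a diagnosis code; the REST target is splunkd, so every
    code points at the forwarder's own management port rather than at Nessus."""
    return DIAGNOSIS.get(failure["errno"], "unknown")


def port_open(host, port, timeout=2.0):
    """True if a plain TCP connect to host:port succeeds, i.e. what the add-on's REST
    call needs before TLS or authentication even come into play."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for f in parse_rest_failures(SAMPLE_LOG):
        print(f["url"], "->", diagnose(f), "| listening now:", port_open(f["host"], f["port"]))
```

Run it on the heavy forwarder with the real log in place of SAMPLE_LOG; a "local_splunkd_unreachable" result together with "listening now: False" means splunkd is not listening on the management address the add-on is told to use, so the Nessus API keys are not the first thing to check.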

wanderson7
Explorer

Hi, I realize this is an older question, and I am not sure if this directly answers your question, but perhaps it could be of some help.

I recently developed a free open-source application called TenaPull, which processes Nessus data for ingestion by Splunk.  There is more information here:

https://community.splunk.com/t5/Getting-Data-In/I-developed-an-application-to-process-Nessus-data-fo...

GitHub repo:
https://github.com/billyJoePiano/TenaPull


Grumpalot
Communicator

@Mystica856 the few times I did run into the above issue was due to a bad API or Secret Key. Hopefully when you generated your key you copied it down from Nessus. If you do have to pull new keys, make sure that you copy them down in a safe place and try adding them back to both Host and Plugin on the HF configuration page.


Mystica856
Explorer

Hi Grumpalot, thanks for taking the time to answer the question. I double checked the API but no luck. I am not sure what the exact issue is. Still looking around.


hward6
Engager
  1. Download Splunk Add-on for Tenable https://splunkbase.splunk.com/app/1710
  2. In Splunk, Manage apps (gear)>Install app from file>browse>Splunk-add-on-for-nessus
  3. After installing, launch the app under the Actions column. Configure the Security Center server. After the prompts, adding the scanner will finalize the "input" configs.
  4. In Splunk, navigate to Searching & Reporting> Data Summary> sources tab

The Splunk Add-on for Tenable allows a Splunk software admin to collect Tenable vulnerability scan data from Nessus and SecurityCenter via the REST API.

More information, depending on what type of data you are trying to forward, can be found in this document. I hope this is helpful.

https://jp.tenable.com/sites/drupal.dmz.tenablesecurity.com/files/integrations/How_To_Guide_Splunk.p...
