Greetings Community,
I am trying to integrate the Splunk Add-on tenable to collect scan details from Nessus. Unfotunately, no data has been collected. Here is what I confirmed to do:
1- I installed the add-on on my heavy forwarder and configured the correct index=nessus.
2- I also installed the add-on on the search head cluster as the guide suggested after deleting both "eventgen.conf" & "inputs.conf". (Splunk Add-on for Tenable, Splunk Docs)
3- Moreover, I ensured to get the correct keys from Nessus tenable when configuring the add-on on Splunk.
(How_To_Guide_Tenable.io_Splunk_v2.pdf)
4- The indexers have the correct index.
5- Firewall ports have been allowed.
By running a tcpdump on my Heavyforwarder, I couldn't see any packages sent/received between it and the Nessus server. However, I manged to find two repetitive errors in the Nessuslog file as follow:
Error#1:
2017-08-26 19:38:42,209 +0000 log_level=ERROR, pid=6866, tid=MainThread, file=ta_mod_input.py, func_name=main, code_line_no=186 | Tenable task encounter exception
Traceback (most recent call last):
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_mod_input.py", line 183, in main
config_cls=configer_cls)
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_mod_input.py", line 100, in run
tconfig = tc.create_ta_config(settings, config_cls or tc.TaConfig)
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_config.py", line 181, in create_ta_config
return config_cls(meta_config, settings)
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_config.py", line 21, in __init__
meta_config[c.session_key])
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktalib/splunk_cluster.py", line 26, in __init__
raise Exception("Failed to init ServerInfo")
Exception: Failed to init ServerInfo
Error#2:
2017-08-26 19:38:42,209 +0000 log_level=ERROR, pid=6866, tid=MainThread, file=rest.py, func_name=splunkd_request, code_line_no=42 | Failed to send rest request=https://127.0.0.1:8089/services/server/info, errcode=unknown, reason=Traceback (most recent call last):
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktalib/rest.py", line 40, in splunkd_request
headers=headers, body=data)
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/httplib2/__init__.py", line 1609, in request
(response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/httplib2/__init__.py", line 1351, in _request
(response, content) = self._conn_request(conn, request_uri, method, body, headers)
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/httplib2/__init__.py", line 1272, in _conn_request
conn.connect()
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/httplib2/__init__.py", line 1075, in connect
raise socket.error, msg
error: [Errno 111] Connection refused
Hi, I realize this is an older question, and I am not sure if this directly answers your question, but perhaps it could be of some help.
I recently developed a free open-source application called TenaPull, which processes Nessus data for ingestion by Splunk. There is more information here:
https://community.splunk.com/t5/Getting-Data-In/I-developed-an-application-to-process-Nessus-data-fo...
GitHub repo:
https://github.com/billyJoePiano/TenaPull
@Mystica856 the few times I did run into the above issue was due to a bad API or Secret Key. Hopefuly when you generated your key you copied it down from Nessus. If you do have to pull new keys make sure that you copy them down in a safe place and try adding them back to both Host and Plugin on the HF configuration page.
Hi Grmpalot, thanks for taking the time to answer the question. I double checked the API but no luck. I am not sure what the exact issue is. Still looking around.
Tenable Nessus allows a splunk software admin to collect tenable vuln scan data from nessus and SecurityCenter via the REST API.
For more information, depending on why type of data you are trying to forward can be found in this document. I hope this is helpful.