
How to configure the Splunk Add-on for Nessus?

junior87
Engager

Hi, I have a configuration problem with Splunk_TA_nessus and Splunk; running it in debug gives me the following:

Checking filesystem compatibility...  Done
    Checking conf files for problems...
        Invalid key in stanza [default] in /root/splunk/etc/apps/Splunk_TA_nessus/local/inputs.conf, line 1:    srcdir  (value:  /root/splunk/etc/apps/Splunk_TA_nessus/spool/)
        Invalid key in stanza [default] in /root/splunk/etc/apps/Splunk_TA_nessus/local/inputs.conf, line 2:    tgtdir  (value:  $SPLUNK_HOME/var/spool/splunk)
        Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
    Done

MuS
Legend

Hi junior87,

looking at the inputs.conf of this app it says:

## EXAMPLE Nessus scripted input using user-defined directories, full paths
#
# Purpose:
#
#   Converts .nessus format files (v1 or v2) to a Splunk-indexable format,
#   using the following directories as source and target:
#
#    srcdir = /opt/nessus/incoming
#    tgtdir = /opt/nessus/parsed
# 
# WARNING: This is only an example.
#
#   To utilize this input as shown, a Splunk "monitor" stanza would also need
#   to be configured to index parsed output files from the custom directory 
#   The configuration of the "monitor" stanza would need to be similar to
#   the configuration used for the default Splunk spool directory.
#   For instance:
#
#       [batch://<path_to_custom_spool_directory>]
#       move_policy = sinkhole
#       crcSalt = <SOURCE>

This means: use neither srcdir nor tgtdir, but set up a Splunk input monitor like in the [batch://...] example, or use the scripted input like this:

[script://./bin/nessus2splunk.py -s /opt/nessus/incoming -t /opt/nessus/parsed]
disabled = false
interval = 120
index = _internal
source = nessus2splunk
sourcetype = nessus2splunk

where -s is the source path and -t is the target path for the script. The target path will be monitored in Splunk.

Hope this helps to get you started ...

cheers, MuS
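The mistake in the question (srcdir/tgtdir written as stanza keys instead of as -s/-t arguments on the script:// command line) is easy to catch before Splunk's btool does. The checker below is an added example for this thread, not code from the Splunk_TA_nessus add-on or from either poster. It parses inputs.conf text with a minimal stanza parser, flags the two misplaced keys, and confirms that any script:// stanza carries both -s and -t; the two inline configs are constructed from the question and the answer above.

```python
"""Check a Splunk inputs.conf for the srcdir/tgtdir mistake discussed in the thread.

Added example; the parser is a deliberately small stand-in for Splunk's own .conf
handling and only covers the stanza/key=value layout needed here.
"""
import shlex

# srcdir and tgtdir are not inputs.conf settings. For Splunk_TA_nessus they are
# command-line arguments of nessus2splunk.py, so each maps to the flag that replaces it.
MISPLACED_KEYS = {"srcdir": "-s", "tgtdir": "-t"}

# Constructed sample: the local/inputs.conf from the question (keys with no stanza
# header land in [default], which is what btool complained about).
BROKEN_CONF = """\
srcdir = /root/splunk/etc/apps/Splunk_TA_nessus/spool/
tgtdir = $SPLUNK_HOME/var/spool/splunk
"""

# Constructed sample: the scripted-input stanza suggested in the answer.
FIXED_CONF = """\
[script://./bin/nessus2splunk.py -s /opt/nessus/incoming -t /opt/nessus/parsed]
disabled = false
interval = 120
index = _internal
source = nessus2splunk
sourcetype = nessus2splunk
"""


def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; keys before any header go to 'default'."""
    stanzas = {}
    current = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas


def find_misplaced(stanzas):
    """Return (stanza, key, value, replacement_flag) for every srcdir/tgtdir key found."""
    return [
        (stanza, key, value, MISPLACED_KEYS[key])
        for stanza, settings in stanzas.items()
        for key, value in settings.items()
        if key in MISPLACED_KEYS
    ]


def script_paths(stanzas):
    """For each [script://...] stanza, extract the -s and -t paths from its command line."""
    result = {}
    for name in stanzas:
        if not name.startswith("script://"):
            continue
        argv = shlex.split(name[len("script://"):])
        paths = {}
        for i, token in enumerate(argv):
            if token in ("-s", "-t") and i + 1 < len(argv):
                paths[token] = argv[i + 1]
        result[name] = paths
    return result


def check(text):
    """Return human-readable findings for one inputs.conf text (empty list means clean)."""
    stanzas = parse_conf(text)
    findings = []
    for stanza, key, value, flag in find_misplaced(stanzas):
        findings.append(
            f"Invalid key in stanza [{stanza}]: {key} (value: {value}); "
            f"pass it as '{flag} {value}' on the script:// command line instead"
        )
    for name, paths in script_paths(stanzas).items():
        missing = [flag for flag in ("-s", "-t") if flag not in paths]
        if missing:
            findings.append(f"[{name}] is missing {', '.join(missing)}")
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(f"== {label} ==")
        for finding in check(text) or ["no problems found"]:
            print("  " + finding)
```

Running the script prints two findings for the broken config and "no problems found" for the fixed one; point `check()` at the text of your own local/inputs.conf to get the same report before restarting Splunk.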

junior87
Engager

thank you

I fixed the error, but Splunk_TA_nessus does not let me view data.


MuS
Legend

The Add-on will not provide any view; it 'only' provides the inputs and CIM-compatible knowledge to use Nessus data with other Splunk apps, such as Splunk App for Enterprise Security and Splunk App for PCI Compliance.

jcoates_splunk
Splunk Employee

FYI, there are now pre-built panels in the Add-on, so you can add a dashboard and select from those to get some reports.
