Splunk Add-on for Tenable: No Data

edwinmae
Path Finder

Hi,

I installed the Tenable Add-on for Tenable, but I don't see any data or events.

When checking the nessus index, it's 0 -- so there is no traffic/data

I use Splunk v7.0 and have Security Center 5.6.0

The only 2 lines in the ta_nessus.log
2017-12-07 10:21:37,796 INFO pid=61967 tid=MainThread file=nessus_config.py:get_nessus_conf:71 | Try to get encrypted proxy username & password
2017-12-07 10:21:37,796 INFO pid=61967 tid=MainThread file=nessus.py:get_nessus_modinput_configs:142 | Set loglevel to WARN

--

inputs.conf (/opt/splunk/etc/apps/Splunk_TA_nessus/local)

[nessus://xxxxx]
access_key = ********
batch_size = 100000
index = nessus
interval = 43200
metric = nessus_scan
secret_key = ********
start_date = 2017/11/01
url = https://xxxxx:8834

--

Please advise

/Edwin

0 Karma

kamlesh_vaghela
SplunkTrust

Hi @edwinmae,

Has your issue been resolved? If it is resolved, can you please share your workaround?

Thanks

0 Karma

edwinmae
Path Finder

Actually, the hostname could not be resolved. With the IP address it seems to work

0 Karma

kamlesh_vaghela
SplunkTrust

Is that the complete log you provided from ta_nessus.log?

0 Karma

Yunagi
Communicator

Hello Edwin,

Here are a few thoughts:

1) Check that your Splunk instance is able to connect to your Security Center on port 8834. You can check via:

curl -k https://xxxxx:8834

2) When adding a Security Center Server in Splunk, you must specify a username and a password. Make sure that this user has sufficient permissions to access the scans in Security Center.

3) When running your Splunk search (index=nessus) set the time range to the last 30 days or even longer. The default search time range is 24 hours but the scan results might be older than that.

0 Karma
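
An added example, not part of the thread or of the add-on: a shell pre-flight check that reads the url of every [nessus://...] stanza in inputs.conf and tests name resolution separately from reachability, since the hostname failure reported above and a blocked port 8834 look the same from Splunk (an empty index). The function names are hypothetical, and it assumes getent and curl exist on the Splunk host and that the URL host is a name or IPv4 address.

```shell
#!/bin/sh
# Added example (hypothetical helper names), run on the Splunk host, e.g.:
#   sh check_nessus_inputs.sh /opt/splunk/etc/apps/Splunk_TA_nessus/local/inputs.conf

# Print the url value of every [nessus://...] stanza; other stanzas are ignored.
nessus_urls() {
    awk '
        /^\[/ { in_nessus = ($0 ~ /^\[nessus:\/\//) }
        in_nessus && /^[ \t]*url[ \t]*=/ {
            sub(/^[ \t]*url[ \t]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print
        }
    ' "$1"
}

# Host part of a URL: scheme, path and port stripped (IPv6 literals not handled).
url_host() {
    printf '%s\n' "$1" |
        sed -e 's#^[a-zA-Z][a-zA-Z0-9+.-]*://##' -e 's#[/?].*$##' -e 's#:[0-9]*$##'
}

# Port part of a URL; falls back to 443 when the URL carries no explicit port.
url_port() {
    p=$(printf '%s\n' "$1" |
        sed -n -e 's#^[a-zA-Z][a-zA-Z0-9+.-]*://##' -e 's#[/?].*$##' \
               -e 's#^.*:\([0-9][0-9]*\)$#\1#p')
    echo "${p:-443}"
}

# Return 1 when the name does not resolve, 2 when it resolves but the
# service does not answer, 0 when both checks pass.
check_input() {
    host=$(url_host "$1"); port=$(url_port "$1")
    if ! getent hosts "$host" >/dev/null 2>&1; then
        echo "FAIL dns      $host does not resolve from this host"; return 1
    fi
    # -k as in the thread's curl check: skips certificate validation.
    if ! curl -sk --max-time 10 -o /dev/null "$1"; then
        echo "FAIL connect  $host resolves, but port $port does not answer"; return 2
    fi
    echo "OK            $1"
}

# Only runs when a conf file is given on the command line.
if [ -n "${1:-}" ]; then
    nessus_urls "$1" | while IFS= read -r u; do check_input "$u" || true; done
fi
```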