topic Re: Splunk Add-on for Nessus: Why is "nessus:plugin" not working? in All Apps and Add-ons

Splunk Add-on for Nessus: Why is "nessus:plugin" not working?

rajbir1 — Wed, 28 Oct 2015 21:38:49 GMT

I have Splunk Add-on for Nessus running in a distributed environment. I successfully configured "nessus:scan" and the data is coming in, but I am having issues with "nessus:plugin". I have created a similar input for "nesssus:plugin", but when I enable the inputs, I am seeing the following errors in internal logs:

10-28-2015 17:31:57.196 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py"     for plugin in plugins:
10-28-2015 17:31:57.196 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py"   File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus_data_collector.py", line 331, in _collect_plugin_id
10-28-2015 17:31:57.196 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py"     plugin_id_set = self._collect_plugin_id(plugin_families)
10-28-2015 17:31:57.196 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py"   File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus_data_collector.py", line 443, in collect_plugin_data
10-28-2015 17:31:57.196 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py"     collector.collect_plugin_data()

Here is my inputs on the heavy forwarder:

[nessus://Nessus-plugins]
access_key = ********
batch_size = 100000
interval = 300
metric = nessus_plugin
secret_key = ********
start_date = 2015/01/01
url = https://x.x.x.x:8834
index = nessus
disabled = 0

Re: Splunk Add-on for Nessus: Why is "nessus:plugin" not working?

muebel — Thu, 29 Oct 2015 01:40:31 GMT

Hi rajbir1, Looks like it could be a problem with your python config on the system. I'd check the documentation for the Nessus add-on and ensure that everything is sorted out in that way. Let me know if this helps!

Re: Splunk Add-on for Nessus: Why is "nessus:plugin" not working?

rajbir1 — Fri, 30 Oct 2015 13:06:00 GMT

Thanks Matt, I haven't modified anything in the python scripts though, using everything out of the box

Re: Splunk Add-on for Nessus: Why is "nessus:plugin" not working?

rajbir1 — Mon, 02 Nov 2015 16:11:56 GMT

Any other thoughts on this issue Matt?

Re: Splunk Add-on for Nessus: Why is "nessus:plugin" not working?

rajbir1 — Tue, 29 Sep 2020 07:46:00 GMT

I changed the logging level to Info on TA nessus and noticed that nessus_plugin inputs is not creating a checkpoint file under "/opt/splunk/var/lib/splunk/modinputs/nessus". It’s able to connect to the host as we are seeing response code of 200.

2015-11-04 16:55:36,580 INFO pid=11310 tid=MainThread file=nessus_rest_client.py:request:80 | Response status: 200
2015-11-04 16:55:36,515 INFO pid=11310 tid=MainThread file=nessus_rest_client.py:request:77 | Send request: https://x.x.x.x:8834/plugins/families
2015-11-04 16:55:36,515 INFO pid=11310 tid=MainThread file=nessus_rest_client.py:request:69 | start https://x.x.x.x:8834/plugins/families
2015-11-04 16:55:36,515 INFO pid=11310 tid=MainThread file=nessus_checkpoint.py:read:65 | Checkpoint file format is incorrect. Checkpoint file doesn't exist
2015-11-04 16:55:36,514 INFO pid=11310 tid=MainThread file=nessus_checkpoint.py:read:53 | Read Checkpoint from file /opt/splunk/var/lib/splunk/modinputs/nessus/nessus_plugin_Nessus-plugins_https_x_x_x_x_8834.ckpt

I tried creating “Nessus-plugins_https_x_x_x_x_8834.ckpt” file with the following content, but still didn’t fix the issue.

{
    "https://x.x.x.x:8834": {
        "start_date": "1999/10/01"
    }
}

I even blew away everything and tried fresh by reinstalling the TA nessus, but nessus plugin checkpoint file wasn’t created again.

Re: Splunk Add-on for Nessus: Why is "nessus:plugin" not working?

rpille_splunk — Thu, 05 Nov 2015 03:29:15 GMT

Hi Rajbir, can you confirm that you have enabled the saved searches? Also, can you tell us what version of Splunk Enterprise you are running on?

Re: Splunk Add-on for Nessus: Why is "nessus:plugin" not working?

rajbir1 — Thu, 05 Nov 2015 18:49:10 GMT

Thanks! I have Splunk TA nessus running on heavy forwarder so I assume we don't need to have those saved searches enabled on heavy forwarder, right?. I do have those enabled on the search heads. We are running splunk enterprise 6.3

Re: Splunk Add-on for Nessus: Why is "nessus:plugin" not working?

jcoates_splunk — Sat, 07 Nov 2015 22:58:46 GMT

please file a support ticket so we can see a diag.

Re: Splunk Add-on for Nessus: Why is "nessus:plugin" not working?

tp92222 — Fri, 12 Feb 2016 09:39:34 GMT

I am facing same problem.i am also able to see nessus:scan results but not nessus:plugins reports can anyone tell me step by step procedure

i checked log there are no errors
saved searches are also enabled

Re: Splunk Add-on for Nessus: Why is "nessus:plugin" not working?

rajbir1 — Fri, 12 Feb 2016 14:46:16 GMT

what are using as your "start date" for the nessus:plugins inputs?

Re: Splunk Add-on for Nessus: Why is "nessus:plugin" not working?

dferentinos — Thu, 26 May 2016 07:58:11 GMT

any solution for this?

10 searches enabled, date 1999/01/01, Splunk 6.3.3, no modification on scripts.
With index=nessus (we do not use the main index) we see sourcetype nessus:scan but NO nessus:plugin.

Can it be the workflows? What will happen if Splunk can not connect to the urls in the nessus workflows?

Re: Splunk Add-on for Nessus: Why is "nessus:plugin" not working?

tp92222 — Thu, 26 May 2016 12:32:09 GMT

Yah thanks i was using wrong date