<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Splunk Add-on for Tenable: Using add-on without a heavy forwarder in All Apps and Add-ons</title>
    <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Tenable-Using-add-on-without-a-heavy-forwarder/m-p/357320#M43268</link>
    <description>&lt;P&gt;Our environment contains: &lt;BR /&gt;
Nessus Pro Vulnerability Scanner 6.5.6 (less than 1000 systems scanned)&lt;BR /&gt;
Splunk Enterprise 6.5.3 &lt;BR /&gt;
      Search Heads&lt;BR /&gt;
      Enterprise Security&lt;BR /&gt;
      Indexes&lt;BR /&gt;
      Deployment Server&lt;BR /&gt;
      Universal Forwarders&lt;/P&gt;

&lt;P&gt;I believe Nessus 6.5.6 still contains the REST API functionality. If I can get away with a Universal Forwarder, I would prefer that for now. Thanks for the help!&lt;/P&gt;</description>
    <pubDate>Wed, 27 Dec 2017 15:02:21 GMT</pubDate>
    <dc:creator>rsanders30</dc:creator>
    <dc:date>2017-12-27T15:02:21Z</dc:date>
    <item>
      <title>Splunk Add-on for Tenable: Using add-on without a heavy forwarder</title>
      <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Tenable-Using-add-on-without-a-heavy-forwarder/m-p/357317#M43265</link>
      <description>&lt;P&gt;So I've been going through the documentation for the Nessus Add-on. It states that you will need to install the add-on on a Heavy Forwarder; however, our environment does not contain one. Our Nessus Pro Vulnerability Scanner sits on a Windows Server. I did see that within the add-on there is an inputs.conf.windows, but it doesn't seem to be any different than the inputs.conf. What is the best way to approach this?&lt;/P&gt;</description>
      <pubDate>Tue, 26 Dec 2017 21:14:29 GMT</pubDate>
      <guid>https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Tenable-Using-add-on-without-a-heavy-forwarder/m-p/357317#M43265</guid>
      <dc:creator>rsanders30</dc:creator>
      <dc:date>2017-12-26T21:14:29Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk Add-on for Tenable: Using add-on without a heavy forwarder</title>
      <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Tenable-Using-add-on-without-a-heavy-forwarder/m-p/357318#M43266</link>
      <description>&lt;P&gt;Hi @rsanders30,&lt;/P&gt;

&lt;P&gt;Yes, there is a minor difference between inputs.conf and inputs.conf.windows. But this difference is only useful to you if you are using Nessus 5.X. For "Splunk Add-on for Tenable" installation, can you please share basic details of your Splunk &amp;amp; Nessus instance?&lt;/P&gt;</description>
      <pubDate>Wed, 27 Dec 2017 10:17:09 GMT</pubDate>
      <guid>https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Tenable-Using-add-on-without-a-heavy-forwarder/m-p/357318#M43266</guid>
      <dc:creator>kamlesh_vaghela</dc:creator>
      <dc:date>2017-12-27T10:17:09Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk Add-on for Tenable: Using add-on without a heavy forwarder</title>
      <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Tenable-Using-add-on-without-a-heavy-forwarder/m-p/357319#M43267</link>
      <description>&lt;P&gt;Just to save you some time (and possibly pain) - what version of Nessus Pro are you using?&lt;/P&gt;

&lt;P&gt;The good people at Tenable have recently changed Nessus Pro and disabled the REST APIs which the TA makes use of to extract scan results.&lt;/P&gt;

&lt;P&gt;If you are running an older version, stay there; if you are running 7x, there is currently no programmatic way to extract scan data into a format Splunk can consume.&lt;/P&gt;

&lt;P&gt;(See: &lt;A href="https://answers.splunk.com/answers/598658/splunk-add-on-for-tenable-support-for-nessus-profe.html"&gt;https://answers.splunk.com/answers/598658/splunk-add-on-for-tenable-support-for-nessus-profe.html&lt;/A&gt;)&lt;/P&gt;

&lt;P&gt;The future looks a bit bleak for Splunk &amp;amp; Nessus Pro users. Tenable are trying to guide people to either Security Center or Tenable.IO which still supports the REST API. &lt;/P&gt;

&lt;P&gt;The Splunk Add-on for Tenable is designed to connect to Nessus SC, over the REST API - which is why it is suggested to use an HF for this (as it can be quite heavy if you have a lot of scan results). It is not picking up local files in this configuration.&lt;/P&gt;

&lt;P&gt;If you are running the older Nessus Pro then the scripts in the package can be used to extract results from your scanner - there is no reason why you can't run these on your Nessus box if you wish, but I think you will need a full heavy forwarder rather than a UF, because it relies on the Python interpreter.&lt;/P&gt;</description>
      <pubDate>Wed, 27 Dec 2017 10:40:18 GMT</pubDate>
      <guid>https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Tenable-Using-add-on-without-a-heavy-forwarder/m-p/357319#M43267</guid>
      <dc:creator>nickhills</dc:creator>
      <dc:date>2017-12-27T10:40:18Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk Add-on for Tenable: Using add-on without a heavy forwarder</title>
      <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Tenable-Using-add-on-without-a-heavy-forwarder/m-p/357320#M43268</link>
      <description>&lt;P&gt;Our environment contains: &lt;BR /&gt;
Nessus Pro Vulnerability Scanner 6.5.6 (less than 1000 systems scanned)&lt;BR /&gt;
Splunk Enterprise 6.5.3 &lt;BR /&gt;
      Search Heads&lt;BR /&gt;
      Enterprise Security&lt;BR /&gt;
      Indexes&lt;BR /&gt;
      Deployment Server&lt;BR /&gt;
      Universal Forwarders&lt;/P&gt;

&lt;P&gt;I believe Nessus 6.5.6 still contains the REST API functionality. If I can get away with a Universal Forwarder, I would prefer that for now. Thanks for the help!&lt;/P&gt;</description>
      <pubDate>Wed, 27 Dec 2017 15:02:21 GMT</pubDate>
      <guid>https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Tenable-Using-add-on-without-a-heavy-forwarder/m-p/357320#M43268</guid>
      <dc:creator>rsanders30</dc:creator>
      <dc:date>2017-12-27T15:02:21Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk Add-on for Tenable: Using add-on without a heavy forwarder</title>
      <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Tenable-Using-add-on-without-a-heavy-forwarder/m-p/357321#M43269</link>
      <description>&lt;P&gt;You can't use a UF because the TA leverages the REST API using the Python Framework - This is not part of the Splunk UF, so you will have to install a heavy forwarder (on your Nessus server would be fine).&lt;/P&gt;

&lt;P&gt;You can then configure the inputs via the webUI on the HF, or via configuration files as you choose.&lt;/P&gt;</description>
      <pubDate>Wed, 27 Dec 2017 15:09:14 GMT</pubDate>
      <guid>https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Tenable-Using-add-on-without-a-heavy-forwarder/m-p/357321#M43269</guid>
      <dc:creator>nickhills</dc:creator>
      <dc:date>2017-12-27T15:09:14Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk Add-on for Tenable: Using add-on without a heavy forwarder</title>
      <link>https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Tenable-Using-add-on-without-a-heavy-forwarder/m-p/357322#M43270</link>
      <description>&lt;P&gt;Thank you. I will have to look at setting up a HF. Just seems inconvenient to do this for this one thing. However, I am hoping the outcome will be worth it. Appreciate your help!&lt;/P&gt;</description>
      <pubDate>Wed, 27 Dec 2017 15:58:52 GMT</pubDate>
      <guid>https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Tenable-Using-add-on-without-a-heavy-forwarder/m-p/357322#M43270</guid>
      <dc:creator>rsanders30</dc:creator>
      <dc:date>2017-12-27T15:58:52Z</dc:date>
    </item>
  </channel>
</rss>

