Failed to setup config for nessus TA

sylim_splunk
Splunk Employee

I have installed the Nessus plugin and I have set up the API keys in Nessus.
I have followed all the documentation to set it up, but when I check for Nessus scan data it isn't there.
Troubleshooting the issue, I ran the following search:

"index=_internal sourcetype=ta:nessus:log"

Error Log

2015-11-12 09:52:38,499 ERROR pid=2208 tid=MainThread file=nessus_config.py:check_conf_mgr_result:26 | Failed to get stanza Nessus Admin Scans by data_input manager.
2015-11-12 09:52:38,499 ERROR pid=2208 tid=MainThread file=nessus.py:get_nessus_modinput_configs:156 | Failed to setup config for nessus TA: Failed to get stanza Nessus Admin Scans by data_input manager.
2015-11-12 09:52:38,499 ERROR pid=2208 tid=MainThread file=nessus.py:get_nessus_modinput_configs:157 | Traceback (most recent call last):
File "D:\Splunk\etc\apps\Splunk_TA_nessus\bin\nessus.py", line 147, in get_nessus_modinput_configs
input_conf = config.get_data_input(input_name)
File "D:\Splunk\etc\apps\Splunk_TA_nessus\bin\nessus_config.py", line 177, in get_data_input
input_stanza = self._get_raw_stanza(name, stanza_type="data_input")

sylim_splunk
Splunk Employee

I have been able to resolve this myself.

In the splunkd error log I saw this:

11-20-2015 10:29:33.389 +1100 ERROR ExecProcessor - message from "python D:\Splunk\etc\apps\Splunk_TA_nessus\bin\nessus.py" IOError: [Errno 13] Permission denied: u'D:\Splunk\var\lib\splunk\modinputs\nessus\nessus_scan_Nessus_Import.ckpt.new'

host = xxx-01
source = D:\Splunk\var\log\splunk\splunkd.log
sourcetype = splunkd

So I went to that location on our Windows 2012 Server, and the Splunk service had full rights only on the folder itself and not on the files under it, so our Splunk service had no rights to read that file.
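A way to audit the condition described in the post above, as an added example that is not part of the original thread or of the Splunk add-on: it lists files under the checkpoint folder where the service account has no explicit Modify grant, and optionally re-grants with inheritance. The account name `DOMAIN\svc_splunk` and the `-Repair` switch are assumptions; the path is the one from the error message.

```powershell
# Added example, not from the original post. Assumed values: the service
# account name (placeholder) and the -Repair switch. The path is the one
# shown in the splunkd.log error.
param(
    [string]$CheckpointDir  = 'D:\Splunk\var\lib\splunk\modinputs\nessus',
    [string]$ServiceAccount = 'DOMAIN\svc_splunk',   # placeholder: the account splunkd runs as
    [switch]$Repair
)

# Rights the modular input needs to read and rewrite its *.ckpt files.
$needed = [System.Security.AccessControl.FileSystemRights]::Modify

function Test-AccountRights {
    param([string]$Path, [string]$Account, $Rights)
    # Checks only Allow ACEs that name the account directly; rights that
    # come through group membership are not resolved here.
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.IdentityReference.Value -ieq $Account -and
            $ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $Rights) -eq $Rights)) {
            return $true
        }
    }
    return $false
}

# Show the folder's ACEs for the account. InheritanceFlags = None means the
# grant applies to the folder only and is not passed down to its files.
(Get-Acl -LiteralPath $CheckpointDir).Access |
    Where-Object { $_.IdentityReference.Value -ieq $ServiceAccount } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited -AutoSize |
    Out-String | Write-Host

# Files the account cannot modify, e.g. nessus_scan_*.ckpt.new
$blocked = @(Get-ChildItem -LiteralPath $CheckpointDir -File -Recurse |
    Where-Object { -not (Test-AccountRights $_.FullName $ServiceAccount $needed) })

foreach ($f in $blocked) {
    Write-Output "No Modify right for ${ServiceAccount}: $($f.FullName)"
}

if ($Repair -and $blocked.Count -gt 0) {
    # (OI)(CI) makes the grant inherit to files and subfolders;
    # /T also applies it to the children that already exist.
    icacls $CheckpointDir /grant "${ServiceAccount}:(OI)(CI)M" /T
}
```

Run it without `-Repair` first to see which checkpoint files are affected, then restart the input after any ACL change.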

sylim_splunk
Splunk Employee

I have recreated the Nessus Scan name without a space and I think I got further. I now get these errors.
Does the Splunk App have an issue if the Nessus SSL is a self-signed one? It creates a warning when you go there.

2015-11-13 11:20:21,976 ERROR pid=3648 tid=MainThread file=nessus_rest_client.py:request:91 | Failed to connect https://192.168.14.222:8834/scans/51, reason=Traceback (most recent call last):
File "D:\Splunk\etc\apps\Splunk_TA_nessus\bin\nessus_rest_client.py", line 79, in request headers=headers)
File "D:\Splunk\etc\apps\Splunk_TA_nessus\bin\splunktalib\httplib2_init.py", line 1593, in request (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
2015-11-13 11:19:51,974 ERROR pid=3648 tid=MainThread file=nessus_rest_client.py:request:91 | Failed to connect https://192.168.14.222:8834/scans/51, reason=Traceback (most recent call last):
File "D:\Splunk\etc\apps\Splunk_TA_nessus\bin\nessus_rest_client.py", line 79, in request headers=headers)
File "D:\Splunk\etc\apps\Splunk_TA_nessus\bin\splunktalib\httplib2__init.py", line 1593, in request (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
File "D:\Splunk\etc\apps\Splunk_TA_nessus\bin\splunktalib\httplib2__init.py", line 1335, in _request (response, content) = self._conn_request(conn, request_uri, method, body, headers)
File "D:\Splunk\etc\apps\Splunk_TA_nessus\bin\splunktalib\httplib2__init_.py", line 1291, in _conn_request response = conn.getresponse()
File "D:\Splunk\Python-2.7\Lib\httplib.py", line 1067, in getresponse response.begin()
File "D:\Splunk\Python-2.7\Lib\httplib.py", line 409, in begin version, status, reason = self._read_status()
File "D:\Splunk\Python-2.7\Lib\httplib.py", line 365, in _read_status line = self.fp.readline(_MAXLINE + 1)
File "D:\Splunk\Python-2.7\Lib\socket.py", line 476, in readline data = self._sock.recv(self._rbufsize)
File "D:\Splunk\Python-2.7\Lib\ssl.py", line 250, in recv return self.read(buflen)
File "D:\Splunk\Python-2.7\Lib\ssl.py", line 169, in read return self._sslobj.read(len)
SSLError: The read operation timed out

0 Karma