I have installed the Nessus plugin and I have set up the API Keys in Nessus.
I have followed all the documentation to set it up, but when I check for Nessus Scan data it isn't there.
Troubleshooting the issue, I ran the following search:
index=_internal sourcetype=ta:nessus:log
Error Log
2015-11-12 09:52:38,499 ERROR pid=2208 tid=MainThread file=nessus_config.py:check_conf_mgr_result:26 | Failed to get stanza Nessus Admin Scans by data_input manager.
2015-11-12 09:52:38,499 ERROR pid=2208 tid=MainThread file=nessus.py:get_nessus_modinput_configs:156 | Failed to setup config for nessus TA: Failed to get stanza Nessus Admin Scans by data_input manager.
2015-11-12 09:52:38,499 ERROR pid=2208 tid=MainThread file=nessus.py:get_nessus_modinput_configs:157 | Traceback (most recent call last):
  File "D:\Splunk\etc\apps\Splunk_TA_nessus\bin\nessus.py", line 147, in get_nessus_modinput_configs
    input_conf = config.get_data_input(input_name)
  File "D:\Splunk\etc\apps\Splunk_TA_nessus\bin\nessus_config.py", line 177, in get_data_input
    input_stanza = self._get_raw_stanza(name, stanza_type="data_input")
I have been able to resolve this myself.
Under the splunkd error log I saw this.
11-20-2015 10:29:33.389 +1100 ERROR ExecProcessor - message from "python D:\Splunk\etc\apps\Splunk_TA_nessus\bin\nessus.py" IOError: [Errno 13] Permission denied: u'D:\Splunk\var\lib\splunk\modinputs\nessus\nessus_scan_Nessus_Import.ckpt.new'
host = xxx-01
source = D:\Splunk\var\log\splunk\splunkd.log
sourcetype = splunkd
So I went to that location on our Windows 2012 Server, and the folder had full rights for the Splunk service only for the folder and not files under it, so our Splunk service had no rights on that file to read it.
I have recreated the Nessus Scan name without a space and I think I got further; I now get these errors.
Does the Splunk App have an issue if the Nessus SSL is a self-signed one? It creates a warning when you go there.
2015-11-13 11:20:21,976 ERROR pid=3648 tid=MainThread file=nessus_rest_client.py:request:91 | Failed to connect https://192.168.14.222:8834/scans/51, reason=Traceback (most recent call last):
  File "D:\Splunk\etc\apps\Splunk_TA_nessus\bin\nessus_rest_client.py", line 79, in request
    headers=headers)
  File "D:\Splunk\etc\apps\Splunk_TA_nessus\bin\splunktalib\httplib2\__init__.py", line 1593, in request
    (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
2015-11-13 11:19:51,974 ERROR pid=3648 tid=MainThread file=nessus_rest_client.py:request:91 | Failed to connect https://192.168.14.222:8834/scans/51, reason=Traceback (most recent call last):
  File "D:\Splunk\etc\apps\Splunk_TA_nessus\bin\nessus_rest_client.py", line 79, in request
    headers=headers)
  File "D:\Splunk\etc\apps\Splunk_TA_nessus\bin\splunktalib\httplib2\__init__.py", line 1593, in request
    (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
  File "D:\Splunk\etc\apps\Splunk_TA_nessus\bin\splunktalib\httplib2\__init__.py", line 1335, in _request
    (response, content) = self._conn_request(conn, request_uri, method, body, headers)
  File "D:\Splunk\etc\apps\Splunk_TA_nessus\bin\splunktalib\httplib2\__init__.py", line 1291, in _conn_request
    response = conn.getresponse()
  File "D:\Splunk\Python-2.7\Lib\httplib.py", line 1067, in getresponse
    response.begin()
  File "D:\Splunk\Python-2.7\Lib\httplib.py", line 409, in begin
    version, status, reason = self._read_status()
  File "D:\Splunk\Python-2.7\Lib\httplib.py", line 365, in _read_status
    line = self.fp.readline(_MAXLINE + 1)
  File "D:\Splunk\Python-2.7\Lib\socket.py", line 476, in readline
    data = self._sock.recv(self._rbufsize)
  File "D:\Splunk\Python-2.7\Lib\ssl.py", line 250, in recv
    return self.read(buflen)
  File "D:\Splunk\Python-2.7\Lib\ssl.py", line 169, in read
    return self._sslobj.read(len)
SSLError: The read operation timed out
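
Added example, not part of the thread or of the Splunk add-on: a small triage script that sorts the error lines quoted above (from splunkd.log and the ta:nessus:log source type) into causes, so that a checkpoint permission error, a missing input stanza and a TLS read timeout are not mistaken for one another. The category names, the hint wording and the certificate-validation rule are this example's own assumptions; the sample lines are copied from the thread.

```python
import re
from collections import defaultdict

# Ordered rules, first match wins. Patterns mirror messages quoted in this thread,
# except tls_cert_verify (OpenSSL's validation-failure text, added for contrast).
RULES = [
    ("file_permission", re.compile(r"\[Errno 13\] Permission denied: u?'(?P<d>[^']+)'")),
    ("missing_input_stanza", re.compile(r"Failed to get stanza (?P<d>.+?) by data_input manager")),
    ("tls_cert_verify", re.compile(r"(?P<d>certificate verify failed)", re.I)),
    ("tls_read_timeout", re.compile(r"SSLError: (?P<d>The read operation timed out)")),
    ("connect_failed", re.compile(r"Failed to connect (?P<d>https?://[^\s,]+)")),
]

NEXT_CHECK = {  # hint wording is this example's own
    "file_permission": "ACL on the file itself for the splunkd service account, not only its folder",
    "missing_input_stanza": "input name as configured vs. the stanza the TA asks for",
    "tls_cert_verify": "certificate trust (self-signed or unknown CA)",
    "tls_read_timeout": "reachability and response time of the Nessus API; not a certificate error",
    "connect_failed": "the traceback that follows gives the underlying reason",
}

def classify(line):
    """Return (category, detail) for a known error line, else None."""
    for name, rx in RULES:
        m = rx.search(line)
        if m:
            return name, m.group("d")
    return None

def triage(lines):
    """Group unique details by category across a batch of log lines."""
    found = defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit:
            found[hit[0]].add(hit[1])
    return {cat: sorted(vals) for cat, vals in found.items()}

# Constructed sample: four lines copied from the errors quoted above.
SAMPLE = r'''
2015-11-12 09:52:38,499 ERROR pid=2208 tid=MainThread file=nessus_config.py:check_conf_mgr_result:26 | Failed to get stanza Nessus Admin Scans by data_input manager.
11-20-2015 10:29:33.389 +1100 ERROR ExecProcessor - message from "python D:\Splunk\etc\apps\Splunk_TA_nessus\bin\nessus.py" IOError: [Errno 13] Permission denied: u'D:\Splunk\var\lib\splunk\modinputs\nessus\nessus_scan_Nessus_Import.ckpt.new'
2015-11-13 11:20:21,976 ERROR pid=3648 tid=MainThread file=nessus_rest_client.py:request:91 | Failed to connect https://192.168.14.222:8834/scans/51, reason=Traceback (most recent call last):
SSLError: The read operation timed out
'''.strip().splitlines()

if __name__ == "__main__":
    for cat, details in sorted(triage(SAMPLE).items()):
        print("%s: %s -> check %s" % (cat, "; ".join(details), NEXT_CHECK[cat]))
```

On the sample, the read timeout lands in its own category and the certificate-validation rule does not fire, because a failed certificate check produces a "certificate verify failed" message rather than a timeout.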