How do I get scan data from Tenable.io to Splunk?
I followed this guide from Tenable and installed the Splunk Add-on for Tenable to add my on-premise scanners and when I look up nessus sources, I only see these log sources:
/opt/splunk/var/log/splunk/splunk_ta_nessus_tenable_sc.log
/opt/splunk/var/log/splunk/splunk_ta_nessus_ucc_lib.log
/opt/splunk/var/log/splunk/ta_nessus.log
What do I need to do to see scan data from Tenable.io?
Tenable has just released a new app with Tenable.io and SecurityCenter support. https://splunkbase.splunk.com/app/4060/
I have set this up as above, and I can get data from the "nessus:plugins", but not the "Nessus Host Scans". Has anyone seen this and solved the issue before?
We have tried putting the user up to 'administrator' as a test, and still no joy.
I can't see any other settings that would allow access to these logs.
Thanks
Under the Splunk Add-on For Tenable, add a new input and choose "Nessus".
You then need to name this input (NessusCloud or Tenable IO, or something more meaningful to yourself).
The URL you will use shall be "https://cloud.tenable.com" (no ports are needed, as it's just 443/https).
You still need to use the Secret/Access key from your Tenable IO user profile; the documentation is reasonably accurate here.
Everything else is going to be the same, so long as your Splunk instance can reach https://cloud.tenable.com then you should be working ok.


This is not a supported scenario and will cause intermittent authorization errors and data loss.
In what way is it not supported? I have it working in three different environments in exactly this manner, collecting data every 6 hours from both plugins and scan data.

Your link is broken (not your fault! Google also points to that same document and their link is also broken!), so until Tenable puts that back up somewhere we can see it, we may not be able to answer this easily.
(Unless someone actually does tenable.io and knows this answer offhand, of course. We do on-premise Security Center - if tenable.io acts like "Security Center in the Cloud" then maybe I can help. But if it's more like "Nessus Manager in the cloud" I may not be able to. Do you know which method/methodology it uses?)
I can confirm, it is like Nessus Manager. I have this working in Splunk now using the Nessus TA. Follow this guide https://webcache.googleusercontent.com/search?q=cache:-5V-FbT4TQ0J:https://www.tenable.com/sites/dru...
The trick is that data will show up in Splunk using the timestamp from the scan - not the index time.
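
The timestamp behaviour mentioned in the post above can be checked by filtering on index time instead of event time. This search is an added example, not part of the original thread; it assumes the add-on's sourcetypes begin with `nessus:` (as in the "nessus:plugins" sourcetype quoted earlier in the thread) and it searches every index, which you may want to narrow.

```spl
index=* sourcetype="nessus:*" earliest=0 latest=now _index_earliest=-24h _index_latest=now
| eval index_lag_hours = round((_indextime - _time) / 3600, 1)
| stats count AS events
        min(_time) AS oldest_event
        max(_time) AS newest_event
        max(index_lag_hours) AS max_lag_hours
  BY index, sourcetype, source
| convert ctime(oldest_event) ctime(newest_event)
| sort - events
```

Rows with a large `max_lag_hours` are scan results that were indexed in the last 24 hours but carry an older scan timestamp, so they do not appear in a default "last 24 hours" search.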

Which means Splunk will be pulling scan data from the Nessus scan boxes directly. So I wonder, where does Tenable.io come into play, and if it does come into play how do we get whatever extra data it has? Hmm.
Will have to do more research.
Still, this thread is still alive. 🙂
Tenable.io is "Nessus Manager" and "Nessus Scanners" in the cloud - so you just need to point it to cloud.tenable.com and give it your API keys.
I did follow that guide when it was available. Do I specify my on-premise scanner IP or cloud.tenable.com under "Nessus Server URL"? What source or sourcetype should I be searching for to see the scan data?
