
How to configure the Splunk Add-on for Nessus?

junior87
Engager

Hi, I have a configuration problem with Splunk_TA_nessus and Splunk; running it in debug gives me the following:

Checking filesystem compatibility...  Done
    Checking conf files for problems...
        Invalid key in stanza [default] in /root/splunk/etc/apps/Splunk_TA_nessus/local/inputs.conf, line 1:    srcdir  (value:  /root/splunk/etc/apps/Splunk_TA_nessus/spool/)
        Invalid key in stanza [default] in /root/splunk/etc/apps/Splunk_TA_nessus/local/inputs.conf, line 2:    tgtdir  (value:  $SPLUNK_HOME/var/spool/splunk)
        Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
    Done

MuS
SplunkTrust

Hi junior87,

looking at the inputs.conf of this app it says:

## EXAMPLE Nessus scripted input using user-defined directories, full paths
#
# Purpose:
#
#   Converts .nessus format files (v1 or v2) to a Splunk-indexable format,
#   using the following directories as source and target:
#
#    srcdir = /opt/nessus/incoming
#    tgtdir = /opt/nessus/parsed
# 
# WARNING: This is only an example.
#
#   To utilize this input as shown, a Splunk "monitor" stanza would also need
#   to be configured to index parsed output files from the custom directory 
#   The configuration of the "monitor" stanza would need to be similar to
#   the configuration used for the default Splunk spool directory.
#   For instance:
#
#       [batch://<path_to_custom_spool_directory>]
#       move_policy = sinkhole
#       crcSalt = <SOURCE>

This means: use neither srcdir nor tgtdir, but set up a Splunk monitor input like the [batch: ...] example, or use the scripted input like this:

[script://./bin/nessus2splunk.py -s /opt/nessus/incoming -t /opt/nessus/parsed]
disabled = false
interval = 120
index = _internal
source = nessus2splunk
sourcetype = nessus2splunk

where -s is the source path and -t is the target path for the script. The target path will be monitored in Splunk.

Hope this helps to get you started ...

cheers, MuS
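As an added illustration (not part of MuS's answer and not a file shipped with the add-on), here is the rejected inputs.conf layout from the question placed beside a corrected one that follows the two options above. The script stanza reuses the values from the answer; the [batch://...] stanza's index and sourcetype values are assumptions, not taken from the add-on, and must be replaced with an index that exists on your instance and the sourcetype the add-on's props.conf defines.

```ini
# --- Rejected layout (what the btool output in the question corresponds to) ---
# Keys written before any stanza header land in [default]. srcdir and tgtdir
# are not inputs.conf keys, so btool reports "Invalid key in stanza [default]".
#
# srcdir = /root/splunk/etc/apps/Splunk_TA_nessus/spool/
# tgtdir = $SPLUNK_HOME/var/spool/splunk

# --- Corrected: hand the directories to the script as arguments ---
# -s is the directory holding raw .nessus files, -t the directory the script
# writes converted, Splunk-indexable files into (paths from the add-on's example).
[script://./bin/nessus2splunk.py -s /opt/nessus/incoming -t /opt/nessus/parsed]
disabled = false
interval = 120
# The script's own stdout is indexed under this index/source/sourcetype,
# exactly as in the answer above; the scan data itself arrives via the batch input.
index = _internal
source = nessus2splunk
sourcetype = nessus2splunk

# --- Index the converted files from the target directory ---
# batch:// reads each file once; move_policy = sinkhole deletes the file after
# it has been indexed, so this must point at the parsed output directory, never
# at the raw .nessus source directory. crcSalt = <SOURCE> keeps files that share
# the same leading bytes from being skipped as already-seen.
[batch:///opt/nessus/parsed]
disabled = false
move_policy = sinkhole
crcSalt = <SOURCE>
# ASSUMED values: pick an existing index and the add-on's own sourcetype.
index = nessus
sourcetype = nessus
```

After saving this as local/inputs.conf, rerun the check from the question (`splunk btool check --debug`): the "Invalid key in stanza [default]" lines should be gone. Note the sinkhole policy consumes whatever lands in /opt/nessus/parsed, which is why the raw .nessus files stay in the separate /opt/nessus/incoming directory.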

junior87
Engager

thank you

I fixed the error, but Splunk_TA_nessus does not let me view any data.


MuS
SplunkTrust

The Add-on will not provide any view; it 'only' provides the inputs and CIM-compatible knowledge to use Nessus data with other Splunk apps, such as the Splunk App for Enterprise Security and the Splunk App for PCI Compliance.

jcoates_splunk
Splunk Employee

FYI, there are now pre-built panels in the Add-on, so you can add a dashboard and select from those to get some reports.
