
How to configure the Splunk Add-on for Nessus?

Engager

Hi, I have a configuration problem with Splunk_TA_nessus and Splunk, and running in debug gives me the following:

Checking filesystem compatibility...  Done
    Checking conf files for problems...
        Invalid key in stanza [default] in /root/splunk/etc/apps/Splunk_TA_nessus/local/inputs.conf, line 1:    srcdir  (value:  /root/splunk/etc/apps/Splunk_TA_nessus/spool/)
        Invalid key in stanza [default] in /root/splunk/etc/apps/Splunk_TA_nessus/local/inputs.conf, line 2:    tgtdir  (value:  $SPLUNK_HOME/var/spool/splunk)
        Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
    Done

Re: How to configure the Splunk Add-on for Nessus?

SplunkTrust

Hi junior87,

Looking at the inputs.conf of this app, it says:

## EXAMPLE Nessus scripted input using user-defined directories, full paths
#
# Purpose:
#
#   Converts .nessus format files (v1 or v2) to a Splunk-indexable format,
#   using the following directories as source and target:
#
#    srcdir = /opt/nessus/incoming
#    tgtdir = /opt/nessus/parsed
# 
# WARNING: This is only an example.
#
#   To utilize this input as shown, a Splunk "monitor" stanza would also need
#   to be configured to index parsed output files from the custom directory 
#   The configuration of the "monitor" stanza would need to be similar to
#   the configuration used for the default Splunk spool directory.
#   For instance:
#
#       [batch://<path_to_custom_spool_directory>]
#       move_policy = sinkhole
#       crcSalt = <SOURCE>

This means use neither srcdir nor tgtdir, but set up a Splunk input monitor as in the [batch: ...] example, or use the scripted input like this:

[script://./bin/nessus2splunk.py -s /opt/nessus/incoming -t /opt/nessus/parsed]
disabled = false
interval = 120
index = _internal
source = nessus2splunk
sourcetype = nessus2splunk

where -s is the source path and -t is the target path for the script. The target path will be monitored in Splunk.

Hope this helps to get you started ...

cheers, MuS
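Added example, not part of the original reply or of the add-on's shipped configuration: the scripted input from the answer combined with the batch stanza that indexes its target directory, as it could appear in the add-on's local/inputs.conf. The /opt/nessus paths are the ones from the commented example above and are assumed to exist on the Splunk host.

```ini
# local/inputs.conf of Splunk_TA_nessus (added example)
# No srcdir/tgtdir keys under [default]; the directories are passed
# to the script as -s (source) and -t (target) arguments instead.

# Scripted input: converts .nessus files found in the source directory
# and writes the parsed output to the target directory.
[script://./bin/nessus2splunk.py -s /opt/nessus/incoming -t /opt/nessus/parsed]
disabled = false
interval = 120
index = _internal
source = nessus2splunk
sourcetype = nessus2splunk

# Batch input: indexes the parsed files from the custom target directory.
# move_policy = sinkhole deletes each parsed file once it has been indexed.
# Events go to the default index unless an index key is added here.
[batch:///opt/nessus/parsed]
move_policy = sinkhole
crcSalt = <SOURCE>
```

After a restart, 'splunk btool check --debug' should no longer report the invalid srcdir and tgtdir keys.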


Re: How to configure the Splunk Add-on for Nessus?

Engager

Thank you.

I fixed the error, but Splunk_TA_nessus does not let me view data.


Re: How to configure the Splunk Add-on for Nessus?

SplunkTrust

The Add-on will not provide any view; it 'only' provides the inputs and CIM-compatible knowledge to use Nessus data with other Splunk apps, such as Splunk App for Enterprise Security and Splunk App for PCI Compliance.


Re: How to configure the Splunk Add-on for Nessus?

Champion

FYI, there are now pre-built panels in the Add-on, so you can add a dashboard and select from those to get some reports.