
How to configure the Splunk Add-on for Nessus?

junior87
Engager

Hi, I have a configuration problem with the Splunk_TA_nessus and Splunk, and running in debug gives me the following:

Checking filesystem compatibility...  Done
    Checking conf files for problems...
        Invalid key in stanza [default] in /root/splunk/etc/apps/Splunk_TA_nessus/local/inputs.conf, line 1:    srcdir  (value:  /root/splunk/etc/apps/Splunk_TA_nessus/spool/)
        Invalid key in stanza [default] in /root/splunk/etc/apps/Splunk_TA_nessus/local/inputs.conf, line 2:    tgtdir  (value:  $SPLUNK_HOME/var/spool/splunk)
        Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
    Done
0 Karma

MuS
Legend

Hi junior87,

looking at the inputs.conf of this app it says:

## EXAMPLE Nessus scripted input using user-defined directories, full paths
#
# Purpose:
#
#   Converts .nessus format files (v1 or v2) to a Splunk-indexable format,
#   using the following directories as source and target:
#
#    srcdir = /opt/nessus/incoming
#    tgtdir = /opt/nessus/parsed
# 
# WARNING: This is only an example.
#
#   To utilize this input as shown, a Splunk "monitor" stanza would also need
#   to be configured to index parsed output files from the custom directory 
#   The configuration of the "monitor" stanza would need to be similar to
#   the configuration used for the default Splunk spool directory.
#   For instance:
#
#       [batch://<path_to_custom_spool_directory>]
#       move_policy = sinkhole
#       crcSalt = <SOURCE>

This means use neither srcdir nor tgtdir, but set up a Splunk input monitor like in the [batch: ...] example, or use the scripted input like this:

[script://./bin/nessus2splunk.py -s /opt/nessus/incoming -t /opt/nessus/parsed]
disabled = false
interval = 120
index = _internal
source = nessus2splunk
sourcetype = nessus2splunk

where -s is the source path and -t is the target path for the script. The target path will be monitored in Splunk.

Hope this helps to get you started ...

cheers, MuS
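
As an added example (not part of MuS's answer or the add-on's own code): a small Python check over an inputs.conf that flags the two problems in this thread, srcdir/tgtdir set as keys in [default] and a nessus2splunk.py target directory that no batch or monitor stanza indexes. The parser, function names and sample files are constructed for illustration.

```python
import shlex

# Keys that btool reported as invalid in [default] in this thread.
REJECTED_KEYS = {"srcdir", "tgtdir"}

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; keys before any header go to [default]."""
    stanzas = {"default": {}}
    current = stanzas["default"]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def check_nessus_inputs(text):
    """Return findings for the two problems discussed in the thread."""
    stanzas = parse_conf(text)
    findings = [f"[default]: '{k}' is not a valid key here; pass the path to the script instead"
                for k in sorted(REJECTED_KEYS & set(stanzas["default"]))]
    # Directories that a batch:// or monitor:// stanza tells Splunk to index.
    watched = {n.split("://", 1)[1].rstrip("/") for n in stanzas
               if n.startswith(("batch://", "monitor://"))}
    for name in stanzas:
        if not name.startswith("script://") or "nessus2splunk.py" not in name:
            continue
        args = shlex.split(name[len("script://"):])
        if "-t" in args[:-1]:
            target = args[args.index("-t") + 1].rstrip("/")
            if target not in watched:
                findings.append(f"{target}: no batch/monitor stanza indexes the parsed output")
    return findings

# Constructed sample files: the broken layout from the question, then the corrected one.
SCRIPT = """[script://./bin/nessus2splunk.py -s /opt/nessus/incoming -t /opt/nessus/parsed]
disabled = false
interval = 120
"""
BROKEN = "srcdir = /opt/nessus/incoming\ntgtdir = /opt/nessus/parsed\n\n" + SCRIPT
FIXED = SCRIPT + "\n[batch:///opt/nessus/parsed]\nmove_policy = sinkhole\ncrcSalt = <SOURCE>\n"

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_nessus_inputs(conf))
```

The check only looks at the single file it is given, so a target that is indexed by a stanza in another app or in Splunk's default configuration (such as the default spool directory) will still be reported.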

junior87
Engager

thank you

I fixed the error but not splunk_ta_nessus makes me view data

0 Karma

MuS
Legend

The Add-on will not provide any view; it 'only' provides the inputs and CIM-compatible knowledge to use Nessus data with other Splunk apps, such as Splunk App for Enterprise Security and Splunk App for PCI Compliance.

jcoates_splunk
Splunk Employee

FYI, there are now pre-built panels in the Add-on, so you can add a dashboard and select from those to get some reports.
