Hurricane Labs Add-on for Nessus: Why am I getting...

vinchakov_a · ‎11-12-2015

11-13-2015 08:20:42.654 +0300 ERROR LookupOperator - The lookup table 'nessus_plugin_lookup' does not exist. It is referenced by configuration 'nessus_vuln'.
11-13-2015 08:20:42.654 +0300 WARN  LookupOperator - Failed to find static lookup file: nessus_plugin_lookup.csv

I received this error. TA - 1.0.6BETA.

jeeames · ‎03-09-2016

I had this error until I created empty files for:

splunk/etc/apps/TA-nessus/lookups/nessus_plugin_lookup.csv

and

splunk/etc/apps/TA-nessus/lookups/nessus_scans.csv

by typing "touch nessus_scans.csv" and "touch nessus_plugin_lookup.csv" in the splunk/etc/apps/TA-nessus/lookups directory

duartet · ‎08-17-2018

But it shouldn't need those files, since the nessus_plugin_lookup points to nessus_plugin.csv

vinchakov_a · ‎11-13-2015

I checked one of dashboard, and it is empty because it use "severity". If I delete severity in search string it works.

cschmidt_hurric · ‎11-13-2015

Try running an all-time search over sourcetype=nessus_vuln. Do you see any events? If the dashboards are empty, that probably means you have no indexed scan data.

Note: The user account that Splunk is using to log in to your Nessus scanner must be the same user that ran the scans.

EDIT: Sorry, I wrote index=nessus instead of sourcetype=nessus_vuln

vinchakov_a · ‎11-13-2015

Yes I see events in index=nessus.

cschmidt_hurric · ‎11-13-2015

Apologies, I meant sourcetype=nessus_vuln, not index=nessus.

Are the events in that sourcetype scan results?

vinchakov_a · ‎11-13-2015

sorry, index=nessus sourcetype=nessus_vuln same as index=nessus

vinchakov_a · ‎11-15-2015

I see new data in index=nessus. But in app it is empty. For an example I take request:

tag=vulnerability tag=report report_id=* severity=* NOT severity=informational | chart count over dest by severity | sort -count limit=10 | rename low as Low, medium as Medium, high as High, critical as Critical

It is in reply empty
Then I modify request (del severity and add index=nessus)

index=nessus tag=vulnerability tag=report report_id=* | chart count over dest by severity | sort -count limit=10 | rename low as Low, medium as Medium, high as High, critical as Critical

I obtain data.

tp92222 · ‎02-17-2016

i am not getting any data for sourcetype=nessus_vuln

cschmidt_hurric · ‎11-16-2015

Is the severity field "informational" in all of your Nessus scan results? The Hurricane Labs App for Vulnerability Management doesn't display informational scan results in its dashboards.

vinchakov_a · ‎11-16-2015

they have no field "severity"

vinchakov_a · ‎11-12-2015

I created empty csv and launched update_lookup.sh. It filled it. It downloaded data from nessus, I see them.
But in application empty dashboards.

sundareshr · ‎11-13-2015

check permissions?

vinchakov_a · ‎11-13-2015

all by root user

Hurricane Labs Add-on for Nessus: Why am I getting error "The lookup table 'nessus_plugin_lookup' does not exist?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor