11-13-2015 08:20:42.654 +0300 ERROR LookupOperator - The lookup table 'nessus_plugin_lookup' does not exist. It is referenced by configuration 'nessus_vuln'.
11-13-2015 08:20:42.654 +0300 WARN LookupOperator - Failed to find static lookup file: nessus_plugin_lookup.csv
I received this error. TA - 1.0.6BETA.
I had this error until I created empty files for:
splunk/etc/apps/TA-nessus/lookups/nessus_plugin_lookup.csv
and
splunk/etc/apps/TA-nessus/lookups/nessus_scans.csv
by typing "touch nessus_scans.csv" and "touch nessus_plugin_lookup.csv" in the splunk/etc/apps/TA-nessus/lookups directory
But it shouldn't need those files, since the nessus_plugin_lookup points to nessus_plugin.csv
I checked one of dashboard, and it is empty because it use "severity". If I delete severity in search string it works.
Try running an all-time search over sourcetype=nessus_vuln. Do you see any events? If the dashboards are empty, that probably means you have no indexed scan data.
Note: The user account that Splunk is using to log in to your Nessus scanner must be the same user that ran the scans.
EDIT: Sorry, I wrote index=nessus instead of sourcetype=nessus_vuln
Yes I see events in index=nessus.
Apologies, I meant sourcetype=nessus_vuln, not index=nessus.
Are the events in that sourcetype scan results?
sorry, index=nessus sourcetype=nessus_vuln same as index=nessus
I see new data in index=nessus. But in app it is empty. For an example I take request:
tag=vulnerability tag=report report_id=* severity=* NOT severity=informational | chart count over dest by severity | sort -count limit=10 | rename low as Low, medium as Medium, high as High, critical as Critical
It is in reply empty
Then I modify request (del severity and add index=nessus)
index=nessus tag=vulnerability tag=report report_id=* | chart count over dest by severity | sort -count limit=10 | rename low as Low, medium as Medium, high as High, critical as Critical
I obtain data.
i am not getting any data for sourcetype=nessus_vuln
Is the severity field "informational" in all of your Nessus scan results? The Hurricane Labs App for Vulnerability Management doesn't display informational scan results in its dashboards.
they have no field "severity"
I created empty csv and launched update_lookup.sh. It filled it. It downloaded data from nessus, I see them.
But in application empty dashboards.
check permissions?
all by root user