All Apps and Add-ons

Hurricane Labs Add-on for Nessus: Why am I getting error "The lookup table 'nessus_plugin_lookup' does not exist?

vinchakov_a
Path Finder
11-13-2015 08:20:42.654 +0300 ERROR LookupOperator - The lookup table 'nessus_plugin_lookup' does not exist. It is referenced by configuration 'nessus_vuln'.
11-13-2015 08:20:42.654 +0300 WARN  LookupOperator - Failed to find static lookup file: nessus_plugin_lookup.csv

I received this error. TA - 1.0.6BETA.

jeeames
Explorer

I had this error until I created empty files for:

splunk/etc/apps/TA-nessus/lookups/nessus_plugin_lookup.csv

and

splunk/etc/apps/TA-nessus/lookups/nessus_scans.csv

by typing "touch nessus_scans.csv" and "touch nessus_plugin_lookup.csv" in the splunk/etc/apps/TA-nessus/lookups directory

0 Karma

duartet
Path Finder

But it shouldn't need those files, since the nessus_plugin_lookup points to nessus_plugin.csv

0 Karma

vinchakov_a
Path Finder

I checked one of dashboard, and it is empty because it use "severity". If I delete severity in search string it works.

0 Karma

cschmidt_hurric
Path Finder

Try running an all-time search over sourcetype=nessus_vuln. Do you see any events? If the dashboards are empty, that probably means you have no indexed scan data.

Note: The user account that Splunk is using to log in to your Nessus scanner must be the same user that ran the scans.

EDIT: Sorry, I wrote index=nessus instead of sourcetype=nessus_vuln

0 Karma

vinchakov_a
Path Finder

Yes I see events in index=nessus.

0 Karma

cschmidt_hurric
Path Finder

Apologies, I meant sourcetype=nessus_vuln, not index=nessus.

Are the events in that sourcetype scan results?

0 Karma

vinchakov_a
Path Finder

sorry, index=nessus sourcetype=nessus_vuln same as index=nessus

0 Karma

vinchakov_a
Path Finder

I see new data in index=nessus. But in app it is empty. For an example I take request:

tag=vulnerability tag=report report_id=* severity=* NOT severity=informational | chart count over dest by severity | sort -count limit=10 | rename low as Low, medium as Medium, high as High, critical as Critical

It is in reply empty
Then I modify request (del severity and add index=nessus)

index=nessus tag=vulnerability tag=report report_id=* | chart count over dest by severity | sort -count limit=10 | rename low as Low, medium as Medium, high as High, critical as Critical

I obtain data.

0 Karma

tp92222
Explorer

i am not getting any data for sourcetype=nessus_vuln

0 Karma

cschmidt_hurric
Path Finder

Is the severity field "informational" in all of your Nessus scan results? The Hurricane Labs App for Vulnerability Management doesn't display informational scan results in its dashboards.

0 Karma

vinchakov_a
Path Finder

they have no field "severity"

0 Karma

vinchakov_a
Path Finder

I created empty csv and launched update_lookup.sh. It filled it. It downloaded data from nessus, I see them.
But in application empty dashboards.

0 Karma

sundareshr
Legend

check permissions?

0 Karma

vinchakov_a
Path Finder

all by root user

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!