All Apps and Add-ons

Nessus Data Importer: Why am I getting error "No such file or directory..." when running nessus2splunkjson.sh?

rveal
Explorer

When running nessus2splunkjson.sh, I get a successful connection to my Nessus system. The scans get processed, but then the script crashes out with an error:

File "nessus2splunkjson.py", line 310, in <module>
with open(filename, 'a') as outfilewhen:
IOError: [Errno 2] No such file or directory: '/splunk/etc/apps/TA-nessus_json/drop/sid_108_name web audit of http://"systemname";

I have changed the name to protect internal server names. The only change I made to the script was to change the default splunk install location from /opt to /splunk. I have tried running it with my default Python 2.6.6 and also with an altinstall of 2.7.10

Nothing gets generated in the drop directory, but there are lots of json files generated for the scans in the pickup directory. The file and directory permissions look fine, and I have tried running as splunk and root...

Any help much appreciated!

0 Karma
1 Solution

amorgado
Path Finder

@rveal, i have been doing some testing and it appears the spaces are ok, the "/" characters are what it does not like... did you get rid of the "//" after "http:" if thats the case then this is the reason it worked. That is, the removal of the "//". Can you confirm this and correctly mark this as the answer if so?

thanks

View solution in original post

IshanGirdhar
New Member

I have given a easiest scan name with special character/digits/spaces in scan name 'TEST' but it still gives the same error:

Traceback (most recent call last):

  File "./nessus2splunkjson.py", line 313, in <module>
    with open(filename, 'a') as outfile:
IOError: [Errno 2] No such file or directory: '/opt/splunk/etc/apps/TA-nessus_json/drop/sid_146_name_TEST_hid_162.json'
0 Karma

amorgado
Path Finder

@rveal, i have been doing some testing and it appears the spaces are ok, the "/" characters are what it does not like... did you get rid of the "//" after "http:" if thats the case then this is the reason it worked. That is, the removal of the "//". Can you confirm this and correctly mark this as the answer if so?

thanks

amorgado
Path Finder

for version 1.3 of nessus data importer, scan names with spaces are not compatible. Rename the scan or rerun under a different (non-space) name.

amorgado
Path Finder

sorry your having this issue
on the file , nessus2splunkjson.py

look at lines 33 and 34 , are your "dropdir" and "pickupdir" correct and match your enviroment?

-also can you paste lines 310-315 from your nessus2splunkjson.py
-are you running the latest version 1.3?

0 Karma

amorgado
Path Finder

taking a guess here but it can also be the spaces in your scan name, if your scan(s) has spaces the same way your example does.. if this is the case please be sure to let me know.... ill test out as well.

0 Karma

rveal
Explorer

Drop and pickup dirs are fine - they were the only thing I changed I believe (other than adding credentials etc.)

I attempted to import a scan without any spaces or underscores in the scan name and the script executed without any errors. There is a json file for the scan in the pickup directory.

On further inspection I have noticed that the default/inputs.conf file also has /opt/splunk set as the default for pickups directory so I have edited this too and hopefully this scan will get indexed.

Below are the code lines you requested:

                                        with open(filename, 'a') as outfile:
                                            json.dump(d, outfile)
                                            sys.stdout.write("\rHost {0} of {1}".format(count, hostlen))
                #drop file, do some logging
                pickupfile = '{0}/sid_{1}_name_{2}_hid_{3}.json'.format(pickupdir,s,n,hid)
0 Karma

amorgado
Path Finder

ok great(kind off) I would recommend you change the scan name to non-spaces if you want it immediately. I note this and see if its something I can work on for future versions.. that is " importing scan names with spaces"

0 Karma
Get Updates on the Splunk Community!

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...

Want to Reduce Costs, Mitigate Risk, Improve Performance, or Increase Efficiencies? ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...