I have set up the Nessus add-on and Splunk appears to be retrieving data via the API, but the scans do not seem to provide any useful information. How can I have Splunk retrieve the actual results from the scan? This is with Nessus Pro 6.5.4 and Splunk 6.3.1.
Here is an example of one of the scans that appears when I search for sourcetype="nessus:scan":
control: true
count: 47
edit_allowed: true
folder_id: 846
hasaudittrail: true
haskb: true
host-fqdn: rnxxxxx
host-ip: 10.xx.xx.xx
host_end: Mon Feb 01 13:43:07 2016
host_id: 2
host_start: Mon Feb 01 13:42:19 2016
hostcount: 1
hostname: rnxxxxx
name: Policy Audit Testing
netbios-name: RNxxxx
object_id: 1007
pci-can-upload: false
plugin_family: Port scanners
plugin_id: 34220
plugin_name: Netstat Portscanner (WMI)
policy: QA - Win10 Audit Policy
scan_end: 1454352190
scan_start: 1454352139
scan_type: local
scanner_end: 1454352187
scanner_name: Local Scanner
scanner_start: 1454352139
severity: 0
severity_index: 1
sid: 1007
status: completed
targets: RNxxxxx
timestamp: 1454352190
user_permissions: 128
uuid: 66dc112c-83cc-fb92-746d-1f13b987192fdab3db0239ddc279
vuln_index: 2
I had the same issue and changed to another app: https://splunkbase.splunk.com/app/2740/. This app downloads the data in JSON format with the full information we need. Try installing it.
Hope this helps.
If you ever found an answer to this, I'd be interested as well. I have Nessus 6.5.5 and Splunk 6.3.3 and I am getting scan data, but something seems missing. The data contains information on the hosts, plugins, etc., as above, but there is very little information on the results of those scans, like open ports, TLS versions...
Unfortunately, I have not found an answer to this yet. If I do, I'll be sure to share.