I have set up the Nessus add-on, and Splunk appears to be retrieving data via the API, but the scans do not seem to provide any useful information. How can I have Splunk retrieve the actual results from the scan? This is with Nessus Pro 6.5.4 and Splunk 6.3.1.
Here is an example of one of the scans that appears when I search for sourcetype="nessus:scan":
control: true
count: 47
edit_allowed: true
folder_id: 846
hasaudittrail: true
haskb: true
host-fqdn: rnxxxxx
host-ip: 10.xx.xx.xx
host_end: Mon Feb 01 13:43:07 2016
host_id: 2
host_start: Mon Feb 01 13:42:19 2016
hostcount: 1
hostname: rnxxxxx
name: Policy Audit Testing
netbios-name: RNxxxx
object_id: 1007
pci-can-upload: false
plugin_family: Port scanners
plugin_id: 34220
plugin_name: Netstat Portscanner (WMI)
policy: QA - Win10 Audit Policy
scan_end: 1454352190
scan_start: 1454352139
scan_type: local
scanner_end: 1454352187
scanner_name: Local Scanner
scanner_start: 1454352139
severity: 0
severity_index: 1
sid: 1007
status: completed
targets: RNxxxxx
timestamp: 1454352190
user_permissions: 128
uuid: 66dc112c-83cc-fb92-746d-1f13b987192fdab3db0239ddc279
vuln_index: 2
Hi jpolcari,
I had the same issue and switched to another app: https://splunkbase.splunk.com/app/2740/. This app downloads the data in JSON format with the full information we need. Try installing it.
Hope this helps.
If you ever found an answer to this, I'd be interested as well. I have Nessus 6.5.5 and Splunk 6.3.3 and I am getting scan data, but something seems missing. The data contains information on the hosts, plugins, etc., as above, but there is very little information on the results of those scans, like open ports, TLS versions...
Unfortunately, I have not found an answer to this yet. If I do, I'll be sure to share.