Splunk Add-on for Nessus: Why is "nessus:plugin" not working?

rajbir1
Explorer

Hi

I have Splunk Add-on for Nessus running in a distributed environment. I successfully configured "nessus:scan" and the data is coming in, but I am having issues with "nessus:plugin". I have created a similar input for "nessus:plugin", but when I enable the inputs, I am seeing the following errors in internal logs:

10-28-2015 17:31:57.196 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py"     for plugin in plugins:
10-28-2015 17:31:57.196 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py"   File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus_data_collector.py", line 331, in _collect_plugin_id
10-28-2015 17:31:57.196 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py"     plugin_id_set = self._collect_plugin_id(plugin_families)
10-28-2015 17:31:57.196 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py"   File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus_data_collector.py", line 443, in collect_plugin_data
10-28-2015 17:31:57.196 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py"     collector.collect_plugin_data()

Here are my inputs on the heavy forwarder:

[nessus://Nessus-plugins]
access_key = ********
batch_size = 100000
interval = 300
metric = nessus_plugin
secret_key = ********
start_date = 2015/01/01
url = https://x.x.x.x:8834
index = nessus
disabled = 0
0 Karma

tp92222
Explorer

I am facing the same problem. I am also able to see nessus:scan results but not nessus:plugins reports. Can anyone tell me the step-by-step procedure?

I checked the log; there are no errors.
Saved searches are also enabled.

0 Karma

rajbir1
Explorer

What are you using as your "start date" for the nessus:plugins inputs?

0 Karma

tp92222
Explorer

Yeah, thanks, I was using the wrong date.

0 Karma

rpille_splunk
Splunk Employee

Hi Rajbir, can you confirm that you have enabled the saved searches? Also, can you tell us what version of Splunk Enterprise you are running on?

0 Karma

dferentinos
New Member

Any solution for this?

10 searches enabled, date 1999/01/01, Splunk 6.3.3, no modification on scripts.
With index=nessus (we do not use the main index) we see sourcetype nessus:scan but NO nessus:plugin.

Can it be the workflows? What will happen if Splunk cannot connect to the URLs in the nessus workflows?

0 Karma

rajbir1
Explorer

Thanks! I have Splunk TA nessus running on a heavy forwarder, so I assume we don't need to have those saved searches enabled on the heavy forwarder, right? I do have those enabled on the search heads. We are running Splunk Enterprise 6.3.

0 Karma

rajbir1
Explorer

I changed the logging level to Info on TA nessus and noticed that the nessus_plugin input is not creating a checkpoint file under "/opt/splunk/var/lib/splunk/modinputs/nessus". It's able to connect to the host, as we are seeing a response code of 200.

2015-11-04 16:55:36,580 INFO pid=11310 tid=MainThread file=nessus_rest_client.py:request:80 | Response status: 200
2015-11-04 16:55:36,515 INFO pid=11310 tid=MainThread file=nessus_rest_client.py:request:77 | Send request: https://x.x.x.x:8834/plugins/families
2015-11-04 16:55:36,515 INFO pid=11310 tid=MainThread file=nessus_rest_client.py:request:69 | start https://x.x.x.x:8834/plugins/families
2015-11-04 16:55:36,515 INFO pid=11310 tid=MainThread file=nessus_checkpoint.py:read:65 | Checkpoint file format is incorrect. Checkpoint file doesn't exist
2015-11-04 16:55:36,514 INFO pid=11310 tid=MainThread file=nessus_checkpoint.py:read:53 | Read Checkpoint from file /opt/splunk/var/lib/splunk/modinputs/nessus/nessus_plugin_Nessus-plugins_https_x_x_x_x_8834.ckpt

I tried creating a "Nessus-plugins_https_x_x_x_x_8834.ckpt" file with the following content, but it still didn't fix the issue.

{
    "https://x.x.x.x:8834": {
        "start_date": "1999/10/01"
    }
}

I even blew away everything and tried fresh by reinstalling the TA nessus, but the nessus plugin checkpoint file wasn't created again.

0 Karma
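
An added example, not part of the original post and not the add-on's own code: it parses the add-on log lines quoted in the post above, restores their chronological order, and extracts the checkpoint path the input reads so that a hand-made file name can be compared against it. The sample lines are copied from the post; the function names are hypothetical.

```python
import re
from datetime import datetime
from pathlib import PurePosixPath

# Add-on log lines copied from the post above, newest first as the search UI lists them.
SAMPLE = """\
2015-11-04 16:55:36,580 INFO pid=11310 tid=MainThread file=nessus_rest_client.py:request:80 | Response status: 200
2015-11-04 16:55:36,515 INFO pid=11310 tid=MainThread file=nessus_rest_client.py:request:77 | Send request: https://x.x.x.x:8834/plugins/families
2015-11-04 16:55:36,515 INFO pid=11310 tid=MainThread file=nessus_rest_client.py:request:69 | start https://x.x.x.x:8834/plugins/families
2015-11-04 16:55:36,515 INFO pid=11310 tid=MainThread file=nessus_checkpoint.py:read:65 | Checkpoint file format is incorrect. Checkpoint file doesn't exist
2015-11-04 16:55:36,514 INFO pid=11310 tid=MainThread file=nessus_checkpoint.py:read:53 | Read Checkpoint from file /opt/splunk/var/lib/splunk/modinputs/nessus/nessus_plugin_Nessus-plugins_https_x_x_x_x_8834.ckpt
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>[A-Z]+) "
    r"pid=(?P<pid>\d+) tid=(?P<tid>\S+) "
    r"file=(?P<file>[^:\s]+):(?P<func>[^:\s]+):(?P<lineno>\d+) \| (?P<msg>.*)$"
)

def parse(text):
    """Return log events oldest first; lines that do not match are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S,%f")
            ev["lineno"] = int(ev["lineno"])
            events.append(ev)
    # Reverse the newest-first listing, then stable-sort so that events sharing
    # a millisecond keep the order they were written in.
    events.reverse()
    events.sort(key=lambda ev: ev["ts"])
    return events

def checkpoint_path(events):
    """Path the input tried to read, taken from the 'Read Checkpoint' message."""
    for ev in events:
        m = re.search(r"Read Checkpoint from file (\S+)", ev["msg"])
        if m:
            return PurePosixPath(m.group(1))
    return None

def checkpoint_reported_missing(events):
    """True when the add-on logged that no checkpoint file was found."""
    return any("Checkpoint file doesn't exist" in ev["msg"] for ev in events)

def same_checkpoint_name(events, candidate):
    """True when a hand-made file name equals the name the input reads."""
    path = checkpoint_path(events)
    return path is not None and path.name == candidate
```
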

muebel
SplunkTrust

Hi rajbir1, looks like it could be a problem with your Python config on the system. I'd check the documentation for the Nessus add-on and ensure that everything is sorted out in that way. Let me know if this helps!

0 Karma

rajbir1
Explorer

Thanks Matt. I haven't modified anything in the Python scripts though; I'm using everything out of the box.

0 Karma

rajbir1
Explorer

Any other thoughts on this issue Matt?

0 Karma

jcoates_splunk
Splunk Employee

Please file a support ticket so we can see a diag.

0 Karma