Splunk Add-on for Nessus: Why is "nessus:plugin" not working?

Explorer

Hi

I have the Splunk Add-on for Nessus running in a distributed environment. I successfully configured "nessus:scan" and the data is coming in, but I am having issues with "nessus:plugin". I have created a similar input for "nessus:plugin", but when I enable the inputs, I am seeing the following errors in the internal logs:

10-28-2015 17:31:57.196 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py"     for plugin in plugins:
10-28-2015 17:31:57.196 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py"   File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus_data_collector.py", line 331, in _collect_plugin_id
10-28-2015 17:31:57.196 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py"     plugin_id_set = self._collect_plugin_id(plugin_families)
10-28-2015 17:31:57.196 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py"   File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus_data_collector.py", line 443, in collect_plugin_data
10-28-2015 17:31:57.196 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py"     collector.collect_plugin_data()

Here are my inputs on the heavy forwarder:

[nessus://Nessus-plugins]
access_key = ********
batch_size = 100000
interval = 300
metric = nessus_plugin
secret_key = ********
start_date = 2015/01/01
url = https://x.x.x.x:8834
index = nessus
disabled = 0
0 Karma

Explorer

I am facing the same problem. I am also able to see nessus:scan results but not nessus:plugins reports. Can anyone tell me the step-by-step procedure?

I checked the log; there are no errors.
Saved searches are also enabled.

0 Karma

Explorer

What are you using as your "start date" for the nessus:plugins inputs?

0 Karma

Explorer

Yeah, thanks, I was using the wrong date.

0 Karma

Splunk Employee

Hi Rajbir, can you confirm that you have enabled the saved searches? Also, can you tell us what version of Splunk Enterprise you are running on?

0 Karma

New Member

Any solution for this?

10 searches enabled, date 1999/01/01, Splunk 6.3.3, no modification on scripts.
With index=nessus (we do not use the main index) we see sourcetype nessus:scan but NO nessus:plugin.

Can it be the workflows? What will happen if Splunk cannot connect to the URLs in the nessus workflows?

0 Karma

Explorer

Thanks! I have Splunk TA nessus running on a heavy forwarder, so I assume we don't need to have those saved searches enabled on the heavy forwarder, right? I do have those enabled on the search heads. We are running Splunk Enterprise 6.3.

0 Karma

Explorer

I changed the logging level to Info on TA nessus and noticed that the nessus_plugin input is not creating a checkpoint file under "/opt/splunk/var/lib/splunk/modinputs/nessus". It’s able to connect to the host, as we are seeing a response code of 200.

2015-11-04 16:55:36,580 INFO pid=11310 tid=MainThread file=nessus_rest_client.py:request:80 | Response status: 200
2015-11-04 16:55:36,515 INFO pid=11310 tid=MainThread file=nessus_rest_client.py:request:77 | Send request: https://x.x.x.x:8834/plugins/families
2015-11-04 16:55:36,515 INFO pid=11310 tid=MainThread file=nessus_rest_client.py:request:69 | start https://x.x.x.x:8834/plugins/families
2015-11-04 16:55:36,515 INFO pid=11310 tid=MainThread file=nessus_checkpoint.py:read:65 | Checkpoint file format is incorrect. Checkpoint file doesn't exist
2015-11-04 16:55:36,514 INFO pid=11310 tid=MainThread file=nessus_checkpoint.py:read:53 | Read Checkpoint from file /opt/splunk/var/lib/splunk/modinputs/nessus/nessus_plugin_Nessus-plugins_https_x_x_x_x_8834.ckpt

I tried creating a “Nessus-pluginshttpsxxxx8834.ckpt” file with the following content, but it still didn’t fix the issue.

{
    "https://x.x.x.x:8834": {
        "start_date": "1999/10/01"
    }
}

I even blew away everything and tried fresh by reinstalling the TA nessus, but the nessus plugin checkpoint file wasn’t created again.

0 Karma

SplunkTrust

Hi rajbir1, looks like it could be a problem with your python config on the system. I'd check the documentation for the Nessus add-on and ensure that everything is sorted out in that way. Let me know if this helps!

0 Karma

Explorer

Thanks Matt, I haven't modified anything in the python scripts though; I'm using everything out of the box.

0 Karma

Explorer

Any other thoughts on this issue, Matt?

0 Karma

Splunk Employee

Please file a support ticket so we can see a diag.

0 Karma