All Apps and Add-ons
Highlighted

Splunk Add-on for Tenable: How to correctly filter events to nullQueue from Tenable?

Path Finder

Hello,

My environment uses Nessus for vulnerability scanning, and we are importing the results of those scans via the Splunk Add-on for Tenable, here: https://splunkbase.splunk.com/app/1710/#/overview The events are correctly being indexed into Splunk.

However, approximately 90% of the events generated from the Nessus scans are "Informative", which we do not wish to index into Splunk.

I've added a TRANSFORMS in the props.conf and a stanza in transforms.conf to find the appropriate "Informative" events with a regex, and discard them using the queue nullQueue, but, I have been unsuccessful in filtering out "Informative" events from new scans results as they are being indexed.

The Splunk Add-on for Tenable is installed on a heavy forwarder. I have attempted both having the props and transforms on the heavy forwarder, and having them on the indexers. Neither has worked as I intended. See added props and transforms below:

props.conf

[tenable:sc:vuln]
#To remove "severity = informative" events from being logged in to Splunk, to reduce events
TRANSFORMS-null= tenable_remove_severity_informative

transforms.conf

#To remove "severity = informative" events from being logged in to Splunk, to reduce events
[tenable_remove_severity_informative]
REGEX ="severity":\s\{(?:"name"|"description"|"id"):\s(?:"Info"|"Informative"|"0"),\s(?:"name"|"description"|"id"):\s(?:"Info"|"Informative"|"0"),\s(?:"name"|"description"|"id"):\s(?:"Info"|"Informative"|"0")\}
DEST_KEY = queue
FORMAT = nullQueue

I've tried other, simplier, regex terms (thinking maybe it was just a regex problem), but, I'm nearly certain I've eliminated that as a possibly. When I copy/paste the above regex to test again the logs, it correctly finds the text I'm looking for.

Any advise is greatly appreciated! Thank you!

Highlighted

Re: Splunk Add-on for Tenable: How to correctly filter events to nullQueue from Tenable?

Path Finder

I don't know why, but, after I replaced

TRANSFORMS-null= tenable_remove_severity_informative

with

TRANSFORMS = tenable_remove_severity_informative

It started working. Not sure why I had to omit the namespace.

View solution in original post

0 Karma