Splunk Add-on for Tenable: How to correctly filter events to nullQueue from Tenable?

Hello,

My environment uses Nessus for vulnerability scanning, and we are importing the results of those scans via the Splunk Add-on for Tenable, here: https://splunkbase.splunk.com/app/1710/#/overview . The events are correctly being indexed into Splunk.

However, approximately 90% of the events generated from the Nessus scans are "Informative", which we do not wish to index into Splunk.

I've added a TRANSFORMS in the props.conf and a stanza in transforms.conf to find the appropriate "Informative" events with a regex and discard them using the nullQueue queue, but I have been unsuccessful in filtering out "Informative" events from new scan results as they are being indexed.

The Splunk Add-on for Tenable is installed on a heavy forwarder. I have attempted both having the props and transforms on the heavy forwarder, and having them on the indexers. Neither has worked as I intended. See added props and transforms below:

props.conf

[tenable:sc:vuln]
#To remove "severity = informative" events from being logged in to Splunk, to reduce events
TRANSFORMS-null= tenable_remove_severity_informative

transforms.conf

#To remove "severity = informative" events from being logged in to Splunk, to reduce events
[tenable_remove_severity_informative]
REGEX ="severity":\s\{(?:"name"|"description"|"id"):\s(?:"Info"|"Informative"|"0"),\s(?:"name"|"description"|"id"):\s(?:"Info"|"Informative"|"0"),\s(?:"name"|"description"|"id"):\s(?:"Info"|"Informative"|"0")\}
DEST_KEY = queue
FORMAT = nullQueue

I've tried other, simpler, regex terms (thinking maybe it was just a regex problem), but I'm nearly certain I've eliminated that as a possibility. When I copy/paste the above regex to test against the logs, it correctly finds the text I'm looking for.

Any advice is greatly appreciated! Thank you!
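An added offline check, not part of the original post, for validating a nullQueue REGEX before touching props/transforms: it runs the pattern posted above against constructed sample events in Python (whose `re` syntax behaves the same as Splunk's PCRE for this pattern) and contrasts it with a whitespace-tolerant variant. The sample events and the assumption that compact JSON (no space after `:` or `,`) may appear are constructed for the example and are not taken from the add-on.

```python
import re

# Pattern exactly as posted in transforms.conf: \s demands one whitespace
# character after every ':' and ','.
POSTED_REGEX = (
    r'"severity":\s\{(?:"name"|"description"|"id"):\s(?:"Info"|"Informative"|"0"),'
    r'\s(?:"name"|"description"|"id"):\s(?:"Info"|"Informative"|"0"),'
    r'\s(?:"name"|"description"|"id"):\s(?:"Info"|"Informative"|"0")\}'
)

# Same pattern with \s relaxed to \s* so it also matches compact JSON.
TOLERANT_REGEX = POSTED_REGEX.replace(r"\s", r"\s*")

# Constructed sample _raw events (not real Tenable output): a pretty-printed
# info finding, the same finding in compact JSON, and a critical finding that
# must never be dropped.
SAMPLE_EVENTS = {
    "info_spaced": '{"pluginID": "12345", "severity": {"id": "0", "name": "Info", '
                   '"description": "Informative"}, "ip": "10.0.0.5"}',
    "info_compact": '{"pluginID":"12345","severity":{"id":"0","name":"Info",'
                    '"description":"Informative"},"ip":"10.0.0.5"}',
    "critical_spaced": '{"pluginID": "67890", "severity": {"id": "4", "name": "Critical", '
                       '"description": "Critical Severity"}, "ip": "10.0.0.7"}',
}


def route(event: str, pattern: str) -> str:
    """Mimic the transform: a REGEX hit on _raw sends the event to nullQueue."""
    return "nullQueue" if re.search(pattern, event) else "indexQueue"


def routing_table(pattern: str) -> dict:
    """Route every sample event with one pattern so the two regexes can be compared."""
    return {name: route(raw, pattern) for name, raw in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for label, pattern in (("posted", POSTED_REGEX), ("tolerant", TOLERANT_REGEX)):
        print(label, routing_table(pattern))
```

The posted pattern drops only the spaced event and lets the compact one through, while the tolerant pattern drops both and still keeps the critical finding. This checks the regex only; because a modular input on a heavy forwarder is parsed there, the props/transforms must live on that forwarder for the nullQueue routing to run at all.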

1 Solution

I don't know why, but after I replaced

TRANSFORMS-null= tenable_remove_severity_informative

with

TRANSFORMS = tenable_remove_severity_informative

it started working. Not sure why I had to omit the namespace.
