
Splunk Add-on for Tenable: Using add-on without a heavy forwarder

rsanders30
Path Finder

So I've been going through the documentation for the Nessus Add-on. It states that you will need to install the add-on on a Heavy Forwarder, however, our environment does not contain one. Our Nessus Pro Vulnerability Scanner sits on a Windows Server. I did see that within the add-on there is an inputs.conf.windows, but doesn't seem to be any different than the inputs.conf. What is the best way to approach this?


nickhills
Ultra Champion

Just to save you some time (and possibly pain): what version of Nessus Pro are you using?

The good people at Tenable have recently changed Nessus Pro and disabled the REST APIs which the TA makes use of to extract scan results.

If you are running an older version, stay there; if you are running 7.x, there is currently no programmatic way to extract scan data into a format Splunk can consume.

(See: https://answers.splunk.com/answers/598658/splunk-add-on-for-tenable-support-for-nessus-profe.html)

The future looks a bit bleak for Splunk & Nessus Pro users. Tenable are trying to guide people to either Security Center or Tenable.IO, which still support the REST API.

The Splunk Add-on for Tenable is designed to connect to Nessus SC over the REST API, which is why it is suggested to use an HF for this (as it can be quite heavy if you have a lot of scan results); it is not picking up local files in this configuration.

If you are running the older Nessus Pro, then the scripts in the package can be used to extract results from your scanner. There is no reason why you can't run these on your Nessus box if you wish, but I think you will need a full heavy forwarder rather than a UF, because it relies on the Python interpreter.

If my comment helps, please give it a thumbs up!


rsanders30
Path Finder

Our environment contains:
Nessus Pro Vulnerability Scanner 6.5.6 (less than 1000 systems scanned)
Splunk Enterprise 6.5.3
Search Heads
Enterprise Security
Indexes
Deployment Server
Universal Forwarders

I believe Nessus 6.5.6 still contains the REST API functionality. If I can get away with a Universal Forwarder, I would prefer that for now. Thanks for the help!


nickhills
Ultra Champion

You can't use a UF because the TA leverages the REST API using the Python framework; this is not part of the Splunk UF, so you will have to install a heavy forwarder (on your Nessus server would be fine).

You can then configure the inputs via the webUI on the HF, or via configuration files as you choose.

If my comment helps, please give it a thumbs up!
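To make concrete what the TA's Python-based input is doing on the HF (the REST-API extraction described in the accepted answer and in the comment above), here is an added example that is not part of the add-on or of any poster's code. It walks the Nessus 6.x scan-export API (`/session`, `/scans`, `/scans/{id}/export`, the `/status` poll and `/download`) through a pluggable transport; the `fake_nessus_transport` scanner and its credentials are constructed so the flow runs offline, and a live transport is a few-line wrapper around `urllib.request` with the same `(method, url, headers, body) -> (status, bytes)` signature. Against a 7.x scanner, where the API was removed, the session call fails and the exporter raises instead of silently returning no scans.

```python
import json
import time
from urllib.parse import urlparse


class NessusExporter:
    """Nessus 6.x export flow: log in, list completed scans, download one as .nessus XML."""

    def __init__(self, base_url, transport, poll_seconds=2):
        # transport(method, url, headers, body) -> (http_status, body_bytes); swappable for offline runs
        self.base_url, self.transport, self.poll = base_url.rstrip("/"), transport, poll_seconds
        self.token = None

    def _call(self, method, path, body=None):
        headers = {"Content-Type": "application/json"}
        if self.token:
            headers["X-Cookie"] = "token=" + self.token  # Nessus session header
        data = json.dumps(body).encode() if body is not None else None
        status, raw = self.transport(method, self.base_url + path, headers, data)
        if status != 200:  # Nessus Pro 7.x removed the API: fail loudly rather than index nothing
            raise RuntimeError("%s %s -> HTTP %d (REST API disabled?)" % (method, path, status))
        return raw

    def login(self, username, password):
        self.token = json.loads(self._call("POST", "/session", {"username": username, "password": password}))["token"]

    def completed_scan_ids(self):
        scans = json.loads(self._call("GET", "/scans")).get("scans") or []
        return [s["id"] for s in scans if s.get("status") == "completed"]

    def export_scan(self, scan_id):
        file_id = json.loads(self._call("POST", "/scans/%d/export" % scan_id, {"format": "nessus"}))["file"]
        base = "/scans/%d/export/%d" % (scan_id, file_id)
        while json.loads(self._call("GET", base + "/status"))["status"] != "ready":  # export is built async
            time.sleep(self.poll)
        return self._call("GET", base + "/download")


def fake_nessus_transport(method, url, headers, data):
    """Constructed stand-in for a 6.x scanner: one completed scan (id 5) exported as file 17."""
    key = (method, urlparse(url).path)
    if key != ("POST", "/session") and headers.get("X-Cookie") != "token=constructed-token":
        return 401, b"{}"  # everything after login must carry the session token
    routes = {("POST", "/session"): b'{"token": "constructed-token"}',
              ("GET", "/scans"): b'{"scans": [{"id": 5, "status": "completed"}, {"id": 6, "status": "running"}]}',
              ("POST", "/scans/5/export"): b'{"file": 17}',
              ("GET", "/scans/5/export/17/status"): b'{"status": "ready"}',
              ("GET", "/scans/5/export/17/download"): b"<NessusClientData_v2/>"}
    return (200, routes[key]) if key in routes else (404, b"{}")
```

The exported `.nessus` XML is what ends up indexed; on a real HF the same loop runs under Splunk's bundled Python, which is exactly the piece a UF lacks.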

rsanders30
Path Finder

Thank you. I will have to look at setting up a HF. Just seems inconvenient to do this for this one thing. However, I am hoping the outcome will be worth it. Appreciate your help!


kamlesh_vaghela
SplunkTrust

Hi @rsanders30,

Yes, there is a minor difference between inputs.conf and inputs.conf.windows, but this difference is only useful to you if you are using Nessus 5.X. For "Splunk Add-on for Tenable" installation, can you please share basic details of your Splunk & Nessus instance?
