Getting Data In
Highlighted

Configuring tenable Nessus with Splunk Enterprise

Explorer

Greetings Community,

I am trying to integrate the Splunk Add-on tenable to collect scan details from Nessus. Unfotunately, no data has been collected. Here is what I confirmed to do:
1- I installed the add-on on my heavy forwarder and configured the correct index=nessus.
2- I also installed the add-on on the search head cluster as the guide suggested after deleting both "eventgen.conf" & "inputs.conf". (Splunk Add-on for Tenable, Splunk Docs)
3- Moreover, I ensured to get the correct keys from Nessus tenable when configuring the add-on on Splunk.
(HowToGuideTenable.ioSplunk_v2.pdf)
4- The indexers have the correct index.
5- Firewall ports have been allowed.

By running a tcpdump on my Heavyforwarder, I couldn't see any packages sent/received between it and the Nessus server. However, I manged to find two repetitive errors in the Nessuslog file as follow:

Error#1:

2017-08-26 19:38:42,209 +0000 log_level=ERROR, pid=6866, tid=MainThread, file=ta_mod_input.py, func_name=main, code_line_no=186 | Tenable task encounter exception
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_mod_input.py", line 183, in main
    config_cls=configer_cls)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_mod_input.py", line 100, in run
    tconfig = tc.create_ta_config(settings, config_cls or tc.TaConfig)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_config.py", line 181, in create_ta_config
    return config_cls(meta_config, settings)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_config.py", line 21, in __init__
    meta_config[c.session_key])
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktalib/splunk_cluster.py", line 26, in __init__
    raise Exception("Failed to init ServerInfo")
Exception: Failed to init ServerInfo

Error#2:

2017-08-26 19:38:42,209 +0000 log_level=ERROR, pid=6866, tid=MainThread, file=rest.py, func_name=splunkd_request, code_line_no=42 | Failed to send rest request=https://127.0.0.1:8089/services/server/info, errcode=unknown, reason=Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktalib/rest.py", line 40, in splunkd_request
    headers=headers, body=data)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/httplib2/__init__.py", line 1609, in request
    (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/httplib2/__init__.py", line 1351, in _request
    (response, content) = self._conn_request(conn, request_uri, method, body, headers)
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/httplib2/__init__.py", line 1272, in _conn_request
    conn.connect()
  File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/httplib2/__init__.py", line 1075, in connect
    raise socket.error, msg
error: [Errno 111] Connection refused
0 Karma
Highlighted

Re: Configuring tenable Nessus with Splunk Enterprise

Engager
  1. Download Splunk Add-on for Tenable https://splunkbase.splunk.com/app/1710
  2. In Splunk, Manage apps (gear)>Install app from file>browse>Splunk-add-on-for-nessus
  3. After installing Launch app under actions column. Configure the Security Cetner Server. After the prompts adding the scanner will finalize the "input" configs.
  4. In Splunk, navigate to Searching & Reporting> Data Summary> sources tab

Tenable Nessus allows a splunk software admin to collect tenable vuln scan data from nessus and SecurityCenter via the REST API.

For more information, depending on why type of data you are trying to forward can be found in this document. I hope this is helpful.

https://jp.tenable.com/sites/drupal.dmz.tenablesecurity.com/files/integrations/How_To_Guide_Splunk.p...

Highlighted

Re: Configuring tenable Nessus with Splunk Enterprise

Communicator

@Mystica856 the few times I did run into the above issue was due to a bad API or Secret Key. Hopefuly when you generated your key you copied it down from Nessus. If you do have to pull new keys make sure that you copy them down in a safe place and try adding them back to both Host and Plugin on the HF configuration page.

0 Karma
Highlighted

Re: Configuring tenable Nessus with Splunk Enterprise

Explorer

Hi Grmpalot, thanks for taking the time to answer the question. I double checked the API but no luck. I am not sure what the exact issue is. Still looking around.

0 Karma