
Nessus Add-On 4.0.0 not working - no data

Magnus_001
Explorer

Hello,

I have Splunk Enterprise 6.2.5 running in a distributed environment and I can't seem to get the Nessus Add-on 4.0.0 to work. I have it installed on one of my search heads and configured as follows but I am not getting any data written to the nessus index. Am I missing something? Thanks in advance for any help.

inputs.conf

[nessus://nessus_scan]
interval = 86400
url = https://myserver.myco.com:8834
access_key = ********
secret_key = ********
start_date = 2015/01/01
page_size = 1000
metric = nessus_scan
batch_size = 100000
index = nessus

[nessus://nessus_plugin]
interval = 604800
url = https://myserver.myco.com:8834
access_key = ********
secret_key = ********
start_date = 2015/01/01
page_size = 1000
metric = nessus_plugin
batch_size = 100000
index = nessus

ta_nessus.log

2015-11-20 10:15:23,386 INFO pid=8117 tid=MainThread file=nessus.py:main:260 | Start nessus TA
2015-11-20 10:15:23,525 INFO pid=8121 tid=MainThread file=nessus.py:main:260 | Start nessus TA
2015-11-20 10:15:23,589 INFO pid=8117 tid=MainThread file=nessus_config.py:get_nessus_conf:80 | Try to get encrypted proxy username & password
2015-11-20 10:15:23,590 INFO pid=8117 tid=MainThread file=nessus_config.py:update_nessus_conf:66 | Update nessus.conf
2015-11-20 10:15:23,590 INFO pid=8117 tid=MainThread file=nessus_config.py:_encrypt_nessus_conf:198 | Encrypt the proxy username & password
2015-11-20 10:15:23,590 INFO pid=8117 tid=MainThread file=nessus_config.py:_encrypt_nessus_conf:206 | Proxy username is empty. Try to delete the encrypted proxy username & password
2015-11-20 10:15:23,657 INFO pid=8121 tid=MainThread file=nessus_config.py:get_nessus_conf:80 | Try to get encrypted proxy username & password
2015-11-20 10:15:23,657 INFO pid=8121 tid=MainThread file=nessus_config.py:update_nessus_conf:66 | Update nessus.conf
2015-11-20 10:15:23,657 INFO pid=8121 tid=MainThread file=nessus_config.py:_encrypt_nessus_conf:198 | Encrypt the proxy username & password
2015-11-20 10:15:23,657 INFO pid=8121 tid=MainThread file=nessus_config.py:_encrypt_nessus_conf:206 | Proxy username is empty. Try to delete the encrypted proxy username & password
2015-11-20 10:15:23,667 INFO pid=8117 tid=MainThread file=nessus.py:get_nessus_modinput_configs:142 | Set loglevel to WARN
2015-11-20 10:15:23,738 INFO pid=8121 tid=MainThread file=nessus.py:get_nessus_modinput_configs:142 | Set loglevel to WARN

/opt/splunk/var/lib/splunk/modinputs/nessus/nessus_scan_nessus_scan.ckpt
{
    "https://myserver.myco.com:8834": {
        "start_date": "2015/01/01",
        "scans": {
            "80":  { "hosts": [], "history_id": 81 },
            "74":  { "hosts": [], "history_id": 75 },
            "5":   { "hosts": [], "history_id": 6 },
            "12":  { "hosts": [], "history_id": 149 },
            "126": { "hosts": [], "history_id": 154 },
            "8":   { "hosts": [], "history_id": 76 },
            "70":  { "hosts": [], "history_id": 147 }
        }
    }
}


pnwhitmore
New Member

In my case, I had inadvertently altered permissions to the \Splunk\var\lib\splunk\modinputs\nessus\ directory when I opened it in Windows Explorer and UAC updated the folder permissions. Afterward, Splunk did not have permissions to write data to this folder as seen in splunkd.log:

06-15-2016 14:30:48.160 -0400 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\nessus.py"" IOError: [Errno 13] Permission denied: u'C:\\SPLUNKDATA\\Splunk\\var\\lib\\splunk\\modinputs\\nessus\\nessus_scan_nessus_scan.ckpt.new'

I manually edited permissions on the \nessus directory and gave Administrators full control of all subfolders and files. I restarted Splunk to trigger the Nessus plugin actions and it immediately started working.

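Added example, not code from the thread or from Splunk_TA_nessus: a probe that tries to write a checkpoint the way the IOError above shows the add-on does (create nessus_scan_nessus_scan.ckpt.new, then replace the .ckpt). The write-then-replace pattern is inferred from the file name in the error, not taken from the add-on's source, and the directory to probe is a parameter. Run it as the splunkd service account so the result reflects the permissions that matter.

```python
"""Added example; not code from the thread or from Splunk_TA_nessus.

Checks whether the account running splunkd can write a Nessus checkpoint
as the IOError in the thread shows the add-on does: create <name>.ckpt.new,
then replace <name>.ckpt. The write-then-replace pattern is an assumption
drawn from the file name in the error, not the add-on's actual code."""
import errno
import json
import os

CKPT_NAME = "nessus_scan_nessus_scan.ckpt"  # checkpoint file named in the thread


def probe_checkpoint_dir(directory, payload=None):
    """Try the .ckpt.new write and the rename; return (ok, detail).

    On failure, detail names the errno and the path that failed, so the
    ACL (Windows) or mode/owner (POSIX) of the right object can be fixed."""
    payload = payload if payload is not None else {"probe": True}
    tmp = os.path.join(directory, CKPT_NAME + ".new")
    final = os.path.join(directory, CKPT_NAME)
    try:
        with open(tmp, "w") as fh:
            json.dump(payload, fh)
        os.replace(tmp, final)  # atomic on POSIX; overwrites on Windows too
    except OSError as exc:
        name = errno.errorcode.get(exc.errno, str(exc.errno))
        hint = {
            errno.EACCES: "grant the splunkd account modify rights on the directory",
            errno.ENOENT: "directory does not exist; check the modinputs path",
        }.get(exc.errno, "see OS error")
        return False, "%s on %s: %s" % (name, exc.filename, hint)
    return True, final


def report(directory):
    """One-line human-readable summary of the probe result."""
    ok, detail = probe_checkpoint_dir(directory)
    return "checkpoint write %s: %s" % ("OK" if ok else "FAILED", detail)


if __name__ == "__main__":
    import sys
    # Default is the Linux path from the original post; pass another as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "/opt/splunk/var/lib/splunk/modinputs/nessus"
    print(report(target))
```

The probe deliberately writes the same file name the add-on uses, so a success here leaves a dummy checkpoint behind; run it only before the input has produced real state, or point it at a scratch directory with the same ACLs.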

Magnus_001
Explorer

Hi,

Glad yours is working and that it was a simple permissions issue. My problem ended up being the Nessus app was installed on the same search head as my Enterprise Security app (3.3.x). For some reason, I couldn't get the secret keys to encrypt no matter what I tried. As soon as I moved the Nessus app to a different search head without ES, it started working fine... a bit odd.


kerryc
Explorer

You should upgrade the nessus addon to the latest version and let it read directly from the Nessus API.


ramighebral
Path Finder

The add-on version is the latest. Can you clarify what "read directly" means? How else?


Magnus_001
Explorer

I did notice the following errors from nessus.py in the splunkd.log on the search head.

11-20-2015 10:15:25.539 -0600 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py" Traceback (most recent call last):
11-20-2015 10:15:25.539 -0600 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py" File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py", line 266, in
11-20-2015 10:15:25.539 -0600 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py" main()
11-20-2015 10:15:25.539 -0600 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py" File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py", line 261, in main
11-20-2015 10:15:25.539 -0600 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py" run()
11-20-2015 10:15:25.539 -0600 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py" File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py", line 176, in run
11-20-2015 10:15:25.539 -0600 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py" collector.collect_plugin_data()
11-20-2015 10:15:25.539 -0600 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py" File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus_data_collector.py", line 443, in collect_plugin_data
11-20-2015 10:15:25.540 -0600 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py" plugin_id_set = self._collect_plugin_id(plugin_families)
11-20-2015 10:15:25.540 -0600 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py" File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus_data_collector.py", line 331, in _collect_plugin_id
11-20-2015 10:15:25.540 -0600 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py" for plugin in plugins:
11-20-2015 10:15:25.540 -0600 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py" TypeError: 'NoneType' object is not iterable

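Added example, not code from the thread or from Splunk_TA_nessus: it reproduces the failure behind the traceback above ("TypeError: 'NoneType' object is not iterable" inside _collect_plugin_id) and shows the defensive shape of the same loop. The assumptions, which the thread does not confirm, are that the collector walks GET /plugins/families and GET /plugins/families/{id} on the Nessus REST API, sends the keys in an X-ApiKeys header, and that its HTTP helper returns None rather than raising when a request fails (bad keys, 403, proxy error). All responses below are constructed sample data, with one family deliberately missing so its fetch "fails".

```python
"""Added example; not code from the thread or from Splunk_TA_nessus.

Reproduces "TypeError: 'NoneType' object is not iterable" at the
"for plugin in plugins" loop and shows a defensive version. Assumed
(not from the thread): the collector walks GET /plugins/families and
GET /plugins/families/{id}, authenticates with the X-ApiKeys header,
and its HTTP helper returns None when a request fails."""
import json
import logging

log = logging.getLogger("nessus_example")

# Constructed sample responses keyed by API path. Family 2 has no entry,
# so fetching it "fails" and the helper returns None.
SAMPLE_RESPONSES = {
    "/plugins/families": {"families": [
        {"id": 1, "name": "Windows", "count": 2},
        {"id": 2, "name": "Web Servers", "count": 1},
        {"id": 3, "name": "Backdoors", "count": 1},
    ]},
    "/plugins/families/1": {"id": 1, "name": "Windows", "plugins": [
        {"id": 10400, "name": "Microsoft Windows SMB Registry : Remotely Accessible"},
        {"id": 11011, "name": "Microsoft Windows SMB Service Detection"},
    ]},
    "/plugins/families/3": {"id": 3, "name": "Backdoors", "plugins": [
        {"id": 10015, "name": "Backdoor detection"},
    ]},
}


def fake_get(path, access_key, secret_key):
    """Stand-in for the HTTP helper: parsed JSON on success, None on failure."""
    headers = {"X-ApiKeys": "accessKey=%s; secretKey=%s" % (access_key, secret_key)}
    body = SAMPLE_RESPONSES.get(path)
    if body is None:
        log.warning("GET %s failed (headers sent: %s)", path, list(headers))
        return None
    return json.loads(json.dumps(body))  # fresh copy, as a real client would parse


def collect_plugin_ids_naive(families, get, access_key="k", secret_key="s"):
    """Same shape as the failing loop in the traceback: iterate whatever came back."""
    ids = set()
    for fam in families:
        resp = get("/plugins/families/%d" % fam["id"], access_key, secret_key)
        plugins = resp.get("plugins") if resp else None
        for plugin in plugins:  # plugins is None for family 2 -> TypeError
            ids.add(plugin["id"])
    return ids


def collect_plugin_ids(families, get, access_key="k", secret_key="s"):
    """Defensive version: a family whose plugin list cannot be fetched is
    logged and skipped, and the caller also gets the list of failed ids."""
    ids, failed = set(), []
    for fam in families or []:
        resp = get("/plugins/families/%d" % fam["id"], access_key, secret_key)
        plugins = resp.get("plugins") if isinstance(resp, dict) else None
        if not isinstance(plugins, list):
            log.error("no plugin list for family %s (%s): check the API keys, "
                      "the proxy and that the Nessus user may read plugins",
                      fam["id"], fam.get("name"))
            failed.append(fam["id"])
            continue
        ids.update(p["id"] for p in plugins)
    return ids, failed


def load_families(get, access_key="k", secret_key="s"):
    """Top-level call; returns [] instead of None so callers can always iterate."""
    resp = get("/plugins/families", access_key, secret_key)
    fams = resp.get("families") if isinstance(resp, dict) else None
    return fams if isinstance(fams, list) else []


def reproduce_traceback():
    """Returns the TypeError message the naive loop raises, or None if it did not."""
    try:
        collect_plugin_ids_naive(load_families(fake_get), fake_get)
    except TypeError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print("naive loop raised:", reproduce_traceback())
    print("defensive result:", collect_plugin_ids(load_families(fake_get), fake_get))
```

The point for troubleshooting: the TypeError is not the fault, only where it surfaces. A None at that line means an earlier API call returned nothing, so the first thing to check is whether the keys configured in inputs.conf can fetch /plugins/families from the search head at all (same account, same proxy settings), and whether the add-on's own log shows the failed request when its log level is lowered from WARN.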

ramighebral
Path Finder

I am getting the same error, any progress ?

