Hello,
I have Splunk Enterprise 6.2.5 running in a distributed environment and I can't seem to get the Nessus Add-on 4.0.0 to work. I have it installed on one of my search heads and configured as follows, but I am not getting any data written to the nessus index. Am I missing something? Thanks in advance for any help.
inputs.conf
[nessus://nessus_scan]
interval = 86400
url = https://myserver.myco.com:8834
access_key = ********
secret_key = ********
start_date = 2015/01/01
page_size = 1000
metric = nessus_scan
batch_size = 100000
index = nessus
[nessus://nessus_plugin]
interval = 604800
url = https://myserver.myco.com:8834
access_key = ********
secret_key = ********
start_date = 2015/01/01
page_size = 1000
metric = nessus_plugin
batch_size = 100000
index = nessus
ta_nessus.log
2015-11-20 10:15:23,386 INFO pid=8117 tid=MainThread file=nessus.py:main:260 | Start nessus TA
2015-11-20 10:15:23,525 INFO pid=8121 tid=MainThread file=nessus.py:main:260 | Start nessus TA
2015-11-20 10:15:23,589 INFO pid=8117 tid=MainThread file=nessus_config.py:get_nessus_conf:80 | Try to get encrypted proxy username & password
2015-11-20 10:15:23,590 INFO pid=8117 tid=MainThread file=nessus_config.py:update_nessus_conf:66 | Update nessus.conf
2015-11-20 10:15:23,590 INFO pid=8117 tid=MainThread file=nessus_config.py:_encrypt_nessus_conf:198 | Encrypt the proxy username & password
2015-11-20 10:15:23,590 INFO pid=8117 tid=MainThread file=nessus_config.py:_encrypt_nessus_conf:206 | Proxy username is empty. Try to delete the encrypted proxy username & password
2015-11-20 10:15:23,657 INFO pid=8121 tid=MainThread file=nessus_config.py:get_nessus_conf:80 | Try to get encrypted proxy username & password
2015-11-20 10:15:23,657 INFO pid=8121 tid=MainThread file=nessus_config.py:update_nessus_conf:66 | Update nessus.conf
2015-11-20 10:15:23,657 INFO pid=8121 tid=MainThread file=nessus_config.py:_encrypt_nessus_conf:198 | Encrypt the proxy username & password
2015-11-20 10:15:23,657 INFO pid=8121 tid=MainThread file=nessus_config.py:_encrypt_nessus_conf:206 | Proxy username is empty. Try to delete the encrypted proxy username & password
2015-11-20 10:15:23,667 INFO pid=8117 tid=MainThread file=nessus.py:get_nessus_modinput_configs:142 | Set loglevel to WARN
2015-11-20 10:15:23,738 INFO pid=8121 tid=MainThread file=nessus.py:get_nessus_modinput_configs:142 | Set loglevel to WARN
/opt/splunk/var/lib/splunk/modinputs/nessus/nessus_scan_nessus_scan.ckpt
{
  "https://myserver.myco.com:8834": {
    "start_date": "2015/01/01",
    "scans": {
      "80": {
        "hosts": [],
        "history_id": 81
      },
      "74": {
        "hosts": [],
        "history_id": 75
      },
      "5": {
        "hosts": [],
        "history_id": 6
      },
      "12": {
        "hosts": [],
        "history_id": 149
      },
      "126": {
        "hosts": [],
        "history_id": 154
      },
      "8": {
        "hosts": [],
        "history_id": 76
      },
      "70": {
        "hosts": [],
        "history_id": 147
      }
    }
  }
}
In my case, I had inadvertently altered permissions to the \Splunk\var\lib\splunk\modinputs\nessus\ directory when I opened it in Windows Explorer and UAC updated the folder permissions. Afterward, Splunk did not have permissions to write data to this folder, as seen in splunkd.log:
06-15-2016 14:30:48.160 -0400 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\nessus.py"" IOError: [Errno 13] Permission denied: u'C:\\SPLUNKDATA\\Splunk\\var\\lib\\splunk\\modinputs\\nessus\\nessus_scan_nessus_scan.ckpt.new'
I manually edited permissions on the \nessus directory and gave Administrators full control of all subfolders and files. I restarted Splunk to trigger the Nessus plugin actions and it immediately started working.
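Two things in this thread can be checked from the command line without restarting Splunk: whether the checkpoint file has actually recorded any hosts (every scan in the question's ckpt has an empty "hosts" list, which is consistent with nothing being indexed yet), and whether the user running splunkd can still create files in the modinputs directory (the Errno 13 on the ".ckpt.new" file above). The script below is an added diagnostic, not part of Splunk_TA_nessus; the ckpt layout it parses is the one shown in the question, the sample body is constructed, and the probe file it writes is a temporary file in the same directory (the real checkpoint is never modified).

```python
"""Added diagnostic (example code, not part of Splunk_TA_nessus) for two symptoms
in this thread: a checkpoint whose scans all have empty host lists, and a
modinputs directory the splunkd user can no longer write to.

Usage (path is an example from the thread):
    python ckpt_check.py /opt/splunk/var/lib/splunk/modinputs/nessus/nessus_scan_nessus_scan.ckpt
"""
import json
import os
import sys
import tempfile

# Constructed sample with the same shape as the ckpt file shown in the question.
SAMPLE_CKPT = json.dumps({
    "https://myserver.myco.com:8834": {
        "start_date": "2015/01/01",
        "scans": {
            "80": {"hosts": [], "history_id": 81},
            "74": {"hosts": ["10.0.0.5"], "history_id": 75},  # one scan with hosts recorded
            "5": {"hosts": [], "history_id": 6},
        },
    }
})


def summarize_checkpoint(text):
    """Parse a ckpt body and return, per Nessus server, the start date, the number
    of scans tracked, and the scan ids whose 'hosts' list is still empty."""
    data = json.loads(text)
    report = {}
    for server, state in data.items():
        scans = state.get("scans", {})
        empty = sorted((sid for sid, s in scans.items() if not s.get("hosts")), key=int)
        report[server] = {
            "start_date": state.get("start_date"),
            "total": len(scans),
            "empty": empty,
        }
    return report


def check_writable(directory):
    """Try to create a file in 'directory', which is the operation that failed with
    Errno 13 when the add-on wrote '<ckpt>.new'. Returns (True, 'ok') or
    (False, reason). The probe file is deleted again; the checkpoint itself is not touched."""
    try:
        with tempfile.NamedTemporaryFile(dir=directory, prefix="permcheck-", delete=True) as fh:
            fh.write(b"{}")
        return True, "ok"
    except (IOError, OSError) as exc:  # IOError on Python 2 (as in the log), OSError on Python 3
        return False, "%s: %s" % (exc.__class__.__name__, exc)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_CKPT
    for server, info in summarize_checkpoint(text).items():
        print("%s: %d scans since %s, %d with no hosts: %s"
              % (server, info["total"], info["start_date"], len(info["empty"]), info["empty"]))
    if path:
        ckpt_dir = os.path.dirname(os.path.abspath(path))
        print("write check on %s: %s" % (ckpt_dir, check_writable(ckpt_dir)))
```

Run it as the same account splunkd runs under; a write check that passes as an administrator but fails as the service account is exactly the situation described in the reply above.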
Hi,
Glad yours is working and that it was a simple permissions issue. My problem ended up being the Nessus app was installed on the same search head as my Enterprise Security app (3.3.x). For some reason, I couldn't get the secret keys to encrypt no matter what I tried. As soon as I moved the Nessus app to a different search head without ES, it started working fine... a bit odd.
You should upgrade the Nessus add-on to the latest version and let it read directly from the Nessus API.
The add-on version is the latest. Can you clarify what "read directly" means? How else?
I did notice the following errors from nessus.py in the splunkd.log on the search head.
11-20-2015 10:15:25.539 -0600 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py" Traceback (most recent call last):
11-20-2015 10:15:25.539 -0600 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py" File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py", line 266, in
11-20-2015 10:15:25.539 -0600 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py" main()
11-20-2015 10:15:25.539 -0600 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py" File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py", line 261, in main
11-20-2015 10:15:25.539 -0600 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py" run()
11-20-2015 10:15:25.539 -0600 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py" File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py", line 176, in run
11-20-2015 10:15:25.539 -0600 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py" collector.collect_plugin_data()
11-20-2015 10:15:25.539 -0600 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py" File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus_data_collector.py", line 443, in collect_plugin_data
11-20-2015 10:15:25.540 -0600 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py" plugin_id_set = self._collect_plugin_id(plugin_families)
11-20-2015 10:15:25.540 -0600 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py" File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus_data_collector.py", line 331, in _collect_plugin_id
11-20-2015 10:15:25.540 -0600 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py" for plugin in plugins:
11-20-2015 10:15:25.540 -0600 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_nessus/bin/nessus.py" TypeError: 'NoneType' object is not iterable
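The traceback ends in `_collect_plugin_id` at `for plugin in plugins:` with `plugins` being None, which means the value pulled out of the plugin-family response was missing rather than an empty list. That happens when the API answers with something other than the expected document (an error body, a login page, an empty reply), which is why the exception says nothing about the cause. The code below is an added example, not the add-on's code: it validates the response and reports which family failed and why, so one bad reply produces a log line instead of a bare TypeError. The response shape it assumes is a JSON object with a "plugins" list of objects carrying "id" and "name" (this is an assumption about the Nessus API; the sample bodies are constructed).

```python
"""Added example (not Splunk_TA_nessus code): validate a plugin-family response
before iterating it, so a missing 'plugins' field is reported instead of
surfacing as "TypeError: 'NoneType' object is not iterable"."""
import json


class NessusResponseError(Exception):
    """Raised when a family response is not the document we expected."""


def extract_plugin_ids(body, family_name="?"):
    """Return the set of plugin ids in one family response.
    Assumed shape: {"id": .., "name": .., "plugins": [{"id": .., "name": ..}, ...]}."""
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise NessusResponseError("family %s: response is not JSON (%s); starts with %r"
                                  % (family_name, exc, body[:60]))
    if not isinstance(data, dict):
        raise NessusResponseError("family %s: expected a JSON object, got %s"
                                  % (family_name, type(data).__name__))
    if "error" in data:  # API error bodies carry an 'error' message instead of data
        raise NessusResponseError("family %s: API error: %s" % (family_name, data["error"]))
    plugins = data.get("plugins")
    if plugins is None:  # the exact condition behind the traceback in the thread
        raise NessusResponseError("family %s: no 'plugins' field; keys present: %s"
                                  % (family_name, sorted(data)))
    ids = set()
    for plugin in plugins:
        pid = plugin.get("id") if isinstance(plugin, dict) else None
        if isinstance(pid, int):
            ids.add(pid)
    return ids


def collect_plugin_ids(responses):
    """responses: {family_name: raw response body}. Returns (all_ids, problems) so
    one malformed family is logged and skipped rather than aborting the whole run."""
    ids, problems = set(), {}
    for family, body in responses.items():
        try:
            ids |= extract_plugin_ids(body, family)
        except NessusResponseError as exc:
            problems[family] = str(exc)
    return ids, problems


# Constructed sample bodies: one good family and three failure modes.
SAMPLE_RESPONSES = {
    "General": json.dumps({"id": 1, "name": "General", "plugins": [
        {"id": 10180, "name": "Ping the remote host"},
        {"id": 19506, "name": "Nessus Scan Information"},
    ]}),
    "Web Servers": json.dumps({"error": "Invalid Credentials"}),
    "Windows": json.dumps({"id": 3, "name": "Windows"}),  # 'plugins' key absent
    "Backdoors": "<html>login</html>",                    # not JSON at all
}


if __name__ == "__main__":
    collected, failed = collect_plugin_ids(SAMPLE_RESPONSES)
    print("collected %d plugin ids" % len(collected))
    for family, reason in sorted(failed.items()):
        print("WARN %s" % reason)
```

With the add-on's log level set to WARN (see ta_nessus.log above), a message of this kind is what you would want to see in ta_nessus.log in place of the ExecProcessor traceback; the "Invalid Credentials" case in the sample is the one to look for first when the keys could not be encrypted, as described earlier in the thread.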
I am getting the same error. Any progress?