Splunk Enterprise Security

Splunk Add-on for Nessus: Why am I unable to connect to my Nessus Professional instance?

New Member

Hi There

This is my first ever forum question / post so please let me know if there is any further information I may need to provide in order to help with resolving my issue.


I have been going round in circles trying to connect my Nessus Professional instance with Splunk Enterprise and the Enterprise Security application via the Splunk Add-on for Nessus to send scan data periodically. However, the index I created for Nessus data to populate is not being populated and remains empty, I have checked the logs in index=_internal sourcetype=ta:nessus:log (Shown Below), and appears to not be able to connect to default - https://xxx.xxx.xxx.xxx:8834/scans.


Setup: Splunk is sitting in a server farm on network 1, subnet A *, Nessus is sitting in a server farm on network 1, subnet B *, my client machine is sitting in the client area on network 1, subnet C *. I have left the Nessus settings as default i.e. specifically listening on port 8834, I have generated API keys on the Nessus device and have configured the Splunk Add-on for Nessus with the address of the Nessus device and the API keys.

Troubleshooting: I have tested telnet from my client machine to the Nessus device on port 8834, and netstat on the Nessus device shows a socket successfully created as socket clientMachine:ephemeralPort / xxx.xxx.xxx.xxx:xxxxxx. Telnet cannot be run from the Splunk Enterprise instance, however when i test cURL from Splunk Enterprise to Nessus I am not getting any downloads.

(for example)*

The point where it constantly fails is shown below in the log output from index=_internal sourcetype=ta:nessus:log -

2016-08-03 10:52:33,246 ERROR pid=2780 tid=MainThread file=nessus_rest_client.py:request:91 | Failed to connect https://xxx.xxx.xxx.xxx:8834/scans, reason=Traceback (most recent call last):
  File "D:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\nessus_rest_client.py", line 79, in request
  File "D:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunktalib\httplib2\__init__.py", line 1593, in request
    (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
  File "D:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunktalib\httplib2\__init__.py", line 1335, in _request
    (response, content) = self._conn_request(conn, request_uri, method, body, headers)
  File "D:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunktalib\httplib2\__init__.py", line 1291, in _conn_request
    response = conn.getresponse()
  File "D:\Program Files\Splunk\Python-2.7\Lib\httplib.py", line 1123, in getresponse
    raise ResponseNotReady()

Any help is much appreciated, thanks.

0 Karma

Splunk Employee
Splunk Employee

If you don't have telnet on the Splunk server, try using the openssl command:

openssl s_client -connect xxx:8834

This will tell you if you have a firewall block.

0 Karma

New Member

If the certificate is expired or not valid could this cause the data to not be input into the index?

alt text

0 Karma

New Member

Thanks, I tried openssl it is either not installed or is not in the path variables. The Splunk instance is on a windows server but I come from a Unix background, from what I can see I am guessing Openssl is not installed or enabled by default?

0 Karma


You can run the OpenSSL command from Splunk's bin directory at "C:\Program Files\Splunk\bin\"

0 Karma
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of Splunk APM’s and Splunk RUM’s streaming infrastructure in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...