
Splunk Add-on for Nessus: Why am I unable to connect to my Nessus Professional instance?

Jarrett
New Member

Hi There

This is my first ever forum question / post so please let me know if there is any further information I may need to provide in order to help with resolving my issue.

Issue

I have been going round in circles trying to connect my Nessus Professional instance with Splunk Enterprise and the Enterprise Security application via the Splunk Add-on for Nessus to send scan data periodically. However, the index I created for Nessus data is not being populated and remains empty. I have checked the logs in index=_internal sourcetype=ta:nessus:log (shown below), and the add-on appears to be unable to connect to the default URL, https://xxx.xxx.xxx.xxx:8834/scans.

Background

Setup: Splunk is sitting in a server farm on network 1, subnet A *, Nessus is sitting in a server farm on network 1, subnet B *, my client machine is sitting in the client area on network 1, subnet C *. I have left the Nessus settings as default i.e. specifically listening on port 8834, I have generated API keys on the Nessus device and have configured the Splunk Add-on for Nessus with the address of the Nessus device and the API keys.

Troubleshooting: I have tested telnet from my client machine to the Nessus device on port 8834, and netstat on the Nessus device shows a socket successfully created as clientMachine:ephemeralPort / xxx.xxx.xxx.xxx:xxxxxx. Telnet cannot be run from the Splunk Enterprise instance; however, when I test cURL from Splunk Enterprise to Nessus I am not getting any downloads.

(for example)*

The point where it constantly fails is shown below in the log output from index=_internal sourcetype=ta:nessus:log:

2016-08-03 10:52:33,246 ERROR pid=2780 tid=MainThread file=nessus_rest_client.py:request:91 | Failed to connect https://xxx.xxx.xxx.xxx:8834/scans, reason=Traceback (most recent call last):
  File "D:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\nessus_rest_client.py", line 79, in request
    headers=headers)
  File "D:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunktalib\httplib2\__init__.py", line 1593, in request
    (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
  File "D:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunktalib\httplib2\__init__.py", line 1335, in _request
    (response, content) = self._conn_request(conn, request_uri, method, body, headers)
  File "D:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunktalib\httplib2\__init__.py", line 1291, in _conn_request
    response = conn.getresponse()
  File "D:\Program Files\Splunk\Python-2.7\Lib\httplib.py", line 1123, in getresponse
    raise ResponseNotReady()
ResponseNotReady

Any help is much appreciated, thanks.

0 Karma

sjohnson_splunk
Splunk Employee

If you don't have telnet on the Splunk server, try using the openssl command:

openssl s_client -connect xxx:8834

This will tell you if you have a firewall block.

0 Karma

Jarrett
New Member

If the certificate is expired or not valid could this cause the data to not be input into the index?


0 Karma

Jarrett
New Member

Thanks, I tried openssl; it is either not installed or not in the PATH variable. The Splunk instance is on a Windows server, but I come from a Unix background; from what I can see, I am guessing OpenSSL is not installed or enabled by default?

0 Karma

coltwanger
Contributor

You can run the OpenSSL command from Splunk's bin directory at "C:\Program Files\Splunk\bin\"

0 Karma
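The replies above amount to a layered check: telnet proves TCP reachability, openssl s_client proves the TLS handshake (and surfaces the expired or self-signed certificate question), and the add-on's own GET /scans is the HTTP layer that ends in the traceback. The script below is an added example, not code from the Splunk Add-on for Nessus; it runs those three layers in order from the Splunk host and stops at the first that fails, so a firewall block, a certificate problem and a rejected API key each produce a different diagnosis. The host name, API keys and the verify-off switch are placeholders and assumptions; the X-ApiKeys header is the one the Nessus REST API expects.

```python
"""Layered connectivity triage for a Splunk-to-Nessus link (added example)."""
import http.client
import socket
import ssl

# Placeholders: substitute your own Nessus address and API keys.
NESSUS_HOST = "nessus.example.internal"
NESSUS_PORT = 8834          # Nessus default listener, as in the thread
ACCESS_KEY = "ACCESS_KEY_PLACEHOLDER"
SECRET_KEY = "SECRET_KEY_PLACEHOLDER"
TIMEOUT = 5


def classify_exception(exc):
    """Turn a socket/TLS/HTTP exception into a one-line diagnosis."""
    if isinstance(exc, ssl.SSLCertVerificationError):   # subclass of SSLError, so test first
        return "certificate rejected: self-signed, expired, untrusted CA or hostname mismatch"
    if isinstance(exc, ssl.SSLError):
        return "tls handshake failed: %s" % exc
    if isinstance(exc, ConnectionRefusedError):
        return "tcp refused: host reachable but nothing listening on that port"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout: no reply at all, typically a firewall or routing block between subnets"
    if isinstance(exc, socket.gaierror):
        return "dns failure: hostname does not resolve from this host"
    if isinstance(exc, http.client.ResponseNotReady):
        return "http client state error: response read before a request completed"
    return "error: %s: %s" % (type(exc).__name__, exc)


def tcp_reachable(host, port, timeout=TIMEOUT):
    """Layer 1: plain TCP connect, the same thing the telnet test proves."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "tcp connect ok"
    except OSError as exc:
        return False, classify_exception(exc)


def _context(verify):
    ctx = ssl.create_default_context()
    if not verify:
        # Diagnosis only, for self-signed Nessus certificates; do not leave verification off.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def tls_handshake(host, port, verify=True, timeout=TIMEOUT):
    """Layer 2: TLS handshake, what `openssl s_client -connect host:port` shows."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with _context(verify).wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()          # empty dict when verify=False
                return True, "tls ok (%s), subject=%s" % (tls.version(), cert.get("subject"))
    except (OSError, ssl.SSLError) as exc:
        return False, classify_exception(exc)


def nessus_scans(host, port, access_key, secret_key, verify=True, timeout=TIMEOUT):
    """Layer 3: authenticated GET /scans, the request the add-on's log shows failing."""
    headers = {"X-ApiKeys": "accessKey=%s; secretKey=%s" % (access_key, secret_key)}
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=_context(verify))
    try:
        conn.request("GET", "/scans", headers=headers)
        resp = conn.getresponse()
        resp.read()
        if resp.status == 401:
            return False, "http 401: reached Nessus but the API keys were rejected"
        return resp.status == 200, "http %d" % resp.status
    except (OSError, http.client.HTTPException) as exc:
        return False, classify_exception(exc)
    finally:
        conn.close()


def triage(host, port, access_key, secret_key, verify=True):
    """Run the layers in order and report the first one that fails."""
    checks = (
        ("tcp", lambda: tcp_reachable(host, port)),
        ("tls", lambda: tls_handshake(host, port, verify)),
        ("http", lambda: nessus_scans(host, port, access_key, secret_key, verify)),
    )
    for name, check in checks:
        ok, detail = check()
        if not ok:
            return name, detail
    return "ok", "all layers passed"


def demo_classifications():
    """Constructed exceptions, to show what each failure layer reports."""
    samples = {
        "firewall": socket.timeout("timed out"),
        "closed_port": ConnectionRefusedError(),
        "bad_cert": ssl.SSLCertVerificationError("certificate verify failed"),
        "not_ready": http.client.ResponseNotReady(),
    }
    return {k: classify_exception(v) for k, v in samples.items()}


def loopback_self_check():
    """Sanity-check tcp_reachable against a listener bound on 127.0.0.1."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    try:
        return tcp_reachable("127.0.0.1", srv.getsockname()[1])[0]
    finally:
        srv.close()


if __name__ == "__main__":
    print(demo_classifications())
    print(triage(NESSUS_HOST, NESSUS_PORT, ACCESS_KEY, SECRET_KEY))
```

Run it with Splunk's bundled interpreter on the Splunk server (the same host the add-on runs from), since that is the network position that matters; a result of ("tcp", "timeout: ...") points at the firewall between subnets, ("tls", "certificate rejected ...") at the Nessus certificate, and ("http", "http 401 ...") at the configured keys.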