This is my first ever forum question / post so please let me know if there is any further information I may need to provide in order to help with resolving my issue.
I have been going round in circles trying to connect my Nessus Professional instance with Splunk Enterprise and the Enterprise Security application via the Splunk Add-on for Nessus to send scan data periodically. However, the index I created for Nessus data to populate is not being populated and remains empty, I have checked the logs in
index=_internal sourcetype=ta:nessus:log (Shown Below), and appears to not be able to connect to default - https://xxx.xxx.xxx.xxx:8834/scans.
Setup: Splunk is sitting in a server farm on network 1,
subnet A *, Nessus is sitting in a server farm on network 1,
subnet B *, my client machine is sitting in the client area on network 1,
subnet C *. I have left the Nessus settings as default i.e. specifically listening on port 8834, I have generated API keys on the Nessus device and have configured the Splunk Add-on for Nessus with the address of the Nessus device and the API keys.
Troubleshooting: I have tested telnet from my client machine to the Nessus device on port 8834, and netstat on the Nessus device shows a socket successfully created as socket clientMachine:ephemeralPort / xxx.xxx.xxx.xxx:xxxxxx. Telnet cannot be run from the Splunk Enterprise instance, however when i test cURL from Splunk Enterprise to Nessus I am not getting any downloads.
The point where it constantly fails is shown below in the log output from index=_internal sourcetype=ta:nessus:log -
2016-08-03 10:52:33,246 ERROR pid=2780 tid=MainThread file=nessus_rest_client.py:request:91 | Failed to connect https://xxx.xxx.xxx.xxx:8834/scans, reason=Traceback (most recent call last): File "D:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\nessus_rest_client.py", line 79, in request headers=headers) File "D:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunktalib\httplib2\__init__.py", line 1593, in request (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey) File "D:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunktalib\httplib2\__init__.py", line 1335, in _request (response, content) = self._conn_request(conn, request_uri, method, body, headers) File "D:\Program Files\Splunk\etc\apps\Splunk_TA_nessus\bin\splunktalib\httplib2\__init__.py", line 1291, in _conn_request response = conn.getresponse() File "D:\Program Files\Splunk\Python-2.7\Lib\httplib.py", line 1123, in getresponse raise ResponseNotReady() ResponseNotReady
Any help is much appreciated, thanks.
If you don't have telnet on the Splunk server, try using the openssl command:
openssl s_client -connect xxx:8834
This will tell you if you have a firewall block.
If the certificate is expired or not valid could this cause the data to not be input into the index?
Thanks, I tried openssl it is either not installed or is not in the path variables. The Splunk instance is on a windows server but I come from a Unix background, from what I can see I am guessing Openssl is not installed or enabled by default?
You can run the OpenSSL command from Splunk's bin directory at "C:\Program Files\Splunk\bin\"