Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Nessus in Splunk - pull scans from Windows Server
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nessus in Splunk - pull scans from Windows Server
I'm running Splunk on a Linux box. Nessus is running on another Linux box, but I'm using the Nessus web GUI from a Windows box to run scans. Scans are downloaded to that Windows box and saved as .csv files. Currently, I have to copy the files to the Splunk (indexer) box to get NessusInSplunk to see and index the data, using RegEx. I want to point the NessusInSplunk app to my Windows box so I don't have to copy the files to the Linux box. What entry should I make in the inputs.conf file, or how do I set the path through the Splunk GUI. When I try \servername\homes$\dir2\dir3\ I get error, "In Handler: 'monitor': Parameter name: Path must be absolute." I see a comment that splunk must have access to the network share. What user in that? Do I have to mount a network share on the Splunk (Linux) box? Or how must I share the directory on the Windows box?
A related question: How can I get server names in the Nessus scans to show up (not IP addresses in the NessusInSplunk app?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi John
did you ever get the Slunk add-on TA work on the windows box? I run into the same issue.
on the windows OS,
i have
1. universal forwarder
1. e:\nessus\incoming folder
2. e:\nessus\parsed folder
inputs.conf
[script://./bin/nessus2splunk.py -s e:\nessus\incoming -t c:\nessus\parsed]
disabled = false
interval = 120
index = nessus
source = nessus2splunk
sourcetype = nessus2splunk
I run a scan on nessus and drop scan result in e:\nessus\incoming folder
but it doesn't work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
John,
If you have a Splunk Universal forwarder installed on the Windows system you should be able to monitor the directory that you want to pull these CSV's from. Just ensure that you specify the sourcetype and index.
The host names versus the IP addresses are dependent on the settings in Nessus and not the app.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
