Splunk Search

Nessus in Splunk - pull scans from Windows Server

New Member

I'm running Splunk on a Linux box. Nessus is running on another Linux box, but I'm using the Nessus web GUI from a Windows box to run scans. Scans are downloaded to that Windows box and saved as .csv files. Currently, I have to copy the files to the Splunk (indexer) box to get NessusInSplunk to see and index the data, using RegEx. I want to point the NessusInSplunk app to my Windows box so I don't have to copy the files to the Linux box. What entry should I make in the inputs.conf file, or how do I set the path through the Splunk GUI. When I try \servername\homes$\dir2\dir3\ I get error, "In Handler: 'monitor': Parameter name: Path must be absolute." I see a comment that splunk must have access to the network share. What user in that? Do I have to mount a network share on the Splunk (Linux) box? Or how must I share the directory on the Windows box?
A related question: How can I get server names in the Nessus scans to show up (not IP addresses in the NessusInSplunk app?

0 Karma


Hi John
did you ever get the Slunk add-on TA work on the windows box? I run into the same issue.

on the windows OS,
i have
1. universal forwarder
1. e:\nessus\incoming folder
2. e:\nessus\parsed folder

[script://./bin/nessus2splunk.py -s e:\nessus\incoming -t c:\nessus\parsed]
disabled = false
interval = 120
index = nessus
source = nessus2splunk
sourcetype = nessus2splunk

I run a scan on nessus and drop scan result in e:\nessus\incoming folder
but it doesn't work.

0 Karma



If you have a Splunk Universal forwarder installed on the Windows system you should be able to monitor the directory that you want to pull these CSV's from. Just ensure that you specify the sourcetype and index.

The host names versus the IP addresses are dependent on the settings in Nessus and not the app.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!