I am trying to integrate the Splunk Add-on for Tenable to collect scan details from Nessus. Unfortunately, no data has been collected. Here is what I have confirmed:
1- I installed the add-on on my heavy forwarder and configured the correct index=nessus.
2- I also installed the add-on on the search head cluster as the guide suggested after deleting both "eventgen.conf" & "inputs.conf". (Splunk Add-on for Tenable, Splunk Docs)
3- Moreover, I ensured I had the correct keys from Tenable Nessus when configuring the add-on in Splunk.
4- The indexers have the correct index.
5- Firewall ports have been allowed.
By running tcpdump on my Heavy Forwarder, I couldn't see any packets sent/received between it and the Nessus server. However, I managed to find two repetitive errors in the Nessus log file, as follows:
2017-08-26 19:38:42,209 +0000 log_level=ERROR, pid=6866, tid=MainThread, file=ta_mod_input.py, func_name=main, code_line_no=186 | Tenable task encounter exception
Traceback (most recent call last):
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_mod_input.py", line 183, in main
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_mod_input.py", line 100, in run
tconfig = tc.create_ta_config(settings, config_cls or tc.TaConfig)
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_config.py", line 181, in create_ta_config
return config_cls(meta_config, settings)
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktaucclib/data_collection/ta_config.py", line 21, in __init__
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktalib/splunk_cluster.py", line 26, in __init__
raise Exception("Failed to init ServerInfo")
Exception: Failed to init ServerInfo
2017-08-26 19:38:42,209 +0000 log_level=ERROR, pid=6866, tid=MainThread, file=rest.py, func_name=splunkd_request, code_line_no=42 | Failed to send rest request=https://127.0.0.1:8089/services/server/info, errcode=unknown, reason=Traceback (most recent call last):
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/splunktalib/rest.py", line 40, in splunkd_request
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/httplib2/__init__.py", line 1609, in request
(response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/httplib2/__init__.py", line 1351, in _request
(response, content) = self._conn_request(conn, request_uri, method, body, headers)
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/httplib2/__init__.py", line 1272, in _conn_request
File "/opt/splunk/etc/apps/Splunk_TA_nessus/bin/splunk_ta_nessus/httplib2/__init__.py", line 1075, in connect
raise socket.error, msg
error: [Errno 111] Connection refused
That did fix it. But what I did is I went to each source/stanza in my "D:/programfiles/splunkuniversalforwarder/etc/apps/splunkuniversalforwarder/local/inputs.conf" and added index=desktop to each. My question is, is there a way to do it at a global level? Meaning, can I tell the Universal Forwarder that the logs sent to port 9998 should go to index=desktop without editing each stanza?
Thanks for the solution.
I am new to Splunk and trying to know my way around it. I created a home lab environment with the following details:
* 1 search head, 1 indexer, and 1 Heavy Forwarder (all Linux).
* 1 Universal Forwarder (my desktop).
Right now, my Windows logs are being sent from the Universal Forwarder to the Heavy Forwarder on TCP port 9998 (a random port number). Then, the Heavy Forwarder receives on 9998 and sends on to the indexer on 9997. I can search from the search head and receive all the data; however, it all goes to index=main.
I tried the following:
* modify inputs.conf on the Heavy Forwarder with the following:
index = desktop
I also tried to modify the inputs.conf file in the launcher app:
index = desktop
None of the options above worked. Also, kindly note that I ensured the indexes.conf file on my indexer has the "desktop" index information.
Thanks in advance.
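A worked configuration for the index-routing question above, added here as an example; it is not taken from the thread and is not Splunk's own documentation. It assumes a Windows Universal Forwarder whose inputs live in the app directory named in the post, a hypothetical host name `mydesktop`, hypothetical Windows event log inputs, and the port numbers from the post (9998 to the Heavy Forwarder, 9997 onward to the indexer). Option A sets the index once in the `[default]` stanza of the forwarder's inputs.conf, which every input stanza in that file inherits unless it sets its own `index`. Option B shows the alternative of overriding the index on the Heavy Forwarder at parse time with a transform that writes `_MetaData:Index`; this is the approach to use when the data arrives over splunktcp already tagged with an index by the forwarder, which is why putting `index = desktop` under the receiving `[splunktcp://9998]` stanza is not enough.

```ini
# --- Option A: on the Universal Forwarder (the desktop) ---
# $SPLUNK_HOME/etc/apps/SplunkUniversalForwarder/local/inputs.conf
# Added example; the app path follows the post, the WinEventLog stanzas
# and the host name are assumptions.

[default]
# Every input stanza in this file inherits this unless it sets its own index.
index = desktop

[WinEventLog://Application]
disabled = 0

[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0

# --- Option B: on the Heavy Forwarder, override the index at parse time ---
# $SPLUNK_HOME/etc/system/local/props.conf (or an app's local/props.conf)
# The host::mydesktop stanza is an assumption; use the host value the
# forwarder actually reports (check with: index=main | stats count by host).

[host::mydesktop]
TRANSFORMS-route_desktop = route_to_desktop_index

# $SPLUNK_HOME/etc/system/local/transforms.conf

[route_to_desktop_index]
# Match every event from that host and rewrite its destination index.
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = desktop
```

Restart the forwarder (Option A) or the Heavy Forwarder (Option B) after editing, and confirm the merged result with `splunk btool inputs list --debug` on the forwarder or `splunk btool props list --debug` on the Heavy Forwarder, which also shows which file each setting came from. The `desktop` index must already exist on the indexer, as it does in the post; events routed to a nonexistent index are dropped or sent to the last-chance index depending on the indexer's configuration.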