Thanks @Grumpalot for your quick reply. So here is such an example:
Nessus: https://postimg.org/image/60wd5vzcr/
Splunk: https://postimg.org/image/830vwywvp/
In this example, the plugin output consists of two sections because it applies to two ports. In Splunk, it is all grouped together into one section without the port/host information and without proper line breaks.
If you could fix that issue, that would be great.
Edit:
Here is what the JSON output from the Nessus API looks like:
https://postimg.org/image/t40t8fw1x/
In nessus_data_collector.py there is the code section "get the port info". Since the plugin output is specific for each port, perhaps in this code section we can extract the plugin output data for each port.
Edit 2:
Okay so I made some changes myself. As I said, I put your "#get plugin_output data" and "# get the port info" sections together because the plugin output is different for each port. In the original nessus_data_collector.py script, I replaced the lines 192-211 with the following:
# get the port info (merged with the "get plugin_output data" section, since the
# plugin output differs per port). Requires `import re` at the top of the script;
# vuln, host_uri and self.client come from the surrounding method.
plugin_id = vuln.get("plugin_id", "")
port_info = []
if plugin_id:
    plugin_uri = "{}/plugins/{}".format(host_uri, plugin_id)
    # "outputs" may be absent, so fall back to an empty list instead of iterating None
    plugin_outputs = self.client.request(plugin_uri).get(
        "content", {}).get("outputs") or []
    for output in plugin_outputs:
        # each output block lists the ports it applies to, keyed like "443 / tcp / www"
        ports = output.get("ports", {}).keys()
        plugin_output = output.get("plugin_output", "")
        if plugin_output:
            plugin_output = str(plugin_output)
            # newlines and backslashes get lost on the way into Splunk, so encode
            # them as markers here and convert them back on the Splunk side
            plugin_output = plugin_output.replace("\n", "#NL#")
            plugin_output = plugin_output.replace("\\", "#BL#")
        else:
            plugin_output = "N/A"
        for port in ports:
            port_elem = {}
            port_items = re.split(r"\s*/\s*", port)
            port_elem["port"] = int(port_items[0])
            # guard the index lookups in case a port key carries fewer than three fields
            if len(port_items) > 1 and port_items[1]:
                port_elem["transport"] = port_items[1]
            else:
                port_elem["transport"] = "N/A"
            if len(port_items) > 2 and port_items[2]:
                port_elem["protocol"] = port_items[2]
            else:
                port_elem["protocol"] = "N/A"
            port_elem["plugin_output"] = plugin_output
            port_info.append(port_elem)
I don't understand why I don't see newline and backslash characters in Splunk. So in the collector script I replace them with "#NL#" and "#BL#" and later in Splunk convert them back to \n and \. It's not pretty. But at least it's now working for me.
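A stand-alone version of the per-port flattening and the #NL#/#BL# marker round trip, added here as an example (it is not part of the post or of nessus_data_collector.py). The outputs list is constructed to mirror the shape of the Nessus API response, with one output block that applies to two ports as in the screenshot above.

```python
import re

# Constructed sample shaped like the "outputs" list the Nessus API returns for a
# plugin on a host: one block covering two ports, one block with empty output.
SAMPLE_OUTPUTS = [
    {
        "plugin_output": "Path : C:\\inetpub\\wwwroot\nServer : IIS",
        "ports": {"80 / tcp / www": [], "443 / tcp / www": []},
    },
    {"plugin_output": "", "ports": {"8080 / tcp / www": []}},
]


def encode_for_splunk(text):
    """Replace the characters that get lost on the way into Splunk with markers."""
    return text.replace("\n", "#NL#").replace("\\", "#BL#")


def decode_from_splunk(text):
    """Inverse of encode_for_splunk; this is what the Splunk side has to undo."""
    return text.replace("#NL#", "\n").replace("#BL#", "\\")


def build_port_info(outputs):
    """Flatten Nessus plugin outputs into one record per port."""
    port_info = []
    for output in outputs or []:
        plugin_output = str(output.get("plugin_output") or "")
        plugin_output = encode_for_splunk(plugin_output) if plugin_output else "N/A"
        for port in output.get("ports", {}):
            # Nessus port keys look like "443 / tcp / www"; pad so that a key
            # with fewer than three fields still yields "N/A" instead of an IndexError
            items = re.split(r"\s*/\s*", port) + ["", ""]
            port_info.append({
                "port": int(items[0]),
                "transport": items[1] or "N/A",
                "protocol": items[2] or "N/A",
                "plugin_output": plugin_output,
            })
    return port_info


if __name__ == "__main__":
    for record in build_port_info(SAMPLE_OUTPUTS):
        print(record)
```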