Nessus and Splunk Integration

Many companies today use Splunk as their SIEM platform, a central home for all the logs from their security devices and tools. One such tool is Tenable Nessus, the leading name in the domain of vulnerability scanning and assessment. Having the vulnerability information of your assets in the same place comes in handy.

This post guides you through the process of bringing your Nessus scan reports into Splunk.

Step 1: On your Nessus instance, go to Settings >> My Account >> API Keys and click on Generate.

This generates an Access Key and Secret Key pair. Save it carefully in a separate location, as the keys are irrecoverable and are generated only one time.


For this demo we have some scans, as shown below, whose reports we want to index in Splunk.


Step 2: Download the Splunk TA – Nessus Data Importer

NOTE: As of the current version, this add-on is designed to work only with *nix-based systems.


Step 3: On your Splunk Instance go to Manage Apps >> Install app from file and upload the add-on you just downloaded.


Step 4: Restart Splunk: go to Settings >> Server controls and click on Restart Splunk.

NOTE: The current version of this add-on has no GUI, so all the configuration changes must be done using the CLI.

Step 5: Open the CLI of your Splunk Instance and go to $SPLUNK_HOME/etc/apps/TA-nessus_json


Step 6: Open this directory and navigate to bin. Under bin, locate the file


Step 7: Open this file; we are going to edit it.

>> vim

> Locate the value of url and replace it with your Nessus hostname/ip:port


> Provide the Access Key and Secret key.


>> Save the changes to the file.

Step 8: Run this Python script

> Python


This script will push the data to your index (main, by default).

Step 9: Log into Splunk and verify.


As you may suspect, you need to run the script manually to import your data into Splunk. If you wish, you can run this script on a schedule; check the link below for help.

When setting up the script, you can also change the index to any other of your choice in inputs.conf.
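
Step 7 leaves the Nessus Access Key and Secret Key in plaintext in a file under the add-on's bin directory, so it is worth confirming that only the account running Splunk can read that file. The shell functions below are an added example, not part of the add-on or of the original post; the function names are hypothetical, and the script name in the usage comment is a placeholder for the file you edited.

```shell
#!/bin/sh
# Added example, not part of TA-nessus_json. After Step 7 a file under the
# add-on's bin directory holds the Nessus API keys in plaintext.

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Succeed only if neither group nor others have any access to the file.
# Returns 2 if the mode cannot be read (for example, the file is missing).
is_private() {
    mode=$(file_mode "$1") || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# List every regular file in a directory that group or others can access.
exposed_files() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        is_private "$f" || printf '%s\n' "$f"
    done
}

# Remove group/other access from one file and confirm the result.
# Owner bits are left alone so the owner can still read and run the script.
lock_down() {
    chmod go-rwx "$1" && is_private "$1"
}

# Usage (assumed default layout; <edited-script> is a placeholder):
#   exposed_files "$SPLUNK_HOME/etc/apps/TA-nessus_json/bin"
#   lock_down "$SPLUNK_HOME/etc/apps/TA-nessus_json/bin/<edited-script>"
```

The file must be owned by the account that runs Splunk, otherwise removing group and other access will also stop Splunk from executing the script.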

That’s all for now, hope you enjoyed the post.

Happy Splunking!!
