Nessus and Splunk Integration
Many companies today use Splunk as their SIEM platform, a central place for all the logs from their security devices and tools. One such tool is Tenable Nessus, the leading name in vulnerability scanning and assessment, and having the vulnerability information of your assets in Splunk comes in handy.
This post guides you through the process of bringing your Nessus scan reports into Splunk.
Step 1: On your Nessus instance go to Settings >> My Account >> API Keys and click Generate.
This will generate an Access Key and Secret Key pair. Save them carefully in a safe location, as they are irrecoverable and are generated only once.
For the demo we have the scans shown below, whose reports we want to index in Splunk.
Step 2: Download the Splunk TA – Nessus Data Importer
https://splunkbase.splunk.com/app/2740/
NOTE: As of the current version, this add-on is designed to work only with *nix-based systems.
Step 3: On your Splunk Instance go to Manage Apps >> Install app from file and upload the add-on you just downloaded.
Step 4: Restart Splunk: go to Settings >> Server controls and click Restart Splunk.
NOTE: The current version of this add-on has no GUI, so all the configuration changes must be done using the CLI.
Step 5: Open the CLI of your Splunk instance and go to $SPLUNK_HOME/etc/apps/TA-nessus_json.
Step 6: In this directory, navigate to bin and locate the file nessus2splunkjson.py.
Step 7: Open nessus2splunkjson.py; we are going to edit this file.
>> vim nessus2splunkjson.py
> Locate the url value and replace it with your Nessus hostname/IP:port.
> Provide the Access Key and Secret Key.
>> Save the changes to the file.
Step 8: Run this Python script
> python nessus2splunkjson.py
This script will push the data to your index (main, by default).
Step 9: Log into Splunk and verify.
As you may have noticed, you need to run the script nessus2splunkjson.py manually to import your data into Splunk. If you wish, you can run this script on a schedule; see the link below for help:
https://docs.splunk.com/Documentation/Splunk/8.0.2/AdvancedDev/ScriptSetup
While setting up the scripted input you can also change the index to any other of your choice in inputs.conf.
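As an added example (not part of the original post or of the add-on itself), here is a local inputs.conf stanza that runs nessus2splunkjson.py as a Splunk scripted input on a schedule and sends the results to a dedicated index; the interval and the index name "nessus" are assumptions, and the script path follows the directory from Step 5:

```ini
# Added example: $SPLUNK_HOME/etc/apps/TA-nessus_json/local/inputs.conf
# Schedules nessus2splunkjson.py as a scripted input instead of running it by hand.
# The interval and index name are assumptions; adjust them to your deployment.
[script://$SPLUNK_HOME/etc/apps/TA-nessus_json/bin/nessus2splunkjson.py]
# Run once a day at 02:00 (cron syntax); a plain number of seconds, e.g. 86400, also works.
interval = 0 2 * * *
# Store scan results in their own index instead of the default "main".
# Create the index first (Settings >> Indexes) so the events are not rejected.
index = nessus
disabled = 0
```

Because Step 7 leaves the Nessus API keys inside nessus2splunkjson.py, make that file readable only by the account Splunk runs as, and restart Splunk (or reload its inputs) after saving the stanza so the schedule takes effect.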
That’s all for now, hope you enjoyed the post.
Happy Splunking!!