Nessus Integrations with Splunk

Aaron L
Nov 2, 2023


Splunk and Nessus are a great pairing, if you can get them to work together.

So you want to pull your data from Nessus into Splunk for better log management? Well, the first thing to do is head on over to Splunkbase and check for the add-on: https://splunkbase.splunk.com/app/4060

The first thing I noticed after logging in there was the installation steps, and well…

How do I install, say what now?

Well Tenable has you covered. You can pull up the documentation from Tenable’s own website showing the steps: https://docs.tenable.com/integrations/Splunk/Content/Splunk2/TenableAppforSplunk.htm

You can get about 5 minutes into that documentation before you realize it covers Tenable Security Center, Tenable Vulnerability Management, Tenable Nessus Network Monitor and some other products, none of which are the basic Nessus Professional scanner.

Tenable no longer appears to offer a Splunk integration for a basic Nessus scanner, so is there still a way to integrate the two?

Well, let's head over to a Splunk Enterprise instance and navigate to Data > Data Inputs > HTTP Event Collector.

So of course, what is the HTTP Event Collector? Taken from the docs:

HTTP Event Collector: The HTTP Event Collector is an endpoint that lets developers send application events directly to the Splunk platform via HTTP or HTTPS using a token-based authentication model.

Method 1. I would go into detail here, but someone has already done that for us, and it is a great walk-through; you can find it here: Wagner Lucena.

Method 2. If that doesn't sound like the kind of build you are looking for, you can also check out this GitHub project, which uses JSON in a similar fashion: TENAPULL

Method 3. Really, this method is another version of the last two. Tenable's team has put together a Python library, PyTenable, built to help make API calls against their more famous products. This should be taken with a grain of salt: it will not build out an integration with a Splunk application on its own, and mostly functions as a good base to build from to make something like Tenapull or the idea from Wagner Lucena above.
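All three methods reduce to the same pipeline: get findings out of Nessus, shape each one as a JSON event, and POST them to the HEC endpoint described above with the token in an `Authorization: Splunk <token>` header. The script below is an added example, not code from this post, Tenapull or PyTenable, that walks that pipeline against a small constructed `.nessus` export using only the Python standard library. The sample XML, the `SPLUNK_HEC_URL` / `SPLUNK_HEC_TOKEN` environment variable names and the `nessus:finding` sourcetype are assumptions for illustration; the `/services/collector/event` path and the header format are Splunk's documented HEC interface.

```python
"""Push Nessus Professional findings into Splunk over the HTTP Event Collector."""
import json
import os
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample in the .nessus (NessusClientData_v2) export format.
# Host, port and plugin values are made up for illustration, not a real scan.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="example-scan">
    <ReportHost name="10.0.0.5">
      <HostProperties>
        <tag name="host-ip">10.0.0.5</tag>
        <tag name="host-fqdn">web01.example.test</tag>
      </HostProperties>
      <ReportItem port="443" svc_name="https" protocol="tcp" severity="3"
                  pluginID="100001" pluginName="Example TLS weakness">
        <risk_factor>High</risk_factor>
        <plugin_output>Weak cipher suite offered.</plugin_output>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="100002" pluginName="Example info plugin">
        <risk_factor>None</risk_factor>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text, min_severity=1):
    """Flatten a .nessus export into one dict per finding.

    Findings below min_severity (0 = informational) are dropped so the
    index is not flooded with info-level plugin chatter.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        props = {t.get("name"): t.text for t in host.iter("tag")}
        for item in host.iter("ReportItem"):
            severity = int(item.get("severity", "0"))
            if severity < min_severity:
                continue
            findings.append({
                "host": host.get("name"),
                "fqdn": props.get("host-fqdn"),
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol"),
                "service": item.get("svc_name"),
                "severity": severity,
                "risk_factor": item.findtext("risk_factor"),
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName"),
                "plugin_output": item.findtext("plugin_output"),
            })
    return findings


def build_hec_payload(findings, source="nessus", sourcetype="nessus:finding"):
    """Encode findings as the newline-delimited JSON batch HEC accepts.

    'host' is set to the scanned asset so Splunk attributes the finding to
    the target rather than to the machine running this script.
    """
    return "\n".join(
        json.dumps({"host": f["host"], "source": source,
                    "sourcetype": sourcetype, "event": f})
        for f in findings
    )


def send_to_hec(payload, hec_url, token):
    """POST one HEC batch; TLS is verified against the default trust store."""
    req = urllib.request.Request(
        hec_url,
        data=payload.encode("utf-8"),
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ssl.create_default_context(),
                                timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    payload = build_hec_payload(parse_nessus(SAMPLE_NESSUS))
    # Hypothetical endpoint; the token is read from the environment, never hard-coded.
    url = os.environ.get("SPLUNK_HEC_URL",
                         "https://splunk.example.test:8088/services/collector/event")
    token = os.environ.get("SPLUNK_HEC_TOKEN")
    print(send_to_hec(payload, url, token) if token else payload)
```

Without `SPLUNK_HEC_TOKEN` set, the script only prints the batch it would send, which is a handy way to check field names before creating the HEC token and sourcetype on the Splunk side. Keep the token scoped to a dedicated index for scanner data, since anyone holding it can write arbitrary events to that index.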

