I am building an integration. I can install it and it seems to run with no issues, but I am not getting any data. I am not sure where I am going wrong. This is running on version 8.19.4.
I see this in the messages.
"message": [ "request finished: 0 events published"
If I run the following on the Nessus host, I get the data that I am looking for.
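# --- TLS exception for the self-signed Nessus certificate on localhost ---
# ServicePointManager.CertificatePolicy is process-wide: once assigned it stays in effect
# for the rest of this PowerShell session and applies to every HTTPS request that goes
# through ServicePointManager, not only to the Nessus calls further down. A policy that
# always returns true would therefore switch certificate validation off for every other
# endpoint too, so this one waives validation errors only for loopback URLs such as
# https://localhost:8834.
# For a scanner reached over the network, do not widen this check: import the Nessus CA
# certificate into the Windows trust store so that normal validation succeeds.
# The class is not named TrustAllCertsPolicy because Add-Type cannot redefine a type that
# an earlier run of the trust-all snippet already loaded into the session.
# NOTE(review): written for Windows PowerShell 5.1; the web cmdlets in PowerShell 7 appear
# not to consult ServicePointManager - confirm before relying on this there.
Add-Type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class LoopbackOnlyCertPolicy : ICertificatePolicy {
    public bool CheckValidationResult(ServicePoint srvPoint, X509Certificate certificate,
                                      WebRequest request, int certificateProblem) {
        // 0 means the certificate validated normally; accept it for any host.
        if (certificateProblem == 0) { return true; }
        // Any validation error is tolerated only when the request targets this machine.
        return request != null && request.RequestUri != null && request.RequestUri.IsLoopback;
    }
}
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object LoopbackOnlyCertPolicy
# Restrict the session to TLS 1.2 for outgoing connections.
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12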
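# --- config ---
# <access_key> and <secret_key> are placeholders for the Nessus API key pair. Both values
# are sent on every request in the X-ApiKeys header, so keep real keys out of saved script
# files and out of anything that gets pasted or shared.
$Nessus = "https://localhost:8834"
$AccessKey = <access_key>
$SecretKey = <secret_key>
$Headers = @{
    "X-ApiKeys" = "accessKey=$AccessKey; secretKey=$SecretKey"
    "Accept"    = "application/json"
}

# The JSON files written below contain scan results (hosts and their vulnerabilities).
# They land in the current directory; store them where only the intended readers have access.

# 1) /scans -> save the scan list, then pick the first scan
$scans = Invoke-RestMethod -Method Get -Uri "$Nessus/scans" -Headers $Headers
$scans | ConvertTo-Json -Depth 6 | Out-File -Encoding UTF8 .\scans.json
$firstScan = $scans.scans | Select-Object -First 1
# Without this guard an empty list casts $null to 0 and the next call requests /scans/0.
if ($null -eq $firstScan) { throw "No scans returned by $Nessus/scans" }
$scanId = [int]$firstScan.id

# 2) /scans/{scan_id} -> hosts array
$scanDetails = Invoke-RestMethod -Method Get -Uri "$Nessus/scans/$scanId" -Headers $Headers
$scanDetails | ConvertTo-Json -Depth 8 | Out-File -Encoding UTF8 .\scan_$scanId.json
$firstHost = $scanDetails.hosts | Select-Object -First 1
# Same reasoning as above: a scan without hosts must not turn into a request for host 0.
if ($null -eq $firstHost) { throw "Scan $scanId has no hosts" }
$hostId = [int]$firstHost.host_id

# 3) /scans/{scan_id}/hosts/{host_id} -> vulnerabilities array
$hostDetails = Invoke-RestMethod -Method Get -Uri "$Nessus/scans/$scanId/hosts/$hostId" -Headers $Headers
$hostDetails | ConvertTo-Json -Depth 10 | Out-File -Encoding UTF8 .\scan_${scanId}_host_${hostId}.json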
Here is my httpjson.yml.hbs
# Root request of the httpjson input: polls the /scans endpoint of the configured
# nessus_url once per interval (5m when the interval variable is not set).
interval: '{{#if interval}}{{ interval }}{{else}}5m{{/if}}'
# ROOT: list scans (no split here on purpose)
request:
method: GET
url: '{{ nessus_url }}/scans'
timeout: 60s
# SECURITY: verification_mode 'none' disables every check of the server certificate, and
# this request sends the API key pair in the X-ApiKeys header set below. That is tolerable
# only while nessus_url points at the local machine; for a scanner reached over the network,
# keep verification on and trust the self-signed certificate explicitly instead, for example
# through ssl.certificate_authorities or ssl.ca_trusted_fingerprint.
ssl:
verification_mode: 'none'
supported_protocols: [TLSv1.2]
transforms:
- set: { target: header.User-Agent, value: 'Elastic-NessusPro/0.1 (Elastic-Agent {{agent.version}})' }
- set: { target: header.Accept, value: 'application/json' }
# Both halves of the Nessus API key pair travel in this one header.
# NOTE(review): the package manifest is not shown here; make sure it declares secret_key
# (and ideally access_key) with secret: true so the values are stored as secrets rather than
# as plain policy text.
- set:
target: header.X-ApiKeys
value: 'accessKey={{ access_key }}; secretKey={{ secret_key }}'
# keep whole root body available to JSONPath (no split here)
# NOTE(review): body._noop is not a field the /scans response is shown to contain. Confirm
# how httpjson handles a split whose target is missing; if it fails or yields nothing, that
# would be consistent with the "0 events published" message.
response:
split:
target: body._noop
keep_parent: true
# First chain step: one GET per scan id taken from the root response.
chain:
- step:
# STEP 1: scan details for each scan id (URL has $. => must have replace)
request:
method: GET
url: '{{ nessus_url }}/scans/$.body.scans[:].id'
timeout: 60s
# SECURITY: certificate verification is switched off for this step as well, and the same
# API key pair is sent again in X-ApiKeys. If nessus_url is not the local machine, an
# on-path attacker can capture the keys; prefer trusting the Nessus CA
# (ssl.certificate_authorities or ssl.ca_trusted_fingerprint) over verification_mode 'none'.
ssl:
verification_mode: 'none'
supported_protocols: [TLSv1.2]
transforms:
- set: { target: header.User-Agent, value: 'Elastic-NessusPro/0.1 (Elastic-Agent {{agent.version}})' }
- set: { target: header.Accept, value: 'application/json' }
- set:
target: header.X-ApiKeys
value: 'accessKey={{ access_key }}; secretKey={{ secret_key }}'
# The JSONPath below is the placeholder in the URL above that gets substituted per scan.
replace: $.body.scans[:].id
# this response *does* have hosts[]
response:
# Emits one document per entry of body.hosts and keeps the enclosing scan body with it.
split:
target: body.hosts
keep_parent: true
# Second chain step: one GET per host_id of the scan fetched in step 1.
chain:
- step:
# STEP 2: host details for each host_id (URL has $. => must have replace)
request:
method: GET
# NOTE(review): this file is a Handlebars (.hbs) template, so the double-curly-brace
# expression for the scan id in this URL is rendered when the policy is built, not while
# httpjson is running. A value that must come from an earlier response at runtime most
# likely needs httpjson's own [[ ... ]] value templates or a replace/replace_with entry;
# confirm against the httpjson input documentation.
url: '{{ nessus_url }}/scans/{{parent.parent.body.scans.id}}/hosts/$.body.hosts[:].host_id'
timeout: 60s
# SECURITY: certificate verification is off here too while the API key pair is sent in
# X-ApiKeys. Acceptable only for a loopback nessus_url; otherwise trust the Nessus CA
# explicitly instead of using verification_mode 'none'.
ssl:
verification_mode: 'none'
supported_protocols: [TLSv1.2]
transforms:
- set: { target: header.User-Agent, value: 'Elastic-NessusPro/0.1 (Elastic-Agent {{agent.version}})' }
- set: { target: header.Accept, value: 'application/json' }
- set:
target: header.X-ApiKeys
value: 'accessKey={{ access_key }}; secretKey={{ secret_key }}'
# The JSONPath below is the placeholder in the URL above that gets substituted per host.
replace: $.body.hosts[:].host_id
response:
# Emits one document per entry of body.vulnerabilities and keeps the host body with it.
split:
target: body.vulnerabilities
keep_parent: true
# Response transforms: copy scan, host and vulnerability values into body.scan.*,
# body.host.* and body.vuln.*, then map them onto event, vulnerability, host, observer and
# labels fields.
# NOTE(review): every value below is a double-curly-brace Handlebars expression. In an .hbs
# template those are rendered when the policy is built, before any response exists, so they
# probably come out empty; runtime values in httpjson are written with [[ ... ]] value
# templates. Confirm against the httpjson input documentation.
transforms:
# Event id composed of scan id, host id, plugin id, port and protocol.
- set: { target: body._event_id, value: '{{parent.parent.body.scans.id}}-{{parent.body.hosts.host_id}}-{{body.vulnerabilities.plugin_id}}-{{body.vulnerabilities.port}}-{{body.vulnerabilities.protocol}}' }
- set: { target: body.scan.id, value: '{{parent.parent.body.scans.id}}' }
- set: { target: body.scan.name, value: '{{parent.parent.body.scans.name}}' }
- set: { target: body.host.id, value: '{{parent.body.hosts.host_id}}' }
- set: { target: body.host.hostname, value: '{{parent.body.hosts.hostname}}' }
# NOTE(review): host.ip is filled from hostname, the same source as host.hostname above.
# Confirm that the hostname field really holds an IP address; otherwise host.ip will carry
# a non-IP value.
- set: { target: body.host.ip, value: '{{parent.body.hosts.hostname}}' }
- set: { target: body.vuln.id, value: '{{body.vulnerabilities.plugin_id}}' }
- set: { target: body.vuln.port, value: '{{body.vulnerabilities.port}}' }
- set: { target: body.vuln.protocol, value: '{{body.vulnerabilities.protocol}}' }
- set: { target: body.vuln.severity, value: '{{body.vulnerabilities.severity}}' }
- set: { target: body.vuln.plugin_name, value: '{{body.vulnerabilities.plugin_name}}' }
- set: { target: body.vuln.plugin_family, value: '{{body.vulnerabilities.plugin_family}}' }
- set: { target: body.vuln.cve, value: '{{body.vulnerabilities.cve}}' }
- set: { target: body.vuln.cvss.base_score, value: '{{body.vulnerabilities.cvss.base_score}}' }
# NOTE(review): the indentation of this listing was lost, so it is not visible which section
# under_root and add_fields belong to. Check that they sit under a key that the httpjson
# input (or a processor definition) actually accepts.
under_root: true
add_fields:
event:
id: '{{body._event_id}}'
kind: 'enrichment'
category: ['vulnerability']
type: ['info']
vulnerability:
id: '{{body.vuln.id}}'
scanner:
vendor: 'Tenable'
type: 'Nessus'
severity: '{{body.vuln.severity}}'
score:
base: '{{body.vuln.cvss.base_score}}'
reference: '{{body.vuln.cve}}'
host:
id: '{{body.host.id}}'
hostname: '{{body.host.hostname}}'
ip: '{{body.host.ip}}'
observer:
vendor: 'Tenable'
product: 'Nessus'
labels:
nessus.scan_id: '{{body.scan.id}}'
nessus.scan_name: '{{body.scan.name}}'
nessus.plugin_family: '{{body.vuln.plugin_family}}'