I am having a really difficult time getting my Nessus files to parse correctly if at all.
This is my Logstash config:
input {
file {
path => "/opt/nessus/*"
mode => "read"
start_position => "beginning"
file_completed_action => "delete"
sincedb_path => "/dev/null"
type => "nessus"
tags => "nessus"
file_chunk_size => 3276800
codec => multiline {
pattern => "(?=</.*>)"
negate => true
what => "previous"
auto_flush_interval => 1
max_lines => 1000000
max_bytes => "50 MiB"
}
}
}
filter {
if [type] == "nessus" {
xml {
source => "message"
store_xml => false
xpath => [
"/NessusClientData_v2/Report/@name)", "report_name",
"/NessusClientData_v2/Report/ReportHost/@name", "host",
"/NessusClientData_v2/Report/ReportHost/HostProperties/tag[@name='host-ip']/text()", "host_ip",
"/NessusClientData_v2/Report/ReportHost/HostProperties/tag[@name='HOST_END']/text()", "host_end",
"/NessusClientData_v2/Report/ReportHost/HostProperties/tag[@name='HOST_START']/text()", "host_start",
"/NessusClientData_v2/Report/ReportHost/ReportItem/@port", "port",
"/NessusClientData_v2/Report/ReportHost/ReportItem/@svc_name", "svc_name",
"/NessusClientData_v2/Report/ReportHost/ReportItem/@protocol", "protocol",
"/NessusClientData_v2/Report/ReportHost/ReportItem/@severity", "severity",
"/NessusClientData_v2/Report/ReportHost/ReportItem/@pluginID", "pluginID",
"/NessusClientData_v2/Report/ReportHost/ReportItem/@pluginName", "pluginName",
"/NessusClientData_v2/Report/ReportHost/ReportItem/@pluginFamily", "pluginFamily",
"/NessusClientData_v2/Report/ReportHost/ReportItem/cpe", "cpe",
"/NessusClientData_v2/Report/ReportHost/HostProperties/tag[@name=patch-summary-total-cves]/text()", "cve",
"/NessusClientData_v2/Report/ReportHost/ReportItem/@description", "description",
"/NessusClientData_v2/Report/ReportHost/ReportItem/@fname", "fname",
"/NessusClientData_v2/Report/ReportHost/ReportItem/@plugin_modification_date", "plugin_mod_date",
"/NessusClientData_v2/Report/ReportHost/ReportItem/@plugin_name", "plugin_name",
"/NessusClientData_v2/Report/ReportHost/ReportItem/@plugin_publication_date", "plugin_publication_date",
"/NessusClientData_v2/Report/ReportHost/ReportItem/@plugin_type", "plugin_type",
"/NessusClientData_v2/Report/ReportHost/ReportItem/@risk_factor", "risk",
"/NessusClientData_v2/Report/ReportHost/ReportItem/@script_version", "script_version",
"/NessusClientData_v2/Report/ReportHost/ReportItem/@see_also", "see_also",
"/NessusClientData_v2/Report/ReportHost/ReportItem/@solution", "solution",
"/NessusClientData_v2/Report/ReportHost/ReportItem/@synopsis", "synopsis",
"/NessusClientData_v2/Report/ReportHost/ReportItem/@plugin_output", "plugin_output",
"/NessusClientData_v2/Report/ReportHost/ReportItem/@asset_inventory", "asset_inventory"
]
}
mutate {
convert => {
"severity" => "integer"
"risk" => "integer"
}
add_field => {
report_name => "%{report_name}"
report_host => "%{host}"
host_ip => "%[host_ip}"
}
}
date {
match => ["host_start", "EEE MMM dd HH:mm:ss yyyy"]
target => "host_start"
locale => "en_US"
}
date {
match => ["host_end", "EEE MMM dd HH:mm:ss yyyy"]
target => "host_end"
locale => "en_US"
}
}
}
output {
stdout {
codec => "rubydebug"
}
csv {
path => "/home/USER/Desktop/%report_name-%{+YYYY-MM-dd}.csv"
fields => ["host_ip","host_start","host_end","port","svc_name","protocol","severity","pluginID","pluginName","pluginFamily","cpe","cve","description","fname","plugin_mod_date","plugin_name","plugin_piblication_date","plugin_type","risk","script_version","see_also","solutions","synopsis","plugin_output","asset_inventory"]
}
}
This is a sanitized and truncated sample of my data:
<?xml version="1.0" ?>
<NessusClientData_v2>
<Policy><policyName>Vulnerability Scan Policy</policyName>
<Preferences><ServerPreferences><preference><name>max_simult_tcp_sessions</name>
<value>unlimited</value>
</preference>
<preference><name>scan.enable_utf8_output</name>
<value>no</value>
</preference>
<preference><name>bw_prevent_core_updates</name>
<value>yes</value>
</Policy>
<Report name="Servers" xmlns:cm="http://www.nessus.org/cm">
<ReportHost name="192.168.1.134"><HostProperties>
<tag name="HOST_END_TIMESTAMP">1632974554</tag>
<tag name="HOST_END">Wed Sep 29 22:02:34 2021</tag>
<tag name="patch-summary-total-cves">0</tag>
<tag name="HOST_START_TIMESTAMP">1632974404</tag>
<tag name="HOST_START">Wed Sep 29 22:00:04 2021</tag>
</HostProperties>
<ReportItem port="623" svc_name="asf-rmcp" protocol="udp" severity="0" pluginID="72063" pluginName="IPMI Versions Supported" pluginFamily="General">
<description>This script detects which IPMI versions are supported by the remote service for managing the system, as well as additional settings.</description>
<fname>ipmi_supported_versions.nbin</fname>
<plugin_modification_date>2021/07/12</plugin_modification_date>
<plugin_name>IPMI Versions Supported</plugin_name>
<plugin_publication_date>2014/01/21</plugin_publication_date>
<plugin_type>remote</plugin_type>
<risk_factor>None</risk_factor>
<script_version>1.51</script_version>
<solution>n/a</solution>
<synopsis>The remote service implements a management protocol.</synopsis>
<plugin_output>
Nessus was able to extract the following settings for the
administrator authentication level on the target :
Version 1.5 : enabled
Version 2.0 : enabled
Non-Null Usernames : enabled
Null Usernames : disabled
Anonymous Login : disabled
OEM Authentication : disabled
Password Authentication : enabled
MD5 Authentication : enabled
MD2 Authentication : enabled
None Authentication : disabled
</plugin_output>
</ReportItem>
<ReportItem port="623" svc_name="asf-rmcp" protocol="udp" severity="0" pluginID="68932" pluginName="IPMI Cipher Suites Supported" pluginFamily="General">
<description>This script detects which IPMI cipher suites are supported by the remote service for the authentication, integrity, and confidentiality of communications.</description>
<fname>ipmi_supported_cipher_suites.nbin</fname>
<plugin_modification_date>2021/07/12</plugin_modification_date>
<plugin_name>IPMI Cipher Suites Supported</plugin_name>
<plugin_publication_date>2013/07/17</plugin_publication_date>
<plugin_type>remote</plugin_type>
<risk_factor>None</risk_factor>
<script_version>1.51</script_version>
<solution>n/a</solution>
<synopsis>The remote service provides cryptographic means of protecting communications.</synopsis>
<plugin_output>
Nessus was able to confirm that the following cipher suites are
supported by the target :
ID Auth Alg Integrity Alg Confidentiality Alg
1 HMAC-SHA1 None None
2 HMAC-SHA1 HMAC-SHA1-96 None
3 HMAC-SHA1 HMAC-SHA1-96 AES-CBC-128
6 HMAC-MD5 None None
7 HMAC-MD5 HMAC-MD5-128 None
8 HMAC-MD5 HMAC-MD5-128 AES-CBC-128
11 HMAC-MD5 MD5-128 None
12 HMAC-MD5 MD5-128 AES-CBC-128
</plugin_output>
</ReportItem>
<ReportItem port="623" svc_name="asf-rmcp" protocol="udp" severity="0" pluginID="45555" pluginName="Alert Standard Format / Remote Management and Control Protocol Detection" pluginFamily="Service detection">
<asset_inventory>True</asset_inventory>
<description>The remote host is an Alert Standard Format (ASF) aware device that can be controlled remotely using Remote Management and Control Protocol (RMCP).
ASF is a DMTF standard that provides a remote control and alerting interface between management consoles and ASF-aware hosts.
RMCP is a network protocol used by a management console to remotely control an ASF-aware host. RMCP Security-Extensions Protocol (RSP), a security-enhanced version of RMCP, provides authentication and integrity when sending RMCP messages.</description>
<fname>asf_rmcp_detect.nbin</fname>
<plugin_modification_date>2021/07/12</plugin_modification_date>
<plugin_name>Alert Standard Format / Remote Management and Control Protocol Detection</plugin_name>
<plugin_publication_date>2010/04/16</plugin_publication_date>
<plugin_type>remote</plugin_type>
<risk_factor>None</risk_factor>
<script_version>1.54</script_version>
<see_also>https://www.dmtf.org/standards/asf
http://www.nessus.org/u?e110dee7</see_also>
<solution>Disable this service if you do not use it, or filter incoming traffic to this port.</solution>
<synopsis>A remote management service is running on the remote host.</synopsis>
<plugin_output>
RMCP security extensions are NOT supported.
</plugin_output>
</ReportItem>
</Report>
</NessusClientData_v2>
This is the ruby debug:
{
"@timestamp" => 2021-11-30T19:07:37.961Z,
"@version" => "1",
"message" => "</ReportItem>\n<ReportItem port=\"0\" svc_name=\"general\" protocol=\"tcp\" severity=\"0\" pluginID=\"11936\" pluginName=\"OS Identification\" pluginFamily=\"General\">\n<plugin_output>\nRemote operating system : Super Micro\nConfidence level : 75\nMethod : SSLcert\nNot all fingerprints could give a match. If you think some or all of\nthe following could be used to identify the host's operating system,\nplease email them to os-signatures@nessus.org. Be sure to include a\nbrief description of the host itself, such as the actual operating\nsystem or product / model names.\nSinFP:!:\n P1:B10113:F0x12:W5840:O0204ffff:M1460:\n P2:B10113:F0x12:W5840:O0204ffff0101040201030301:M1460:\n P3:B00000:F0x00:W0:O0:M0\n P4:181310_7_p=5900R\n ",
"path" => "/opt/nessus/server.nessus",
"tags" => [
[0] "multiline",
[1] "nessus",
[2] "_xmlparsefailure"
],
"type" => "nessus",
"report_name" => "%{report_name}",
"report_host" => "ELASTICSERVER",
"host" => "ELASTICSERVER"
}
{
"path" => "/opt/nessus/server.nessus",
"@timestamp" => 2021-11-30T19:07:37.961Z,
"@version" => "1",
"message" => "The remote host is running Super Micro</plugin_output>",
"type" => "nessus",
"tags" => [
[0] "nessus",
[1] "_xmlparsefailure"
],
"report_name" => "%{report_name}",
"report_host" => "ELASTICSERVER",
"host" => "ELASTICSERVER"
}
The CSV file is Thousands of lines of just commas, eventually, I will put it into Elasticsearch, but for now, I can't get anything to even output to a csv. What am I doing wrong?