API - Nessus Vulnerability Scanner
Nessus is one of the most popular vulnerability scanners in the world and is used by numerous organizations to scan their networks for security vulnerabilities and compliance issues. The System Monitor Agent can import Nessus scan reports and convert them into LogRhythm logs.
LogRhythm supports only the Pro versions of Nessus, up to and including Nessus 8.15. Nessus community versions are not supported.
Prerequisites
The HTTPS collection mechanism used by the agent will reference a Nessus configuration file (typically nessus.ini) and retain the last report read from Nessus with state tracking. The following information is required for this process to function properly and should be gathered prior to configuring collection:
- The LogRhythm System Monitor Agent used to collect Nessus scan report data.
- The name of the Nessus log source configuration file (default: nessus.ini).
Configure the nessus.ini File
The Nessus interface is configured using an .ini file in the config folder of the Agent (typically C:\Program Files\LogRhythm\LogRhythm System Monitor\config\nessus.ini). The following settings are available in that file:
Setting | Default Value | Description |
---|---|---|
NessusHosts | CHANGE_THIS | IP address or DNS name of the Nessus host. |
NessusXMLRCPort | 8834 | The TCP port on the Nessus server for the XMLRPC. |
UserName | CHANGE_THIS | The Nessus user name. Nessus only pulls reports run or scheduled by this user. However, you can create multiple Nessus log sources, one for each Nessus user, and have multiple Nessus configuration files (for instance, Nessus1.ini, Nessus2.ini). |
Password | CHANGE_THIS | The Nessus user password. The password must be encrypted using the lrcrypt command line utility, which is located in the LogRhythm System Monitor installation directory binaries. Usage: lrcrypt [-e passwordtoencrypt] [path\inifile]. See LogRhythm Password Encryption for more information on how to use the LogRhythm Encryption Utility. |
Monday...Sunday | Monday=true | Days of the week to query the API. Set each day to true or false. If all days are set to true, the API is queried every 24 hours. If only one is set to true, the API is queried once per week. |
Time | 13:00 | The local time of day the System Monitor Agent will query the API. Both 12-hour and 24-hour time formats are recognized. The reports can only be pulled once per day. |
StartupDelayInSeconds | 60 | The amount of time after starting, in seconds, that the System Monitor Agent will wait before running the queries against the API. |
Timeout | 100 | The timeout, in seconds, to use when requesting data from the Nessus server. The valid range for this value is 0-300 (0 = infinite). |
ErrorReportRetryTimeSpan | 60 | The time, in minutes, after which the Agent will retry to fetch data. |
ErrorReportRetryCount | 3 | The number of times an Agent tries to fetch data for reports that are throwing errors during a read attempt. |
Version | V6 | The version of Nessus scanner. Only one version of Nessus can be supported in a nessus.ini file. Use the following nomenclature: V4 for version 4.x. The default value is V6. |
After the Nessus instance is configured, the Agent pulls Nessus scan data via HTTPS over the configured TCP port. The Agent can pull the oldest Nessus reports available so long as the specified user has access to the reports. Based on the Agent state information, the Agent pulls all reports available to that user. The settings in the config file determine how often the reports are pulled (up to once per day).
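A pre-deployment check of nessus.ini against the settings table above, as an added example that is not LogRhythm's own code. It assumes the file holds plain key=value lines, that true/false is case-insensitive, and that 12-hour times are written like 1:00 PM; the sample file and host name are constructed.

```python
from datetime import datetime

DAYS = "Monday Tuesday Wednesday Thursday Friday Saturday Sunday".split()
PLACEHOLDER = "CHANGE_THIS"
# Constructed sample; the key=value layout is an assumption about nessus.ini.
SAMPLE_INI = """\
NessusHosts=nessus01.example.internal
UserName=CHANGE_THIS
Password=CHANGE_THIS
Tuesday=yes
Time=1:00 PM
Timeout=600
"""

def parse_ini(text):
    """Return {key: value} from key=value lines; skip blanks, comments, [sections]."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def parse_time(value):
    """Accept 24-hour (13:00) or 12-hour (1:00 PM, assumed spelling) times."""
    for fmt in ("%H:%M", "%I:%M %p"):
        try:
            return datetime.strptime(value, fmt).time()
        except ValueError:
            continue
    return None

def lint(settings):
    """List settings that still hold defaults or fall outside the documented ranges."""
    findings = []
    for key in ("NessusHosts", "UserName", "Password"):
        if settings.get(key, PLACEHOLDER) == PLACEHOLDER:
            findings.append(f"{key}: still {PLACEHOLDER}")
    timeout = settings.get("Timeout", "100")
    if not timeout.isdigit() or int(timeout) > 300:
        findings.append(f"Timeout: {timeout!r} outside 0-300")
    for day in DAYS:
        if day in settings and settings[day].lower() not in ("true", "false"):
            findings.append(f"{day}: {settings[day]!r} is not true/false")
    if parse_time(settings.get("Time", "13:00")) is None:
        findings.append(f"Time: {settings['Time']!r} not recognized")
    return findings
```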
After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.
The name of the log message source is API - Nessus Vulnerability Scanner. In addition, when configuring this log source:
- For Log Message Processing Mode, select MPE Processing Enabled, Event Forwarding Enabled.
- For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
- On the Flat File Settings tab, enter the following:
  - File Path. <path to nessus.ini file, including the file name and extension>
    The file path is typically C:\Program Files\LogRhythm\LogRhythm System Monitor\config\nessus.ini