API - Tenable.io Scanner
Tenable.io is a comprehensive vulnerability scanner from Tenable that is hosted in the cloud. The LogRhythm System Monitor can import Tenable.io scan reports for monitoring and analysis. System Monitor Agents for this version of LogRhythm are compatible with the latest version of Tenable, 5.9. This document provides information about how to collect Tenable.io data with the LogRhythm System Monitor.
Previously configured NessusCloud log sources must be reconfigured using the tenable_io configuration and log source type. Only the new log source type is available with Knowledge Base updates.
- Log Source Format = Tenable.io Data
- Log Source Type = API - Tenable.io Scanner
In upgraded deployments, the .ini file may still be named nessuscloud.ini.
Configure the tenable_io.ini File
A LogRhythm System Monitor is used to collect scan data from Tenable.io. To configure the System Monitor, modify the Tenable.io configuration file (tenable_io.ini) on the System Monitor host. A default configuration file is available in the System Monitor's config directory.
The tenable_io.ini file can be found in the C:\Program Files\LogRhythm\LogRhythm System Monitor\config\ directory. The following configuration settings are available in the file:
Setting | Default Value | Description |
---|---|---|
Tenable_IoHost | CHANGE_THIS | The host name or IP address of the Tenable.io host. |
Tenable.ioPort | 0 | Not currently used. |
AccessKey | CHANGE_THIS | The Access Key for the API - Tenable.io Scanner, obtained from Tenable. The Access Key must be encrypted using the lrcrypt command line utility. See LogRhythm Password Encryption for more information on how to use the LogRhythm Encryption Utility. Usage: lrcrypt [-e passwordtoencrypt] You must manually paste the encrypted value into the configuration file. |
SecretKey | CHANGE_THIS | The Secret Key for the API - Tenable.io Scanner, obtained from Tenable. The Secret Key must be encrypted using the lrcrypt command line utility. See LogRhythm Password Encryption for more information on how to use the LogRhythm Encryption Utility. Usage: lrcrypt [-e passwordtoencrypt] You must manually paste the encrypted value into the configuration file. |
Monday...Sunday | Monday=true | Flags indicating the day of the week to query the Security Center API. For each day that you want to collect, set the corresponding day to true. |
Time | 13:00 | The time of day when logs are downloaded. Both 12-hour and 24-hour time formats are recognized. For example, 01:00 or 11:00 PM. Scan data can be pulled only once per day. |
StartupDelayInSeconds | 60 | If the API needs to be queried when the System Monitor is started, the System Monitor waits this many seconds before running the query. |
Timeout | 100 | The timeout (in seconds) to use when requesting data from the API. The range is 0-300 seconds (0=infinite). |
ErrorReportRetryTimeSpan | 60 | The amount of time (in minutes) that the System Monitor should wait to retry the connection following an error. |
ErrorReportRetryCount | 3 | The number of times the agent tries to fetch data for reports that throw an error during read. |
Version | V6 | Not currently used. |
LogApiRequests | false | Enables (true) or disables (false) diagnostic logging of HTTP and HTTPS requests to the API. API request logging should only be used with assistance from LogRhythm Customer Support. You should leave this field unchanged (false). |
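A check that can be run over a copy of tenable_io.ini before the agent is restarted, flagging the settings from the table above that are unset, out of range, or left in a diagnostic state. This is an added example, not LogRhythm or Tenable code. It assumes the file holds one key=value pair per line (as the Monday=true default suggests), and the sample values, including the host name, are constructed.

```python
from datetime import datetime

DAYS = ("Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday")

def parse_ini(text):
    """Assumed layout: key=value lines; blanks, comments and [sections] are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def valid_time(value):
    # The table allows 24-hour ("13:00") and 12-hour ("11:00 PM") forms.
    for fmt in ("%H:%M", "%I:%M %p"):
        try:
            datetime.strptime(value, fmt)
            return True
        except ValueError:
            pass
    return False

def check(settings):
    findings = []
    for key in ("Tenable_IoHost", "AccessKey", "SecretKey"):
        if settings.get(key, "CHANGE_THIS") in ("", "CHANGE_THIS"):
            findings.append(f"{key}: still unset or CHANGE_THIS")
    if not any(settings.get(d, "").lower() == "true" for d in DAYS):
        findings.append("schedule: no day is set to true in the file")
    if not valid_time(settings.get("Time", "")):
        findings.append("Time: not a 12-hour or 24-hour time")
    timeout = settings.get("Timeout", "")
    if not timeout.isdecimal() or int(timeout) > 300:
        findings.append("Timeout: missing or outside the 0-300 second range")
    elif int(timeout) == 0:
        findings.append("Timeout: 0 means infinite, a hung request never times out")
    if settings.get("LogApiRequests", "false").lower() != "false":
        findings.append("LogApiRequests: diagnostic request logging is enabled")
    return findings

# Constructed sample, not a real configuration; the host and key values are placeholders.
SAMPLE = ("Tenable_IoHost=tenable.example.invalid\nAccessKey=CHANGE_THIS\n"
          "SecretKey=ENCRYPTED_PLACEHOLDER\nMonday=false\nTime=11:00 PM\n"
          "Timeout=0\nLogApiRequests=true\n")
for finding in check(parse_ini(SAMPLE)):
    print(finding)
```

The check cannot tell whether AccessKey and SecretKey hold lrcrypt output or a pasted plaintext key, so confirm that separately.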
After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide.
Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.
The name of the log message source is API - Tenable.io Scanner. In addition, when configuring this log source:
- For Log Message Processing Mode, select MPE Processing Enabled, Event Forwarding Enabled.
- For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
- On the Flat File Settings tab, enter the following:
File Path. <path to log file, including the file name and extension>
For multiple users, you can create multiple tenable_io.ini files and multiple Tenable.io log sources.