Setup [Deprecated] - nicpenning/Nessus-ES GitHub Wiki
This is a guide to get everything set up. All examples can be run in Kibana Dev Tools.
-
Import Ingest Pipeline
Copy the entire contents of the logs-nessus.vulnerability.json and execute it in Kibana Dev Tools
-
Import Index Template
Copy the entire contents of the logs-nessus.vulnerability-index-template.json and execute it in Kibana Dev Tools
-
Import Data Views, Visualizations, Dashboards (Saved Objects)
Download both of the .ndjson files (links below)
Then open Kibana and navigate to Stack Management -> Saved Objects -> Import -> Select the nessus_saved_objects.ndjson file -> Import
-
Create Nessus API Key
- Assign Write to logs-nessus.vulnerability index
PUT /_security/api_key
{
  "name": "logs-nessus.vulnerability",
  "role_descriptors": {
    "nessus_import": {
      "index": [
        {
          "names": [
            "logs-nessus.vulnerability"
          ],
          "privileges": [
            "write",
            "create",
            "read",
            "index",
            "create_index"
          ]
        }
      ]
    }
  }
}
Copy the encoded text from the output and use that as the "key". If you do not get the encoded text in the response, take the id and api_key, form the string {id}:{api_key}, and base64-encode it; the result is the key used during the next step.
Details on how to do this are towards the bottom of this page: https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-create-api-key.html#security-api-create-api-key-example
-
Run ImportTo-Elasticsearch-Nessus.ps1 with valid parameters
- Path to Nessus File (.nessus)
- Elasticsearch URL
- API Key (Generated from step 3)
-
If everything works, then you should have ingested data and should be able to view the [Vulnerability] Dashboard
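As an added example (not part of the Nessus-ES project), the PowerShell 7 function below performs the fallback from the API key step: it reads the create-API-key response, builds base64({id}:{api_key}), checks it against the encoded field when one is present, and returns the Authorization header Elasticsearch expects. The function name Get-ElasticApiKeyHeader and the sample id and api_key values are constructed for illustration.

```powershell
# Added example, not code from Nessus-ES. Function name and sample values are constructed.
function Get-ElasticApiKeyHeader {
    param(
        # JSON body returned by PUT /_security/api_key in Kibana Dev Tools
        [Parameter(Mandatory)] [string] $ResponseJson
    )

    $r = $ResponseJson | ConvertFrom-Json
    if (-not $r.id -or -not $r.api_key) {
        throw "Response is missing 'id' or 'api_key'; copy the whole response body."
    }

    # The key is base64 of the UTF-8 string {id}:{api_key}
    $computed = [Convert]::ToBase64String(
        [Text.Encoding]::UTF8.GetBytes("$($r.id):$($r.api_key)"))

    # When the response already carries 'encoded', it must equal the computed value.
    # -cne is the case-sensitive comparison; base64 text is case-sensitive.
    if ($r.encoded -and $r.encoded -cne $computed) {
        throw "'encoded' does not match base64(id:api_key); the copied response is damaged."
    }

    # Elasticsearch accepts API keys as: Authorization: ApiKey <base64>
    @{ Authorization = "ApiKey $computed" }
}

# Constructed sample response without an 'encoded' field (not a real key)
$sample = '{"id":"EXAMPLEID0000000001","name":"logs-nessus.vulnerability","api_key":"EXAMPLEKEY000000000001"}'
$headers = Get-ElasticApiKeyHeader -ResponseJson $sample

# The part after "ApiKey " is the value to use as the API Key parameter of the import script
$headers.Authorization.Substring(7)

# Optional check against a live cluster before running the import
# (https://elasticsearch.example:9200 is a placeholder URL):
# Invoke-RestMethod -Uri 'https://elasticsearch.example:9200/_security/_authenticate' -Headers $headers
```

The key grants write access to the index, so paste the real response from a file or a secret store rather than typing it into a shell whose history is saved.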
⚠️ Notice: The script does not work (with PowerShell 5.1) when the ssl_cipher_list value is set to modern. This may occur on versions of Nessus beyond 10.0.2. 🩹
PowerShell 7 is required; the script will not work with PowerShell 5.1. However, I am leaving this note here for troubleshooting purposes.
If you see an error that reads "Authentication failed because the remote party sent a TLS alert: 'HandshakeFailure'.", you need to set the ssl_cipher_list to legacy (not recommended).
To adjust this, do the following:
- Login to Nessus
- Go to Settings
- Click on Advanced
- Click the Security Tab
- Change the ssl_cipher_list setting to legacy.