Nessus Vulnerability Scanners in Graylog

The following article exclusively pertains to a Graylog Security feature or functionality. Graylog Security is a part of the Graylog centralized log management platform and requires a separate license. Contact the Graylog Sales team for more information on this product.

Tenable Nessus is a security scanner that can identify vulnerabilities in devices, applications, operating systems, and other network or cloud resources. Nessus uses a combination of algorithms to assess threats and then assigns a vulnerability risk score based on the Common Vulnerability Scoring System (CVSS).

You can connect Graylog to your existing Nessus scanner. Graylog imports scan data from Nessus and attaches any vulnerabilities to your related machine assets.

Hint: To configure a connection between Graylog and Nessus, you need to ensure you have established a trusted relationship. Be certain you understand the certificate requirements. See Certificates and Certificate Authorities in the Nessus documentation for details.

You can create a Nessus scanner in Graylog with either a paid or free version of Nessus. When you add a scanner following the directions below, you need the API URL for your Nessus instance as well as your access key and secret key to create a connection in Graylog. See the Tenable Nessus documentation for information about creating your API keys.

Add a Nessus Scanner

To add a Nessus scanner:

  1. On the Assets page in the Security user interface, select the Vulnerability Scanners tab.

  2. Click Add Scanner, then choose Nessus from the menu.

  3. Fill in the connection details and other information for the scanner:

    [Figure: Form for adding a Nessus Vulnerability Scanner in Graylog]

    • Title: Give the scanner a unique, meaningful name.

    • Description (optional): Provide detail about the purpose of this scanner. Although this field is optional, consider adding information here, particularly if you create multiple Nessus scanners.

    • Enabled/Disabled Sync (optional): Toggle this setting to Enabled to automatically import scan data on a specified interval.

    • Sync Interval in Hours (optional): If you enable sync, you can set how frequently to run a new import of scan data to update vulnerability information on your Graylog assets. The default setting is 24 hours (once per day).

    Hint: The fields below require information from your Nessus environment. See the Nessus documentation for complete information.

    • API URL: Enter the URL to connect to your Nessus instance.

    • Access Key: Enter the access key to authenticate with the Nessus API.

    • Secret Key: Enter the secret key to authenticate with the Nessus API.

    After you provide the connection information, Graylog tests the connection. The result of the test displays at the bottom of the dialog. When you connect successfully, the Folders field becomes available.

  4. (Optional) Use the Folders field if you want to limit or filter the data for this scanner instance. Folders available here are based on any folder structure you have created in your Nessus environment.

  5. Click Add Scanner to add the scanner.

New scanners are added to the list on the Vulnerability Scanners tab of the Assets page.
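The connection test Graylog runs after you enter the API URL, access key, and secret key can be reproduced from the command line before you save the form, which is useful for isolating certificate trust problems from credential problems. The following is an added example, not Graylog's or Tenable's code; it assumes the Nessus REST API accepts keys in the X-ApiKeys header and exposes GET /folders, that the CA bundle path is hypothetical, and that the sample response is constructed.

```python
import json
import ssl
import urllib.request

# Added example, not Graylog's or Tenable's own code. It mirrors the
# pre-flight check Graylog performs when you save the scanner form:
# authenticate to the Nessus REST API with the access/secret key pair and
# list the folders that later populate the Folders filter.
# ASSUMPTIONS: Nessus reads keys from the "X-ApiKeys" header and serves
# GET /folders as {"folders": [{"id": ..., "name": ...}]}; the CA bundle
# path is a hypothetical placeholder for the CA that signed the Nessus
# server certificate (see the certificate hint above).


def build_api_key_header(access_key: str, secret_key: str) -> dict:
    """Nessus API-key authentication header (keys never go in the URL)."""
    return {"X-ApiKeys": f"accessKey={access_key}; secretKey={secret_key}",
            "Accept": "application/json"}


def parse_folders(body: str) -> list:
    """Return (id, name) pairs from a /folders response body."""
    data = json.loads(body)
    return [(f["id"], f["name"]) for f in data.get("folders", [])]


def check_nessus_connection(api_url: str, access_key: str, secret_key: str,
                            ca_bundle: str) -> list:
    """Verify certificate trust and credentials together by listing folders."""
    # Trust only the CA that issued the Nessus certificate. Do not disable
    # verification: the API keys would then be sent to any impostor host.
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(api_url.rstrip("/") + "/folders",
                                 headers=build_api_key_header(access_key, secret_key))
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return parse_folders(resp.read().decode("utf-8"))


# Constructed sample response in the shape described above, for offline use.
SAMPLE_FOLDERS_RESPONSE = json.dumps({"folders": [
    {"id": 2, "name": "Trash", "type": "trash"},
    {"id": 3, "name": "My Scans", "type": "main"},
    {"id": 17, "name": "Production", "type": "custom"},
]})

if __name__ == "__main__":
    # Replace the placeholders with your Nessus URL, keys and CA bundle path.
    print(check_nessus_connection("https://nessus.example.internal:8834",
                                  "ACCESS_KEY_PLACEHOLDER",
                                  "SECRET_KEY_PLACEHOLDER",
                                  "/path/to/nessus-ca.pem"))
```

An SSL error here means the trust relationship from the hint above is not in place; an HTTP 401 means the key pair is wrong, and a successful folder list is what Graylog needs before it can populate the Folders field.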

Import Vulnerability Scans

You have two methods for importing new vulnerability scan data: automatic sync and manual import. With either method, new imports completely replace previous information so all existing vulnerabilities are updated, as appropriate, and any new information is added.

Import Sync

You enable the automatic sync option with the Enabled Sync setting when you define the scanner. You can also use the toggle on the table view under Enable Periodical Imports.

When the sync option is enabled, new vulnerability data is imported according to the sync interval you set.

Manual Import

To manually import scan data:

  1. Click a scanner to view its detail page.

  2. Click Import Vulnerabilities.

  3. Click Import on the dialog box to confirm.