Custom ASP for Tenable PVS (Passive Vulnerability Scanner)

Dear Community,

I have created a custom parsing rule to handle SYSLOG events sent by Tenable PVS sensors.

This is a very basic parsing rule, as only the first CEF fields are mapped to the SIEM fields - but it should be enough to catch the interesting stuff (see PVS Syslog format | Tenable Discussions Forum for details).

As this is not a supported data source, you first need to configure it as:

  • Data source: GENERIC
  • Data source model: Advanced Syslog Parser
  • Data format: Default
  • Data retrieval: Syslog

Then, create custom types (you could use default ones instead, but then you'll need to change the mapping accordingly):

  1. PVS_PluginID, integer, #1
  2. PVS_PluginName, string, #2
  3. PVS_EventDetails, random string, #3

Then import and apply the attached parsing rule to the data source (I removed the aggregation to prevent information loss on my side).

I also attached a sample dashboard with the main Plugin Names.

Have a great day!

Julien
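
The mapping described in the post above, sketched in Python as an added example (it is not the attached parsing rule, nor McAfee or Tenable code): it splits the standard CEF header on unescaped pipes and fills the three custom types. It assumes the plugin ID sits in the CEF Signature ID field and the plugin name in the Name field; the sample line and all values in it are constructed.

```python
import re

# Standard CEF header: CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
HEADER_FIELDS = ("cef_version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")

# Constructed sample line (not a real PVS event); the name contains an escaped pipe.
SAMPLE = ("<134>Jan 12 10:15:02 pvs-sensor01 CEF:0|Tenable|PVS|4.0|7035|"
          "Example Service \\| Detection|1|src=10.0.0.5 dst=10.0.0.9 dpt=443")

def split_cef_header(payload):
    """Split on unescaped '|' only; return the 7 header fields and the raw extension."""
    fields, current, i = [], [], 0
    while i < len(payload) and len(fields) < len(HEADER_FIELDS):
        ch = payload[i]
        if ch == "\\" and i + 1 < len(payload) and payload[i + 1] in "|\\":
            current.append(payload[i + 1])  # unescape \| and \\
            i += 2
            continue
        if ch == "|":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError("truncated CEF header")
    return fields, payload[i:]

def parse_pvs_event(line):
    """Map a syslog line carrying CEF to the three custom types from the post."""
    start = line.find("CEF:")
    if start < 0:
        return None  # not a CEF event; leave it for another rule
    fields, extension = split_cef_header(line[start + 4:])
    header = dict(zip(HEADER_FIELDS, fields))
    # Assumption: PVS_PluginID comes from Signature ID and must be an integer.
    if not re.fullmatch(r"[0-9]+", header["signature_id"]):
        raise ValueError("non-integer plugin ID: %r" % header["signature_id"])
    return {
        "PVS_PluginID": int(header["signature_id"]),
        "PVS_PluginName": header["name"],        # assumption: CEF Name field
        "PVS_EventDetails": extension.strip(),   # extension kept as one raw string
    }
```

Keeping the extension as a single string mirrors the post's "only the first CEF fields are mapped" approach; a naive split on every `|` would cut the plugin name short whenever it contains an escaped pipe.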

2 Replies
McAfee Employee spamidi

Re: Custom ASP for Tenable PVS (Passive Vulnerability Scanner)

Hi Julienb,

Thank you for sharing these details. To help add support for the product, please log a ticket with sample logs and any field mapping details that you can share. This will help our rules team to come up with the appropriate rules to get the data parsed. The greater the number and variety of sample events, the better the accuracy of the parsed events.

Thank you.

Re: Custom ASP for Tenable PVS (Passive Vulnerability Scanner)

Dear Sailendra,

Due to the nature of these logs, it would take too much time to anonymize them correctly before I can send you a snapshot. If you want to start supporting the PVS product, I suggest getting in touch with Tenable directly so they can provide you with fully documented materials.

Have a great day,

Julien
