Custom ASP for Tenable PVS (Passive Vulnerability Scanner)

Dear Community,

I have created a custom parsing rule to handle SYSLOG events sent by Tenable PVS sensors.

This is a very basic parsing rule, as only the first CEF fields are mapped to the SIEM fields - but it should be enough to catch the interesting stuff (see PVS Syslog format | Tenable Discussions Forum for details).

As this is not a supported data source, you first need to configure it as:

  • Data source: GENERIC
  • Data source model: Advanced Syslog Parser
  • Data format: Default
  • Data retrieval: Syslog

Then, create custom types (you could use some default ones instead, but then you'll need to change the mapping accordingly):

  1. PVS_PluginID, integer, #1
  2. PVS_PluginName, string, #2
  3. PVS_EventDetails, random string, #3

Then import and apply the attached parsing rule to the data source (I removed the aggregation to prevent information loss on my side).

I also attached a sample dashboard with the main Plugin Names.

Have a great day!

Julien
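To make the mapping above concrete, here is an added example (it is not Julien's attached ASP rule, which is an ESM parsing rule rather than Python): a small CEF parser that pulls the header fields a PVS event carries and maps them onto the three custom types and the usual SIEM fields. The sample lines are constructed; they assume PVS emits a standard CEF header with the plugin ID as the Signature ID field and the plugin name as the Name field. Check that assumption against the Tenable thread referenced above before reusing the field positions.

```python
"""Parse PVS syslog lines in CEF layout into the custom ESM fields named in the post.

Added example. SAMPLE_EVENTS are constructed, not captured PVS output; the
field positions (Signature ID = plugin ID, Name = plugin name) are an assumption.
"""
import re
from typing import Optional, Tuple, List

SAMPLE_EVENTS = [
    # Plain event: plugin 3, severity 1, msg holds the detail text
    "<134>Jun 12 10:15:01 pvs-sensor CEF:0|Tenable|PVS|4.0.0|3|Netstat Portscanner (SSH)|1|"
    "src=10.0.0.5 dst=10.0.0.9 dpt=22 proto=tcp msg=SSH service detected",
    # Escaped '|' inside the Name header field and an escaped '=' inside msg
    "<134>Jun 12 10:15:02 pvs-sensor CEF:0|Tenable|PVS|4.0.0|1442|Web Server \\| Version Check|2|"
    "src=10.0.0.5 dst=10.0.0.7 dpt=80 msg=Server header\\=Apache/2.4.41 sproc=httpd",
    # Not a CEF line at all; the parser must reject it rather than guess
    "<134>Jun 12 10:15:03 pvs-sensor PVS sensor heartbeat",
]

# The seven CEF header fields that precede the free-form extension
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")


def split_header(cef_body: str) -> Tuple[List[str], str]:
    """Split the CEF header on unescaped '|' (honouring '\\|' and '\\\\').

    Returns the seven unescaped header fields and the raw extension string,
    which is left untouched so its own '\\=' escapes survive for parse_extension.
    """
    fields, current, i = [], [], 0
    while i < len(cef_body) and len(fields) < len(HEADER_FIELDS):
        ch = cef_body[i]
        if ch == "\\" and i + 1 < len(cef_body):
            current.append(cef_body[i + 1])   # escaped character, keep literally
            i += 2
            continue
        if ch == "|":
            fields.append("".join(current))
            current = []
            i += 1
            continue
        current.append(ch)
        i += 1
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError("truncated CEF header")
    return fields, cef_body[i:]


# A new key starts only after a space followed by 'key=' (values may contain spaces)
_KEY_SPLIT = re.compile(r" (?=[A-Za-z0-9_.]+=)")


def parse_extension(ext: str) -> dict:
    """Turn the CEF extension ('k=v k2=v v' with '\\=' escapes) into a dict."""
    out = {}
    if not ext.strip():
        return out
    for pair in _KEY_SPLIT.split(ext.strip()):
        key, _, value = pair.partition("=")
        out[key] = re.sub(r"\\(.)", r"\1", value)   # drop the escape backslash
    return out


def parse_pvs_syslog(line: str) -> Optional[dict]:
    """Map one syslog line to the custom types from the post; None if not CEF."""
    idx = line.find("CEF:")
    if idx < 0:
        return None
    try:
        header, ext_raw = split_header(line[idx + len("CEF:"):])
    except ValueError:
        return None
    hdr = dict(zip(HEADER_FIELDS, header))
    ext = parse_extension(ext_raw)
    if not hdr["signature_id"].isdigit():
        return None   # PVS_PluginID is declared as an integer custom type
    return {
        "PVS_PluginID": int(hdr["signature_id"]),        # custom type #1 (integer)
        "PVS_PluginName": hdr["name"],                   # custom type #2 (string)
        "PVS_EventDetails": ext.get("msg", ext_raw),     # custom type #3 (random string)
        "Severity": int(hdr["severity"]) if hdr["severity"].isdigit() else None,
        "Source IP": ext.get("src"),
        "Destination IP": ext.get("dst"),
        "Destination Port": int(ext["dpt"]) if ext.get("dpt", "").isdigit() else None,
    }


def parse_all(lines) -> List[dict]:
    """Parse a batch of lines, silently dropping non-CEF noise."""
    return [ev for ev in (parse_pvs_syslog(l) for l in lines) if ev is not None]


if __name__ == "__main__":
    for event in parse_all(SAMPLE_EVENTS):
        print(event)
```

The two escape rules are the part most home-grown rules get wrong: a '|' escaped inside the Name field must not end the header, and an '=' escaped inside msg must not start a new key. Both cases are in the constructed samples so a rule rewrite can be checked against them.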

2 Replies
McAfee Employee spamidi

Re: Custom ASP for Tenable PVS (Passive Vulnerability Scanner)

Hi Julienb,

Thank you for sharing these details. To help add support for the product, please log a ticket with sample logs and any field mapping details that you can share. This will help our rules team to come up with the appropriate rules to get the data parsed. The more numerous and varied the sample events, the better the accuracy of the parsed events.

Thank you.

Re: Custom ASP for Tenable PVS (Passive Vulnerability Scanner)

Dear Sailendra,

Due to the nature of these logs, it would take too much time to anonymize them correctly before I can send you a snapshot. If you want to start supporting the PVS product, I suggest getting in touch with Tenable directly so they can provide you with fully documented materials.

Have a great day,

Julien
