Troubleshooting
Problem
This technote describes an error that can occur when attempting to perform a Nessus scheduled results import.
Symptom
The import may fail with the following error in the qradar.error log:
Mar 14 19:02:45 IP Address [vis0.vis] [Nessus Scanner-53-worker] com.q1labs.vis.scanners.nessus.NessusTaskModule: [ERROR] [NOT:0000003000][5.4.3.2/- -] [-/- -]Failed to parse Nessus results file: 43e96e28-bf04-1a34-51cb-359e6b741832aad6b009e30d8d6d.nessus
Mar 14 19:02:45 5.4.3.2 [vis0.vis] [Nessus Scanner-53-worker] com.ctc.wstx.exc.WstxIOException: Invalid UTF-8 start byte 0x89 (at char #3, byte #-1)
Environment
QRadar 7.2. Nessus v4 or v5
Resolving The Problem
There are several possible resolutions to this issue.
-
- The .nessus scan report might be incorrectly formatted for QRadar and the system cannot properly import the file from a scheduled import.
QRadar supports imports of Nessus scan reports in .nessus format or scan reports exported to a Nessus output format, such as XML2.
- The wrong .nessus file might be imported by QRadar in the VA scanner configuration.
For example, if the path to the .nessus file to import has been specified as /opt/nessus/var/nessus/users/nessus/reports/ the .nessus files in that directory are binary and cannot be parsed correctly.
- Administrators should review the version of the Nessus scanner installed on their system to ensure they are at the latest version recommended by IBM Fix Central. If automatic updates are enabled on the system, administrators can review the auto update log to see if any Nessus updates failed to install on their appliance.
- The .nessus scan report might be incorrectly formatted for QRadar and the system cannot properly import the file from a scheduled import.
Related Information
Was this topic helpful?
Document Information
Modified date:
31 August 2018
UID
swg21667823