IBM Support

QRadar Nessus Scan - Import Error Message: Invalid UTF-8 Start Byte 0x89

Troubleshooting


Problem

This technote describes an error that can occur when attempting to perform a Nessus scheduled results import.

Symptom

The import may fail with the following error in the qradar.error log:

Mar 14 19:02:45 IP Address [vis0.vis] [Nessus Scanner-53-worker] com.q1labs.vis.scanners.nessus.NessusTaskModule: [ERROR] [NOT:0000003000][5.4.3.2/- -] [-/- -]Failed to parse Nessus results file: 43e96e28-bf04-1a34-51cb-359e6b741832aad6b009e30d8d6d.nessus
Mar 14 19:02:45 5.4.3.2 [vis0.vis] [Nessus Scanner-53-worker] com.ctc.wstx.exc.WstxIOException: Invalid UTF-8 start byte 0x89 (at char #3, byte #-1)

Environment

QRadar 7.2. Nessus v4 or v5

Resolving The Problem

There are several possible resolutions to this issue.

    1. The .nessus scan report might not be in a format that QRadar can parse, so the system cannot import the file from a scheduled import.

      QRadar supports imports of Nessus scan reports in .nessus format or scan reports exported to a Nessus output format, such as XML2.
       
    2. The VA scanner configuration in QRadar might point to the wrong .nessus file.

      For example, if the path to the .nessus file to import has been specified as /opt/nessus/var/nessus/users/nessus/reports/, the .nessus files in that directory are binary and cannot be parsed correctly.
       
    3. Administrators should review the version of the Nessus scanner installed on their system to ensure they are at the latest version recommended by IBM Fix Central. If automatic updates are enabled on the system, administrators can review the auto update log to see if any Nessus updates failed to install on their appliance.
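
A pre-import check for the first two causes above, added here as an example; it is not part of the IBM technote or of QRadar. It reports where a candidate file stops being valid UTF-8, as the parser did for byte 0x89, and whether it opens as Nessus XML. The function names, the sample bytes and the `NessusClientData` root-element prefix are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Check that a Nessus results file is UTF-8 XML before QRadar imports it."""
import sys

UTF8_BOM = b"\xef\xbb\xbf"
# Assumption (not from the technote): Nessus XML exports open with a root
# element whose name starts with "NessusClientData" (v1 and _v2 formats).
ROOT_PREFIX = "<NessusClientData"

# Constructed samples: a binary blob with 0x89 as its third byte, and a
# minimal XML export header.
BINARY_SAMPLE = b"\x00\x01\x89\x00\x10\xff binary report data"
XML_SAMPLE = b'<?xml version="1.0" ?>\n<NessusClientData_v2>\n<Report name="scan">\n'


def check_nessus_export(data):
    """Return (ok, reason) for the raw bytes of a candidate results file."""
    body = data[len(UTF8_BOM):] if data.startswith(UTF8_BOM) else data
    try:
        text = body.decode("utf-8")
    except UnicodeDecodeError as exc:
        # exc.start is the offset at which decoding failed. Bytes 0x80-0xBF
        # are continuation bytes and can never start a UTF-8 sequence.
        return False, "invalid UTF-8 sequence at byte 0x%02x, offset %d: binary file" % (
            body[exc.start], exc.start)
    if not text.lstrip().startswith("<"):
        return False, "valid UTF-8 but not XML: first character is not '<'"
    if ROOT_PREFIX not in text[:4096]:
        return False, "XML without a %s root in the first 4096 characters" % ROOT_PREFIX
    return True, "UTF-8 XML with a NessusClientData root"


def check_file(path):
    """Read a file from disk and run the same check on its contents."""
    with open(path, "rb") as handle:
        return check_nessus_export(handle.read())


if __name__ == "__main__":
    # Usage: python3 check_nessus.py /path/to/export.nessus
    ok, reason = check_file(sys.argv[1])
    print("%s: %s" % ("OK" if ok else "FAIL", reason))
    sys.exit(0 if ok else 1)
```

Run it against the exact path entered in the VA scanner configuration; a FAIL with a byte offset indicates a binary file rather than an XML export.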


Document Information

Modified date:
31 August 2018

UID

swg21667823