Deploy Tenable Nessus Agent Using JSON

When you first launch the agent after installation, the agent first checks for the presence of environment variables, then checks for the config.json file. When the agent launches for the first time, the agent uses that information to link to a manager and set preferences.

To deploy Nessus Agent with the config.json file:

  1. Configure the config.json file.

    Note:config.json must be in ASCII format. Some tools, such as PowerShell, create test files in other formats by default.

    Example Agent config.json file format:

    { "link": { "name": "sensor name", "host": "hostname or IP address", "port": 443, "key": "abcdefghijklmnopqrstuvwxyz", "ms_cert": "CA certificate for linking", "retry": 1, "proxy": { "proxy": "proxyhostname", "proxy_port": 443, "proxy_username": "proxyusername", "proxy_password": "proxypassword", "user_agent": "proxyagent", "proxy_auth": "NONE" } }, "preferences": { "global.max_hosts": "500" } }

    Example Agent config.json file format (when using auto_proxy):

    { "link": { "name": "sensor name", "host": "hostname or IP address", "port": 443, "key": "abcdefghijklmnopqrstuvwxyz", "ms_cert": "CA certificate for linking", "retry": 1, "proxy": { "proxy": "proxyhostname", "proxy_port": 443, "auto_proxy": "true" } } }

    config.json Details

    The following describes the format of the different settings in each section of config.json.

    Note: All sections are optional; if you do not include a section, it is not configured when you first launch the agent. You can manually configure the settings later.


    The link section sets preferences to link the agent to a manager.

    Setting Description


    A name for the scanner.

     A name for your agent. If you do not specify a name for your agent, the name defaults to the name of the computer where you are installing the agent.


    The hostname or IP address of the manager you want to link to.

    To link to, use


    The port for the manager you want to link to.

    For Tenable Nessus Manager: 8834 or your custom port.

    For Tenable Vulnerability Management: 443

    key The linking key that you retrieved from the manager.

    (Optional, Tenable Vulnerability Management-linked agents only)

    The custom network you want to link to. If you do not specify a network, the agent belongs to the default network.



    A custom CA certificate to use to validate the manager's server certificate.



    One or more existing scanner groups where you want to add the scanner. List multiple groups in a comma-separated list. If any group names have spaces, use quotes around the whole list.

    For example: "Atlanta,Global Headquarters"

    One or more existing agent groups where you want to add the agent. If you do not specify an agent group during the install process, you can add your linked agent to an agent group later in Tenable Nessus Manager or Tenable Vulnerability Management.

    List multiple groups in a comma-separated list. If any group names have spaces, use quotes around the whole list.

    For example: "Atlanta,Global Headquarters"

    Note: The agent group name is case-sensitive and must match exactly.



    The number of times the agent attempts to link to the manager if it fails the first attempt.

    If you do not include the retry preference, the agent does not attempt to link after the first failure. The maximum accepted value is 10.

    Note: If you set retry to 1, the agent tries to link to the manager 30 seconds after the initial failure. Every proceeding retry occurs twice as long after the prior retry. For example, if you set retry to 5, the agent attempts to link 30 seconds after the first failure, 60 seconds after the second failure, 120 seconds after the third failure, 240 seconds after the fourth failure, and 480 seconds after the fifth failure.



    If you are using a proxy server, include the following:

    • proxy: The hostname or IP address of your proxy server.

    • proxy_port:The port number of the proxy server.

    • auto_proxy (Windows only): If enabled, the agent uses Web Proxy Auto Discovery (WPAD) to obtain a Proxy Auto Config (PAC) file for proxy settings. This setting overrides all other proxy configuration preferences. If disabled, the agent defaults to the remaining proxy settings.

      Note: If you include auto_proxy in your configuration file, you must also provide the proxy and proxy_port parameters.

    • proxy_username: The name of a user account that has permissions to access and use the proxy server.

    • proxy_password: The password of the user account that you specified as the username.

    • user_agent: The user agent name, if your proxy requires a preset user agent.

    • proxy_auth: The authentication method to use for the proxy.



    Set aws_scanner to true to link the Tenable Nessus scanner as an AWS scanner.

    Note: The Tenable Nessus scanner must already be running on an AWS instance for the flag to take effect.


    The preferences section configures any advanced settings. For more information, see Advanced Settings.

  2. Download the Tenable Nessus Agent package.

  3. (Windows only) Before you install the package, you must modify the package so that Nessus Agent does not start automatically after installation. This is because Nessus Agent must read the config.json file when you start the Nessus Agent service for the first time.

    To modify the package, run the following command:

    msiexec /i <Nessus Agent package>.msi NESSUS_SERVICE_AUTOSTART=false /qn

  4. Install Tenable Nessus Agent.

  5. (macOS only) Unlike Windows, there is no way to turn off autostart before installing Nessus Agent. Therefore, you need to reset the Nessus Agent to a fresh state before adding config.json and starting the Nessus Agent service.

    To return Nessus Agent to a fresh state on macOS, validate config.json, and place config.json in the correct directory, run the following command:

    /Library/NessusAgent/run/sbin/nessuscli prepare-image --json=<path to json file>

    Note: Nessus Agent autostart is disabled by default in Linux packages. Therefore, if you are using Linux, you can ignore steps 3 and 5.
  6. Place config.json in the Nessus Agent directory if it is not already there:

    • Linux — /opt/nessus_agent/var/nessus/config.json
    • Windows — C:\ProgramData\Tenable\Nessus Agent\nessus\config.json
    • macOS — /Library/NessusAgent/run/var/nessus/config.json
  7. Start the Nessus Agent service.

  8. Depending on your operating system, run the following command to verify the config.json preferences:

    • Linux — /opt/nessus_agent/sbin/nessuscli fix --secure --list

    • Windows — "C:\Program Files\Tenable\Nessus Agent\nessuscli.exe" fix --secure --list

    • macOS — /Library/NessusAgent/run/sbin/nessuscli fix --secure --list

    Once you verify that the preferences were successfully applied, the linking process is complete.