Advanced Settings

You can manually configure agents by setting advanced settings from the agent command line interface. You can modify some system-wide agent settings from Tenable Nessus Manager advanced settings or the Linked Agents tab in Tenable Vulnerability Management (see Agent Settings in the Tenable Vulnerability Management User Guide for more information). Nessus Agent validates your input values to ensure only valid configurations are allowed.

Tenable Nessus Agent Advanced Settings

You can configure the following agent settings in the command line interface using the nessuscli utility.

Use the command # nessuscli fix --set setting=value. For more information, see Tenable Nessus Agent CLI Commands .

Tip: Customers with many agents (10,000+) may want to configure the agent_merge_audit_trail, agent_merge_kb, agent_merge_journal_mode, and agent_merge_synchronous_setting settings. Modifying these settings can dramatically lower the amount of time it takes to merge agent scan results. Review the descriptions in the following table for suggested configurations.

Name	Setting	Description	Default	Valid Values
Agent Update Plan	agent_update_channel	(Tenable Vulnerability Management-linked agents only) Sets the agent update plan to determine what version the agent automatically updates to. Note: For agents linked to Tenable Vulnerability Management, you need to run the agent_update_channel command from the agent nessuscli utility. For agents linked to Tenable Nessus Manager, you need to run the agent_update_channel command from the Tenable Nessus Managernessuscli utility.	ga	ga: Automatically updates to the latest Agent version when it is made generally available (GA). Note: This date is usually one week after the version is made generally available. For versions that address critical security issues, Tenable may make the version available immediately. ea: Automatically updates to the latest Agent version as soon as it is released for Early Access (EA), typically a few weeks before general availability. stable: Does not automatically update to the latest Tenable Nessus Agent version. Remains on an earlier version of Tenable Nessus Agent set by Tenable, usually one release older than the current generally available version, but no earlier than 7.7.0. When Tenable Nessus Agent releases a new version, your agent updates software versions, but stays on a version prior to the latest release.
Always Validate SSL Server Certificates	strict_certificate_validation	When enabled, always validate SSL server certificates, even during initial remote link (requires manager to use a trusted root CA).	no	yes or no
Automatic Hostname Update	update_hostname	When enabled, when someone modifies the endpoint hostname, the new hostname is updated in the agent's manager. This feature is disabled by default to prevent custom agent names from being overridden.	no	yes or no
Connection Status Check Time	connection_status_check_time	(Tenable Vulnerability Management-linked agents only) Determines how often the agent checks its connection status when offline in seconds.	900	Integers >299
Days To Keep Unused Plugins	days_to_keep_unused_plugins	(Tenable Vulnerability Management-linked agents only) Determines the duration of time (in days) after which an agent deletes an unused plugin set. For example, if you set this setting to 14 and the agent has not used one of its plugin set for scanning in over 14 days, the agent deletes that plugin set.	14	Integers >7
Detect Duplicate Agents	detect_duplicates	Regardless of this setting, the agent automatically checks if it is a duplicate agent by comparing its current list of MAC addresses to the MAC addresses the agent had at link time. For agents linked to Tenable Vulnerability Management or Tenable Nessus Manager 8.11.1 and later, the manager performs the same check to identify duplicate agents. When disabled, the agent automatically logs duplicates in backend.log, but no action is taken. When enabled, if either the agent or the manager detects a duplicate agent, the agent automatically unlinks and regenerates its identifying information (for example, the UUID) so that it can be linked again. This event is logged in backend.log. You must manually relink the agent.	no	yes or no
Disable Core Updates	disable_core_updates	When set to yes, the agent does not request automatic core updates. You can still upgrade software versions manually. The agent can still receive plugin updates.	no	yes or no
Log File Maximum Files	logfile_max_files	Determines the maximum number of nessusd.messages files that Tenable Nessus Agent keeps on the disk. If the number of nessusd.messages log files exceeds the specified value, Tenable Nessus Agent deletes the oldest log files.	Tenable Nessus — 100 Tenable Nessus Agent — 2	Integers 1-1000
Log File Maximum Size	logfile_max_size	Determines the maximum size of the nessusd.messages file in MB. If the file size exceeds the maximum size, Tenable Nessus Agent creates a new messages log file.	Tenable Nessus —512 Tenable Nessus Agent — 10	Integers 1-2048
Log File Rotation	logfile_rot	Determines whether Tenable Nessus Agent rotates messages log files based on maximum rotation size or rotation time.	size	size — Tenable Nessus Agent rotates log files based on size, as specified in logfile_max_size. time — Tenable Nessus Agent rotates log files based on time, as specified in logfile_rotation_time.
Log File Rotation Time	logfile_rotation_time	Determines how often Tenable Nessus Agent messages log files are rotated in days.	1	Integers 1-365
Long Term Upload Interval Seconds	long_term_upload_interval_seconds	(Tenable Vulnerability Management-linked agents only) Determines the number of seconds the agent waits between attempting to upload smart scan results.	180	Integers >59
Maximum Ports in Scan Reports	report.max_ports	The maximum number of allowable ports. If there are more ports in the scan results than this value, Tenable Nessus discards the port scan results. This limit helps guard against fake targets that may have thousands of reported ports, but can also result in the deletion of valid results from the scan results database, so you may want to increase the default if this is a problem.	1024	Integers
Maximum Ports Reported by Portscanner Plugins	portscanner.max_ports	The maximum number of ports that the Tenable Nessus port-scanning plugins can mark as open. This includes the port scanners proper and any plugin that calls NASL function scanner_add_port().	1024	Integers 0-65535
Maximum Scans Per Day	maximum_scans_per_day	Determines the maximum number of scans an agent can run per day.	10	Integers 1-48
Minimum Metadata Update Interval	min_metadata_update_interval	(Tenable Vulnerability Management-linked agents only) Determines the minimum number of minutes between the agent's attempts to push metadata to Tenable Vulnerability Management. Note: The agent only attempts to push metadata to Tenable Vulnerability Management if the metadata changes.	10	Integers >4
Nessus Dump File Max Files	dumpfile_max_files	Sets the maximum number of the nessusd.dump files kept on disk. If the number exceeds the specified value, the setting deletes the oldest dump file.	100	Integers 1-1000
Nessus Dump File Max Size	dumpfile_max_size	Sets the maximum size of the nessusd.dump files in MB. If file size exceeds the maximum size, the setting creates a new dump file.	512	Integers 1-2048
Offline Agent Scan Trigger Execution Threshold	offline_agent_scan_trigger_execution_threshold_days	(Tenable Vulnerability Management-linked agents only) Determines the number of days of being offline after which rule-based scans no longer launch.	14	Integers >0
Plugin Compilation Performance	plugin_load_performance_mode	Sets plugin compilation performance, which affects CPU usage. Low performance slows down plugin compilation, but reduces the agent's CPU consumption. Setting the performance to medium or high means that plugin compilation completes more quickly, but the agent consumes more CPU. low: Uses exactly one thread. Deliberately consumes less time than available, approximating 50% usage of one core. medium: Uses up to half as many threads as cores available, up to a maximum of four cores on a system with eight or more cores. Always uses at least one thread. high: Uses as many threads as cores available, up to a maximum of eight threads. For more information, see Agent CPU Resource Control. Note: Tenable recommends setting Plugin Compilation Performance to medium or low for shared resource environments, such as VDI or ESXi.	Tenable Nessus Agent 10.8.3 and later — medium Tenable Nessus Agent 10.8.2 and earlier — high	low, medium, or high
Scan Performance	scan_performance_mode	Sets scan performance, which affects CPU usage. Low performance slows down scans, but reduces the agent's CPU consumption. Setting the performance to medium or high means that scans complete more quickly, but the agent consumes more CPU. For more information, see Agent CPU Resource Control.	high	low, medium, or high
Skip Asset Observation On Update	skip_asset_observation_on_update	Determines whether the agent only updates the asset metadata when linking to Tenable Vulnerability Management. When you set this setting to no, the agent updates Tenable Vulnerability Management with new asset metadata based on the Minimum Metadata Update Interval.	no	yes or no
SSL Cipher List	ssl_cipher_list	Sets the cipher list to use for Agent outbound connections.	compatible	legacy — A list of ciphers that can integrate with older APIs. compatible — A list of secure ciphers. May not include all the latest ciphers. modern — A list of the latest and most secure ciphers. custom — A custom OpenSSL cipher list. For more information on valid cipher list formats, see the OpenSSL documentation. Tip: For a list of Tenable-supported ciphers, see System Requirements in the Tenable Vulnerability Management User Guide.
SSL Mode	ssl_mode	Minimum supported version of TLS.	tls_1_2	ssl_3_0 — SSL v3+. tls_1_2 — TLS v1.2+.

Tenable Nessus Agent Secure Settings

You can configure the following secure settings in the command line interface, using the nessuscli utility.

Use the command # nessuscli fix --secure --set setting=value. For more information, see Tenable Nessus Agent CLI Commands .

Caution: Tenable does not recommend changing undocumented --secure settings as it may result in an unsupported configuration.

Setting	Description	Valid Values
auto_proxy	(Windows-only) If enabled, the agent uses Web Proxy Auto Discovery (WPAD) to obtain a Proxy Auto Config (PAC) file for proxy settings. This setting overrides all other proxy configuration preferences. If disabled, the agent defaults to the remaining proxy settings.	true or false
ignore_proxy	If enabled, the agent attempts a direct connection to the manager instead of using the set proxy, until it fails 10 times. If disabled, the agent attempts to connect using the set proxy, until it fails three times. This setting changes automatically, as described in Proxy Connection Fallback. You can also set this setting manually; however, if at any point the agent meets one of the conditions described in Proxy Connection Fallback, the agent automatically changes the setting.	yes or no
ms_proxy	When enabled, the agent uses a proxy to connect to its manager.	true or false
proxy	The hostname or IP address of your proxy server.	String
proxy_port	The port number of the proxy server.	String
proxy_auth	(Optional) If you want to use authentication to connect to the proxy, specify the authentication scheme.	basic, digest, ntlm, or auto
proxy_username	If using authentication to connect to the proxy, the name of a user account that has permissions to access and use the proxy server.	String. If there are spaces, use quotes (").
proxy_password	If authenticating with the proxy, password associated with the username.	String

Tenable Nessus Manager advanced settings

You can configure the following system-wide agent settings in Tenable Nessus Manager, under the Agents & Scanners section. For more information, see Advanced Settings in the Tenable Nessus User Guide.

Name	Setting	Description	Default	Valid Values	Restart Required?
Agent Auto Delete	agent_auto_delete	Controls whether agents are automatically deleted after they have been inactive for the duration of time set for agent_auto_delete_threshold.	no	yes or no	no
Agent Auto Delete Threshold	agent_auto_delete_threshold	The number of days after which inactive agents are automatically deleted if agent_auto_delete is set to yes.	60	Integers 1-365	no
Agent Auto Unlink	agent_auto_unlink	Controls whether agents are automatically unlinked after they have been inactive for the duration of time set for agent_auto_unlink_threshold.	no	yes or no	no
Agent Auto Unlink Threshold	agent_auto_unlink_threshold	The number of days after which inactive agents are automatically unlinked if agent_auto_unlink is set to yes. Note: This value must be less than the agent_auto_delete_threshold.	30	Integers 30-90	no
Agents Progress	agents_progress_viewable	When a scan gathers information from agents, Tenable Nessus Manager does not show detailed agents information if the number of agents exceeds this setting. Instead, a message indicates that results are being gathered and will be viewable when the scan is complete.	100	Integers. If set to 0, this defaults to 100.	no
Automatically Download Agent Updates	agent_updates_from_feed	When enabled, new Tenable Nessus Agent software updates are automatically downloaded.	yes	yes or no	yes
Concurrent Agent Software Updates	cloud.manage.download_max	The maximum concurrent agent update downloads.	10	Integers	no
Include Audit Trail Data	agent_merge_audit_trail	Controls whether or not agent scan result audit trail data is included in the main agent database. Excluding audit trail data can significantly improve agent result processing performance. If this setting is set to false, the Audit Trail Verbosity setting in an individual scan or policy defaults to No audit trail. Available in Nessus 8.3 and later.	false	true or false	no
Include KB Data	agent_merge_kb	Includes the agent scan result KB data in the main agent database. Excluding KB data can significantly improve agent result processing performance. If this setting is set to false, the Include the KB setting in an individual scan or policy defaults to Exclude KB. Available in Nessus 8.3 and later.	false	true or false	no
Result Processing Journal Mode	agent_merge_journal_mode	Sets the journaling mode to use when processing agent results. Depending on the environment, this can somewhat improve processing performance, but also introduces a small risk of a corrupted scan result in the event of a crash. For more details, refer to the sqlite3 documentation. Available in Nessus 8.3 and later.	DELETE	MEMORY TRUNCATE DELETE	no
Result Processing Sync Mode	agent_merge_synchronous_setting	Sets the filesystem sync mode to use when processing agent results. Turning this off will significantly improve processing performance, but also introduces a small risk of a corrupted scan result in the event of a crash. For more details, refer to the sqlite3 documentation. Available in Nessus 8.3 and later.	FULL	OFF NORMAL FULL	no
Track Unique Agents	track_unique_agents	When enabled, Tenable Nessus Manager checks if MAC addresses of agents trying to link match MAC addresses of currently linked agents with the same hostname, platform, and distro. Tenable Nessus Manager deletes duplicates that it finds.	no	yes or no	no