Nessuscli Agent

Use the Agent nessuscli utility to perform some Nessus Agent functions through a command line interface.

Note: You must run all Agent nessuscli commands as a user with administrative privileges.

Nessuscli Syntax

Operating System: Linux

# /opt/nessus_agent/sbin/nessuscli <cmd> <arg1> <arg2>

Operating System: macOS

# sudo /Library/NessusAgent/run/sbin/nessuscli <cmd> <arg1> <arg2>

Operating System: Windows

C:\Program Files\Tenable\Nessus Agent\nessuscli.exe <cmd> <arg1> <arg2>

Nessuscli Commands

Command Description
Informational Commands

# nessuscli help

Displays a list of nessuscli commands.

# nessuscli -v

Displays your current version of Nessus Agent.

Bug Reporting Commands

# nessuscli bug-report-generator

Generates an archive of system diagnostics.

If you run this command without arguments, the utility prompts you for values.

Optional arguments:

  • --quiet — Run the bug report generator without prompting user for feedback.

  • --scrub — The bug report generator sanitizes the last two octets of the IPv4 address.

  • --full — The bug report generator collects extra data.

Image Preparation Commands
# nessuscli prepare-image

Performs pre-imaging cleanup, including the following:

  • Unlinks the agent, if linked.

  • Deletes any host tag on the agent. For example, the registry key on Windows or tenable_tag on Unix.

  • Deletes any UUID file on the agent. For example, /opt/nessus/var/nessus/uuid (or equivalent on MacOS/Windows).

  • Deletes plugin dbs.

  • Deletes global db.

  • Deletes master.key.

  • Deletes the backups directory.

Optional arguments:

  • --json=<file> — Validates an auto-configuration .json file and places it in the appropriate directory.

Local Agent Commands

Used to link, unlink, and display agent status

# nessuscli agent link --key=<key> --host=<host> --port=<port>

Using the Nessus Agent Linking Key, this command links the agent to the Nessus Manager or

Required arguments:

  • --key — The linking key that you retrieved from the manager.
  • --host — The static IP address or hostname you set during the Nessus Manager installation.

    Note: Starting with Nessus Agent 8.1.0, agents communicate with using If agents are unable to connect to, they use instead. Agents with earlier versions continue to use the domain.
  • --port — 8834 or your custom port.

Optional arguments:

  • --auto-proxy — (Windows-only) When set, the agent uses Web Proxy Auto Discovery (WPAD) to obtain a Proxy Auto Config (PAC) file for proxy settings. This setting overrides all other proxy configuration preferences.
  • --name — A name for your agent. If you do not specify a name for your agent, the name defaults to the name of the computer where you are installing the agent.
  • --groups — One or more existing agent groups where you want to add the agent. If you do not specify an agent group during the install process, you can add your linked agent to an agent group later in Nessus Manager. List multiple groups in a comma-separated list. If any group names have spaces, use quotes around the whole list. For example: "Atlanta,Global Headquarters"

    Note: The agent group name is case-sensitive and must match exactly.

  • --ca-path — A custom CA certificate to use to validate the manager's server certificate.
  • --offline-install — When enabled (set to "yes"), installs Nessus Agent on the system, even if it is offline. Nessus Agent periodically attempts to link itself to its manager.

    If the agent cannot connect to the controller, it retries every hour. If the agent can connect to the controller but the link fails, it retries every 24 hours.

  • --network — For agents, adds the agent to a custom network. If you do not specify a network, the agent belongs to the default network.

  • --proxy-host — The hostname or IP address of your proxy server.
  • --proxy-port — The port number of the proxy server.
  • --proxy-password — The password of the user account that you specified as the username.
  • --proxy-username — The name of a user account that has permissions to access and use the proxy server.
  • --proxy-agent — The user agent name, if your proxy requires a preset user agent.
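
The link arguments above, assembled by a small wrapper. This is an added example, not Tenable code: the function names and the key file are assumptions, and it uses the Linux install path. It reads the linking key from a file that only its owner can read, validates the required arguments, and keeps a group list that contains spaces as a single argument.

```shell
#!/bin/sh
# Added example, not Tenable code. Function names and the key file are assumptions.
NESSUSCLI=/opt/nessus_agent/sbin/nessuscli   # Linux path from the syntax section

# Print the linking key stored in file $1; refuse a file group/other can read.
read_link_key() {
  [ -f "$1" ] && [ -r "$1" ] || { echo "key file missing: $1" >&2; return 1; }
  if [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \))" ]; then
    echo "key file is readable by group or other: $1" >&2; return 1
  fi
  key=$(head -n 1 "$1" | tr -d '[:space:]')
  [ -n "$key" ] || { echo "key file is empty: $1" >&2; return 1; }
  printf '%s\n' "$key"
}

# build_link_args <key> <host> [port] [groups] [ca_path]
# Validates the inputs, then prints one nessuscli argument per line.
build_link_args() {
  key=$1; host=$2; port=${3:-8834}; groups=$4; ca=$5
  [ -n "$key" ] && [ -n "$host" ] || { echo "--key and --host are required" >&2; return 1; }
  case $host in *[!A-Za-z0-9.:-]*) echo "invalid host: $host" >&2; return 1 ;; esac
  case $port in *[!0-9]*) echo "invalid port: $port" >&2; return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
  [ -z "$ca" ] || [ -r "$ca" ] || { echo "CA file not readable: $ca" >&2; return 1; }
  printf '%s\n' "--key=$key" "--host=$host" "--port=$port"
  # The group list is case-sensitive and may contain spaces: it stays one argument.
  [ -z "$groups" ] || printf '%s\n' "--groups=$groups"
  [ -z "$ca" ] || printf '%s\n' "--ca-path=$ca"
  return 0
}

# link_agent <key_file> <host> [port] [groups] [ca_path]  (run as root)
link_agent() {
  k=$(read_link_key "$1") || return 1
  shift
  args=$(build_link_args "$k" "$@") || return 1
  old_ifs=$IFS
  IFS='
'
  set -f; set -- $args; set +f   # split on newlines only, no globbing
  IFS=$old_ifs
  "$NESSUSCLI" agent link "$@"
}
```
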

# nessuscli agent unlink

Unlinks agent from the Nessus Manager or

nessuscli scan-triggers --list

Lists details about the agent's rule-based scans:

  • Scan name

  • Status (for example, uploaded)

  • Time of last activity (shown next to the status)

  • Scan description

  • Time of last policy modification

  • Time of last run

  • Scan triggers

  • Scan configuration template

  • Command to launch the scan (nessuscli scan-triggers --start --UUID=<scan-uuid>)

nessuscli scan-triggers --start --UUID=<scan-uuid>

( agents only)

Manually executes a rule-based scan based on UUID.

# nessuscli agent status

Displays the status of the agent, rule-based scanning information, jobs pending, and whether the agent is linked to the server.

Optional arguments:

  • --local — (Default behavior) Provides the status, current jobs count, and jobs pending. This option prevents the agent from contacting its management software to fetch the status. Instead, it shows the last known information from its most recent sync.

  • --remote — (Default behavior) Fetches the job count from the manager and displays the status.

    Note: Tenable does not recommend running frequent status checks with the --remote option (for example, when using automation).

  • --offline — Provides the most recently cached agent status when it cannot connect to Nessus Manager or

  • --show-token — Displays the agent's token that is used to identify and authenticate with its manager.

  • --show-uuid — Displays the agent's Tenable UUID.

nessuscli plugins --info

Lists details about the agent's full and inventory plugin sets:

  • Installed version

  • Last downloaded

  • Last needed

  • Expires in — The plugin set's expiration time and date (that is, when the plugin set is no longer needed).

  • Plugins — The total number of plugins in the plugin set.

  • Uncompressed source size

Lists details and statistics about the agent's plugins, such as:

  • Last plugin update time

  • Last plugin update check time

  • Total compressed plugins source size

  • Total compiled plugins size

  • Total plugins attributes data

  • Total plugin size on disk

nessuscli plugins --reset

Deletes all plugins and plugin-related data off the disk. The agent is able to download plugins immediately after the deletion completes.

Note: This command only triggers if the agent has plugin data on its disk.

Update Commands
# nessuscli agent update --file=<plugins_set.tgz>

Manually installs a plugin set.

nessuscli fix --set agent_update_channel=<value>

( agents only)

Sets the agent update plan to determine what version the agent automatically updates to.


  • ga — Automatically updates to the latest Nessus version when it is made generally available (GA). Note: This date is the same day the version is made generally available.

  • ea — Automatically updates to the latest Nessus version as soon as it is released for Early Access (EA), typically a few weeks before general availability.

  • stable — Does not automatically update to the latest Nessus version. Remains on an earlier version of Nessus set by Tenable, usually one release older than the current generally available version, but no earlier than 8.10.0. When Nessus releases a new version, your Nessus instance updates software versions, but stays on a version prior to the latest release.

Note: For agents linked to, you need to run the agent_update_channel command from the agent nessuscli utility. For agents linked to Nessus Manager, you need to run the agent_update_channel command from the Nessus Manager nessuscli utility.

nessuscli fix --set maximum_scans_per_day=<value>

( agents only)

Sets the maximum number of scans an agent can run per day. The minimum amount is 1, the maximum amount is 48, and the default amount is 10.

Fix Commands
nessuscli fix --list

Displays a list of agent settings and their values.

nessuscli fix --set <setting>=<value>

Set an agent setting to the specified value.

For a list of agent settings, see Advanced Settings in the Nessus Agent User Guide.

# nessuscli fix --set update_hostname="<value>"

Updates agent hostnames automatically in or Nessus Manager 7.1.1 or later.

You can set the update_hostname parameter to yes or no. By default, this preference is disabled.

Note: Restart the agent service for the change to take effect in Nessus Manager.

# nessuscli fix --set max_retries="<value>"

Sets the maximum number of times an agent should retry in the event of a failure when executing the agent link, agent status, or agent unlink commands. The commands retry consecutively, up to the specified number of times, sleeping between attempts for increasing increments of the time set by retry_sleep_milliseconds. The default value for max_retries is 0.

For example, if you set max_retries to 4 and set retry_sleep_milliseconds to the default of 1500, then the agent will sleep for 1.5 seconds after the first try, 3 seconds after the second try, and 4.5 seconds after the third try.

Note: This setting does not affect offline updates or the agent's normal 24 hour check-in after it is linked.

# nessuscli fix --set retry_sleep_milliseconds="<value>"

Sets the number of milliseconds that an agent sleeps for between retries in the event of a failure when executing the agent link, agent status, or agent unlink commands. The default is 1500 milliseconds (1.5 seconds).

nessuscli fix --set niap_mode=enforcing

Enforces NIAP mode for Nessus Agent. For more information about NIAP mode, see Configure Nessus Agent for NIAP Compliance.

nessuscli fix --set niap_mode=non-enforcing

Disables NIAP mode for Nessus Agent. For more information about NIAP mode, see Configure Nessus Agent for NIAP Compliance.

nessuscli fix --set fips_mode=enforcing

Enforces the current validated FIPS module for Nessus Agent communication and database encryption. The FIPS module does not affect scanning encryption.

Note: Nessus Agent also enforces the FIPS module when you enforce NIAP mode. For more information, see Configure Nessus Agent for NIAP Compliance.

nessuscli fix --set fips_mode=non-enforcing

Disables the FIPS module for Nessus Agent communication and database encryption.

Note: Nessus Agent also disables the FIPS module when you disable NIAP mode. For more information, see Configure Nessus Agent for NIAP Compliance.

Fix Secure Settings
# nessuscli fix --secure --set <setting>=<value>

Set secure settings on the agent.

Caution: Tenable does not recommend changing undocumented --secure settings as it may result in an unsupported configuration.

For a list of supported secure settings, see Advanced Settings in the Nessus Agent User Guide.

nessuscli fix --secure --get agent_linking_key

(Nessus versions 10.4.0 and later only) Retrieve your unique agent linking key.

Note: You can only use this linking key to link an agent. You cannot use it to link a scanner or a child node.
Resource Control Commands  

# nessuscli fix --set process_priority="<value>"

# nessuscli fix --get process_priority

# nessuscli fix --delete process_priority


Set, get, or delete the process_priority setting.

You can control the priority of the Nessus Agent relative to the priority of other tasks running on the system by using the process_priority preference.

For valid <value> preference options and more information on how the setting works, see Agent CPU Resource Control in the Nessus Agent Deployment and User Guide.