Solved: rapid7nexpose.py KeyError: 'session-id'

smitra_splunk · ‎12-05-2017

Hi,

I'm unable to get the modular input for downloading assets and vulnerabilities to connect to the Rapid7Nexpose instance.

Here are the errors I see in the _internal Execprocessor logs in Splunk.

12-06-2017 01:00:00.411 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-rapid7_nexpose/bin/rapid7nexpose.py" KeyError: 'session-id'
12-06-2017 01:00:00.411 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-rapid7_nexpose/bin/rapid7nexpose.py"   File "lxml.etree.pyx", line 2295, in lxml.etree._Attrib.__getitem__ (src/lxml/lxml.etree.c:59806)
12-06-2017 01:00:00.411 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-rapid7_nexpose/bin/rapid7nexpose.py"     self.authtoken = response.attrib['session-id']
12-06-2017 01:00:00.411 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-rapid7_nexpose/bin/rapid7nexpose.py"   File "/opt/splunk/etc/apps/TA-rapid7_nexpose/bin/api/pnexpose.py", line 39, in login
12-06-2017 01:00:00.411 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-rapid7_nexpose/bin/rapid7nexpose.py"     self.login()
12-06-2017 01:00:00.411 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-rapid7_nexpose/bin/rapid7nexpose.py"   File "/opt/splunk/etc/apps/TA-rapid7_nexpose/bin/api/pnexpose.py", line 33, in __init__

Could this be a login issue on the Nexpose server or is it something in Splunk ? I've checked the password.

Any hint/direction is highly appreciated.

Best Regards,
Shreedeep.

damien_chillet · ‎12-06-2017

These error messages suggest that authentication against the Nexpose server was unsuccessful.

Unfortunately, there is not enough to say why.
If you are confident about your credentials/port/hostname, try to make sure there is no firewall blocking the connection.

View solution in original post

MikeElliott · ‎08-14-2020

Posted 2020

I recently deployed this TA and experienced the same issue as in the OP's post. There is a similarly related issue on Answers that states the error message changed when the OP pointed the TA at a scan engine instead of the management console - This was also true for me (changed to a timeout error).

We identified that the user account that was created for us on the Rapid7 asset was configured to force a password reset upon first login. The repeated attempts were also causing account lockouts in the Rapid7 audit logs and was very telling as to the issue.

We disabled the inputs in the Rapid7 TA, reconfigured the user, updated the TA's account configuration and then re-enabled the inputs. We were able to confirm successful configuration almost instantly.

I hope this is helpful for others experiencing the same/similar issues.

damien_chillet · ‎12-06-2017

These error messages suggest that authentication against the Nexpose server was unsuccessful.

Unfortunately, there is not enough to say why.
If you are confident about your credentials/port/hostname, try to make sure there is no firewall blocking the connection.

smitra_splunk · ‎12-08-2017

We pointed to a different Nexpose server/instance/hostname and it worked using the same AD userid/password. There was something wrong within the original Nexpose server as it wouldn't allow us to log in on it's web UI too.

I'm marking your answer as accepted.

rapid7nexpose.py KeyError: 'session-id'

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life