Hi,
We recently configured Rapid7 App on a Search Head. Configuration is pointed to the Nexpose console IP on the default port of 3780. A non-admin user is used for connection to Nexpose. This user has access to all sites/groups.
After letting the nexpose_setup script run for some time, the only two items getting updated (slowly) in the dashboard are Total Assets & Total Vulnerabilities. The rest of the dashboard is blank. I noticed that under nexpose_setup.conf the hostname field was still set to "localhost", but changing that to the console IP did not make any difference.
The following is repeated in rapid7.log:
2016-05-25 10:00:00,675 INFO nexpose_reports:65 - Platform is Linux or Mac
2016-05-25 10:00:00,675 INFO nexpose_reports:70 - Splunk home is </opt/splunk>. Save directories are: </opt/splunk/etc/apps/rapid7/lookups/>, </opt/splunk/etc/apps/rapid7/lookups/vuln_cim_lookups/>, </opt/splunk/etc/apps/rapid7/lookups/asset_cim_lookups/>
2016-05-25 10:00:00,675 INFO nexpose_reports:74 - Created save directory successfully!
2016-05-25 10:00:00,676 INFO nexpose_reports:84 - Created vulnerability save directory successfully!
2016-05-25 10:00:00,676 INFO nexpose_reports:94 - Created asset save directory successfully!
2016-05-25 10:00:01,379 INFO nexpose_setup:34 - Executing nexpose_setup.py
2016-05-25 10:00:01,725 INFO nexpose_setup:34 - Executing nexpose_setup.py
2016-05-25 10:00:02,188 INFO nexpose_setup:34 - Executing nexpose_setup.py
2016-05-25 10:00:02,226 INFO nexpose_reports:163 - Nexpose application enabled. Continuing...
2016-05-25 10:19:44,705 INFO __init__:168 - Using default logging config file: /opt/splunk/etc/log.cfg
2016-05-25 10:19:44,709 INFO __init__:206 - Setting logger=splunk level=INFO
2016-05-25 10:19:44,709 INFO __init__:206 - Setting logger=splunk.appserver level=INFO
2016-05-25 10:19:44,709 INFO __init__:206 - Setting logger=splunk.appserver.controllers level=INFO
2016-05-25 10:19:44,710 INFO __init__:206 - Setting logger=splunk.appserver.controllers.proxy level=INFO
2016-05-25 10:19:44,710 INFO __init__:206 - Setting logger=splunk.appserver.lib level=WARN
2016-05-25 10:19:44,711 INFO __init__:206 - Setting logger=splunk.pdfgen level=INFO
2016-05-25 10:19:44,711 INFO setup:29 - Executing setup.py
2016-05-25 10:38:36,068 INFO nexpose_setup:34 - Executing nexpose_setup.py
2016-05-25 10:38:36,368 INFO nexpose_setup:34 - Executing nexpose_setup.py
2016-05-25 10:38:36,704 INFO nexpose_setup:34 - Executing nexpose_setup.py
2016-05-25 10:38:37,013 INFO nexpose_setup:34 - Executing nexpose_setup.py
2016-05-25 10:38:37,412 INFO nexpose_setup:34 - Executing nexpose_setup.py
2016-05-25 10:38:37,865 INFO nexpose_setup:34 - Executing nexpose_setup.py
Any ideas on what I could have missed? Does this need an admin account on Nexpose?
Thanks,
~ Abhi
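The symptom in the log above is a loop of "Executing nexpose_setup.py" lines with no nexpose_reports activity after the last run. The following is an added triage script, not part of the original post or the Rapid7 app; it parses a constructed excerpt in the rapid7.log format shown above, groups the setup executions into bursts, and reports whether any nexpose_reports line was logged after the final setup run. The 5-second burst gap is an assumed heuristic.

```python
import re
from datetime import datetime

# Constructed sample modelled on the rapid7.log excerpt in the question above.
SAMPLE_LOG = """\
2016-05-25 10:00:00,675 INFO nexpose_reports:65 - Platform is Linux or Mac
2016-05-25 10:00:01,379 INFO nexpose_setup:34 - Executing nexpose_setup.py
2016-05-25 10:00:01,725 INFO nexpose_setup:34 - Executing nexpose_setup.py
2016-05-25 10:00:02,188 INFO nexpose_setup:34 - Executing nexpose_setup.py
2016-05-25 10:00:02,226 INFO nexpose_reports:163 - Nexpose application enabled. Continuing...
2016-05-25 10:38:36,068 INFO nexpose_setup:34 - Executing nexpose_setup.py
2016-05-25 10:38:36,368 INFO nexpose_setup:34 - Executing nexpose_setup.py
2016-05-25 10:38:36,704 INFO nexpose_setup:34 - Executing nexpose_setup.py
"""

# "<date> <time>,<ms> <LEVEL> <logger>:<lineno> - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+) (?P<logger>[\w.]+):(?P<lineno>\d+) - (?P<msg>.*)$"
)

def parse_log(text):
    """Return (timestamp, level, logger, message) tuples; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
            events.append((ts, m["level"], m["logger"], m["msg"]))
    return events

def setup_bursts(events, gap_seconds=5.0):
    """Group 'Executing nexpose_setup.py' timestamps into bursts (assumed gap heuristic)."""
    times = sorted(ts for ts, _, logger, msg in events
                   if logger == "nexpose_setup" and msg == "Executing nexpose_setup.py")
    bursts = []
    for ts in times:
        if bursts and (ts - bursts[-1][-1]).total_seconds() <= gap_seconds:
            bursts[-1].append(ts)
        else:
            bursts.append([ts])
    return bursts

def diagnose(events):
    """Count setup runs and nexpose_reports lines logged after the final setup run.
    Zero report lines after the last run means the app never got past setup."""
    bursts = setup_bursts(events)
    last_setup = bursts[-1][-1] if bursts else None
    after = [msg for ts, _, logger, msg in events
             if logger == "nexpose_reports" and last_setup is not None and ts > last_setup]
    return {"setup_runs": sum(len(b) for b in bursts), "bursts": len(bursts),
            "reports_after_last_setup": len(after), "stuck_in_setup": bool(bursts) and not after}

if __name__ == "__main__":
    print(diagnose(parse_log(SAMPLE_LOG)))
```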
While I run Splunk on Windows, the output should be the same. Is there data in $SPLUNKHOME/etc/apps/rapid7/lookups?
Hi windbishn,
Thanks for the response. It is working now. It seems that admin credentials are needed for it to be able to query the database correctly.
We changed the credentials to one with admin privileges, and now we can see queries being (rapid7.log) and data is also getting populated. We try to keep admin accounts in the console to the bare minimum required, but it looks like there is no other option here, and I don't think there is any option to create a non-interactive admin account which cannot be used to log in to the UI but can still query the DB if needed.
Thanks,
~Abhi