Why is the Splunk ExecProcessor Rescheduling a specific cronjob every interval?

mitchfultz
Engager

Hello,

Splunk ExecProcessor is rescheduling a specific cronjob for the Rapid7 Nexpose add-on; rapid7nexpose.py is being rescheduled at nearly every interval, even if I set it to run every minute. From splunkd.log:

ExecProcessor - setting reschedule_ms=3599999, for command=python /opt/splunk/etc/apps/TA-rapid7_nexpose/bin/rapid7nexpose.py

I have checked and all files are splunk:splunk with the following permissions: -rwxr-xr-x
Authentication with the Nexpose device is successful since we do occasionally get a job to run and fetch the logs. Any help would be greatly appreciated as Splunk support will not assist.

shartwell
Explorer

Hi mitchfultz -

I've looked into this extensively as I'm having the same issue - it appears the rapid7nexpose.py process doesn't exit at the end of its run against the sites eligible for query. The process below started at 5:00am and is still running despite reaching the end of the list of sites to process:

$ ps -ef | grep -v grep | grep nexpose
splunk 58152 29727 0 05:00 ? 00:00:18 python /opt/splunk/etc/apps/TA-rapid7_nexpose/bin/rapid7nexpose.py

Sadly, I've resorted to issuing a kill to take it down after several hours. The splunk daemon restarts it automatically and it begins another run without any further intervention. I've set up a cron job to run once an hour and kill this process if it's older than 4.5 hours - you may need to adjust the time based on number of sites and typical duration:

$ crontab -l
0 */1 * * * kill $(find /proc -maxdepth 1 -user splunk -type d -mmin +270 -exec basename {} \; | xargs ps | grep nexpose | awk '{ print $1 }')

Not a permanent fix, but it will keep me from restarting it manually constantly until I find out why it continues to be rescheduled into the future.

0 Karma
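
A variant of the watchdog described in the reply above, added here as an example and not part of the original post or the add-on: it selects stale runs by elapsed time and exact command line, and skips the kill when nothing matches. It assumes a procps `ps` that supports the `etimes` field; the function names and the sample `ps` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: reap rapid7nexpose.py runs that never exited.
MAX_AGE_SECS=$((270 * 60))   # 4.5 hours, the same threshold as the cron job above
SCRIPT=/opt/splunk/etc/apps/TA-rapid7_nexpose/bin/rapid7nexpose.py

# Reads "pid user etimes args..." lines on stdin and prints the PIDs that are
# owned by user $1, older than $2 seconds, and are a python run of script $3.
stale_pids() {
    awk -v user="$1" -v max="$2" -v script="$3" '
        $2 == user && $3 + 0 > max + 0 && $4 ~ /python/ && $5 == script { print $1 }'
}

# Kill stale runs. When nothing matches, kill is never called, so cron does
# not mail a usage error every hour.
reap_stale() {
    pids=$(ps -eo pid=,user=,etimes=,args= | stale_pids splunk "$MAX_AGE_SECS" "$SCRIPT")
    [ -z "$pids" ] && return 0
    echo "killing stale rapid7nexpose.py pid(s): $pids"
    # Word splitting is intended: one argument per PID.
    kill $pids
}

# Constructed sample of `ps -eo pid=,user=,etimes=,args=` output.
sample_ps() {
cat <<'EOF'
58152 splunk 21600 python /opt/splunk/etc/apps/TA-rapid7_nexpose/bin/rapid7nexpose.py
58990 splunk   120 python /opt/splunk/etc/apps/TA-rapid7_nexpose/bin/rapid7nexpose.py
29727 splunk 90000 splunkd -p 8089 start
61001 splunk 30000 vi /opt/splunk/etc/apps/TA-rapid7_nexpose/bin/rapid7nexpose.py
61500 root   30000 python /opt/splunk/etc/apps/TA-rapid7_nexpose/bin/rapid7nexpose.py
EOF
}

# Act on live processes only when invoked with "run" (for example from cron).
if [ "${1:-}" = "run" ]; then
    reap_stale
fi
```

Piping `sample_ps` into `stale_pids splunk "$MAX_AGE_SECS" "$SCRIPT"` selects only PID 58152: the young run, splunkd itself, the editor session and the root-owned process are all left alone.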