All Apps and Add-ons

rapid7nexpose.py KeyError: 'session-id'

Splunk Employee
Splunk Employee

Hi,

I'm unable to get the modular input for downloading assets and vulnerabilities to connect to the Rapid7Nexpose instance.

Here are the errors I see in the _internal Execprocessor logs in Splunk.

12-06-2017 01:00:00.411 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-rapid7_nexpose/bin/rapid7nexpose.py" KeyError: 'session-id'
12-06-2017 01:00:00.411 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-rapid7_nexpose/bin/rapid7nexpose.py"   File "lxml.etree.pyx", line 2295, in lxml.etree._Attrib.__getitem__ (src/lxml/lxml.etree.c:59806)
12-06-2017 01:00:00.411 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-rapid7_nexpose/bin/rapid7nexpose.py"     self.authtoken = response.attrib['session-id']
12-06-2017 01:00:00.411 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-rapid7_nexpose/bin/rapid7nexpose.py"   File "/opt/splunk/etc/apps/TA-rapid7_nexpose/bin/api/pnexpose.py", line 39, in login
12-06-2017 01:00:00.411 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-rapid7_nexpose/bin/rapid7nexpose.py"     self.login()
12-06-2017 01:00:00.411 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-rapid7_nexpose/bin/rapid7nexpose.py"   File "/opt/splunk/etc/apps/TA-rapid7_nexpose/bin/api/pnexpose.py", line 33, in __init__

Could this be a login issue on the Nexpose server or is it something in Splunk ? I've checked the password.

Any hint/direction is highly appreciated.

Best Regards,
Shreedeep.

0 Karma
1 Solution

These error messages suggest that authentication against the Nexpose server was unsuccessful.

Unfortunately, there is not enough to say why.
If you are confident about your credentials/port/hostname, try to make sure there is no firewall blocking the connection.

View solution in original post

0 Karma

Communicator

Posted 2020

I recently deployed this TA and experienced the same issue as in the OP's post.  There is a similarly related issue on Answers that states the error message changed when the OP pointed the TA at a scan engine instead of the management console - This was also true for me (changed to a timeout error).

We identified that the user account that was created for us on the Rapid7 asset was configured to force a password reset upon first login.  The repeated attempts were also causing account lockouts in the Rapid7 audit logs and was very telling as to the issue.

We disabled the inputs in the Rapid7 TA, reconfigured the user, updated the TA's account configuration and then re-enabled the inputs.  We were able to confirm successful configuration almost instantly.

I hope this is helpful for others experiencing the same/similar issues.

0 Karma

These error messages suggest that authentication against the Nexpose server was unsuccessful.

Unfortunately, there is not enough to say why.
If you are confident about your credentials/port/hostname, try to make sure there is no firewall blocking the connection.

View solution in original post

0 Karma

Splunk Employee
Splunk Employee

We pointed to a different Nexpose server/instance/hostname and it worked using the same AD userid/password. There was something wrong within the original Nexpose server as it wouldn't allow us to log in on it's web UI too.

I'm marking your answer as accepted.

0 Karma