
Unable to see vulnerability and asset data in Rapid7 App for Splunk Enterprise

att35
Builder

Hi,

We recently configured the Rapid7 App on a Search Head. The configuration points to the Nexpose console IP on the default port of 3780. A non-admin user is used for the connection to Nexpose. This user has access to all sites/groups.

After letting the nexpose_setup script run for some time, the only two items getting updated (slowly) in the dashboard are Total Assets & Total Vulnerabilities. The rest of the dashboard is blank. I noticed that under nexpose_setup.conf the hostname field was still set to "localhost", but changing that to the console IP did not make any difference.

The following is repeated in rapid7.log:

2016-05-25 10:00:00,675 INFO    nexpose_reports:65 - Platform is Linux or Mac
2016-05-25 10:00:00,675 INFO    nexpose_reports:70 - Splunk home is </opt/splunk>. Save directories are: </opt/splunk/etc/apps/rapid7/lookups/>, </opt/splunk/etc/apps/rapid7/lookups/vuln_cim_lookups/>, </opt/splunk/etc/apps/rapid7/lookups/asset_cim_lookups/>
2016-05-25 10:00:00,675 INFO    nexpose_reports:74 - Created save directory successfully!
2016-05-25 10:00:00,676 INFO    nexpose_reports:84 - Created vulnerability save directory successfully!
2016-05-25 10:00:00,676 INFO    nexpose_reports:94 - Created asset save directory successfully!
2016-05-25 10:00:01,379 INFO    nexpose_setup:34 - Executing nexpose_setup.py
2016-05-25 10:00:01,725 INFO    nexpose_setup:34 - Executing nexpose_setup.py
2016-05-25 10:00:02,188 INFO    nexpose_setup:34 - Executing nexpose_setup.py
2016-05-25 10:00:02,226 INFO    nexpose_reports:163 - Nexpose application enabled. Continuing...
2016-05-25 10:19:44,705 INFO    __init__:168 - Using default logging config file: /opt/splunk/etc/log.cfg
2016-05-25 10:19:44,709 INFO    __init__:206 - Setting logger=splunk level=INFO
2016-05-25 10:19:44,709 INFO    __init__:206 - Setting logger=splunk.appserver level=INFO
2016-05-25 10:19:44,709 INFO    __init__:206 - Setting logger=splunk.appserver.controllers level=INFO
2016-05-25 10:19:44,710 INFO    __init__:206 - Setting logger=splunk.appserver.controllers.proxy level=INFO
2016-05-25 10:19:44,710 INFO    __init__:206 - Setting logger=splunk.appserver.lib level=WARN
2016-05-25 10:19:44,711 INFO    __init__:206 - Setting logger=splunk.pdfgen level=INFO
2016-05-25 10:19:44,711 INFO    setup:29 - Executing setup.py
2016-05-25 10:38:36,068 INFO    nexpose_setup:34 - Executing nexpose_setup.py
2016-05-25 10:38:36,368 INFO    nexpose_setup:34 - Executing nexpose_setup.py
2016-05-25 10:38:36,704 INFO    nexpose_setup:34 - Executing nexpose_setup.py
2016-05-25 10:38:37,013 INFO    nexpose_setup:34 - Executing nexpose_setup.py
2016-05-25 10:38:37,412 INFO    nexpose_setup:34 - Executing nexpose_setup.py
2016-05-25 10:38:37,865 INFO    nexpose_setup:34 - Executing nexpose_setup.py

Any ideas on what I could have missed? Does this need an admin account on Nexpose?

Thanks,

~ Abhi

0 Karma

windbishn
Explorer

While I run Splunk on Windows, the output should be the same. Is there data in $SPLUNK_HOME/etc/apps/rapid7/lookups?

0 Karma
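A small diagnostic that does what this answer suggests, as an added example (not the Rapid7 app's own code and not posted by anyone in the thread): it parses the rapid7.log excerpt from the question, counts how often nexpose_setup.py was re-executed, and checks whether the three lookup directories the app logs (the base lookups folder, vuln_cim_lookups and asset_cim_lookups) contain any non-empty CSV files. The log-line format is inferred from the lines posted above and the lookup layout is assumed from the log, not taken from app documentation; the lookup tree it runs against is constructed in a temporary directory.

```python
"""Added diagnostic (not part of the Rapid7 app): read a rapid7.log excerpt and
the app's lookup directories and report whether any Nexpose data was written."""
import re
import tempfile
from pathlib import Path

# Log line shape inferred from the thread: "<date> <time> <LEVEL>    <module>:<line> - <message>"
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>[A-Z]+)\s+(?P<module>[\w.]+):(?P<lineno>\d+) - (?P<msg>.*)$")

# Constructed excerpt copied from the lines posted in the question (plus one junk line).
SAMPLE_LOG = """2016-05-25 10:00:00,675 INFO    nexpose_reports:65 - Platform is Linux or Mac
2016-05-25 10:00:00,675 INFO    nexpose_reports:74 - Created save directory successfully!
2016-05-25 10:00:01,379 INFO    nexpose_setup:34 - Executing nexpose_setup.py
2016-05-25 10:00:01,725 INFO    nexpose_setup:34 - Executing nexpose_setup.py
2016-05-25 10:00:02,226 INFO    nexpose_reports:163 - Nexpose application enabled. Continuing...
2016-05-25 10:38:36,068 INFO    nexpose_setup:34 - Executing nexpose_setup.py
2016-05-25 10:38:36,368 INFO    nexpose_setup:34 - Executing nexpose_setup.py
this line is not a log record and is skipped by the parser
"""

# Lookup sub-directories as they appear in the "Save directories are:" log line (assumed layout).
LOOKUP_SUBDIRS = ["", "vuln_cim_lookups", "asset_cim_lookups"]
SETUP_MSG = "Executing nexpose_setup.py"


def parse_log(text):
    """Return one dict per well-formed log record; unparseable lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def check_lookups(lookups_dir):
    """Map each lookup directory to the number of non-empty *.csv files it holds."""
    result = {}
    for sub in LOOKUP_SUBDIRS:
        d = Path(lookups_dir) / sub
        key = sub or "."
        if d.is_dir():
            result[key] = sum(1 for p in d.glob("*.csv") if p.is_file() and p.stat().st_size > 0)
        else:
            result[key] = 0
    return result


def diagnose(log_text, lookups_dir):
    """Combine log evidence and lookup contents into a short list of findings."""
    events = parse_log(log_text)
    setup_runs = sum(1 for e in events if e["msg"] == SETUP_MSG)
    lookups = check_lookups(lookups_dir)
    findings = []
    if setup_runs > 1:
        findings.append(f"nexpose_setup.py executed {setup_runs} times in the excerpt")
    if sum(lookups.values()) == 0:
        # This is the symptom from the thread: setup keeps running but nothing is ever
        # written, which the thread traced to the Nexpose account lacking privileges.
        findings.append("no non-empty CSV files under the lookup directories: "
                        "no asset/vulnerability data was written; check the Nexpose account's privileges")
    return {"events": len(events), "setup_runs": setup_runs, "lookups": lookups, "findings": findings}


def build_sample_lookups(base):
    """Create a constructed lookup tree: one empty CSV (ignored) and one populated CSV."""
    base = Path(base)
    for sub in LOOKUP_SUBDIRS:
        (base / sub).mkdir(parents=True, exist_ok=True)
    (base / "assets.csv").write_text("")  # empty file: not counted as data
    (base / "vuln_cim_lookups" / "vulns.csv").write_text("asset,vuln_id\n10.0.0.5,example-id\n")


def demo(populate=True):
    """Run the diagnosis against the constructed excerpt and a temporary lookup tree.

    populate=False reproduces the thread's symptom (directories exist but hold no data)."""
    with tempfile.TemporaryDirectory() as tmp:
        if populate:
            build_sample_lookups(tmp)
        return diagnose(SAMPLE_LOG, tmp)


if __name__ == "__main__":
    for line in demo(populate=False)["findings"]:
        print("finding:", line)
```

On a real search head, point `diagnose()` at the actual rapid7.log and at `$SPLUNK_HOME/etc/apps/rapid7/lookups`; the "no non-empty CSV files" finding is the quick way to confirm that the app never got past setup, which is the state described in the question.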

att35
Builder

Hi windbishn,

Thanks for the response. It is working now. It seems that admin credentials are needed for it to be able to query the database correctly.

We changed the credentials to one with admin privileges, and now we can see queries being made (rapid7.log) and data is also getting populated. We try to keep admin accounts in the console to the bare minimum required, but it looks like there is no other option here, and I don't think there is any option to create a non-interactive admin account which cannot be used to log in to the UI but can still query the DB if needed.

Thanks,

~Abhi

0 Karma