Unable to see vulnerability and asset data in Rapid7 App for Splunk Enterprise

Hi,

We recently configured the Rapid7 App on a Search Head. The configuration is pointed to the Nexpose console IP on the default port of 3780. A non-admin user is used for the connection to Nexpose. This user has access to all sites/groups.

After letting the nexposesetup script run for some time, the only two items getting updated (slowly) in the dashboard are Total Assets & Total Vulnerabilities. The rest of the dashboard is blank. I noticed that under nexposesetup.conf the hostname field was still left at “localhost”, but changing that to the console IP did not make any difference.

The following is repeated in rapid7.log:

2016-05-25 10:00:00,675 INFO    nexpose_reports:65 - Platform is Linux or Mac
2016-05-25 10:00:00,675 INFO    nexpose_reports:70 - Splunk home is </opt/splunk>. Save directories are: </opt/splunk/etc/apps/rapid7/lookups/>, </opt/splunk/etc/apps/rapid7/lookups/vuln_cim_lookups/>, </opt/splunk/etc/apps/rapid7/lookups/asset_cim_lookups/>
2016-05-25 10:00:00,675 INFO    nexpose_reports:74 - Created save directory successfully!
2016-05-25 10:00:00,676 INFO    nexpose_reports:84 - Created vulnerability save directory successfully!
2016-05-25 10:00:00,676 INFO    nexpose_reports:94 - Created asset save directory successfully!
2016-05-25 10:00:01,379 INFO    nexpose_setup:34 - Executing nexpose_setup.py
2016-05-25 10:00:01,725 INFO    nexpose_setup:34 - Executing nexpose_setup.py
2016-05-25 10:00:02,188 INFO    nexpose_setup:34 - Executing nexpose_setup.py
2016-05-25 10:00:02,226 INFO    nexpose_reports:163 - Nexpose application enabled. Continuing...
2016-05-25 10:19:44,705 INFO    __init__:168 - Using default logging config file: /opt/splunk/etc/log.cfg
2016-05-25 10:19:44,709 INFO    __init__:206 - Setting logger=splunk level=INFO
2016-05-25 10:19:44,709 INFO    __init__:206 - Setting logger=splunk.appserver level=INFO
2016-05-25 10:19:44,709 INFO    __init__:206 - Setting logger=splunk.appserver.controllers level=INFO
2016-05-25 10:19:44,710 INFO    __init__:206 - Setting logger=splunk.appserver.controllers.proxy level=INFO
2016-05-25 10:19:44,710 INFO    __init__:206 - Setting logger=splunk.appserver.lib level=WARN
2016-05-25 10:19:44,711 INFO    __init__:206 - Setting logger=splunk.pdfgen level=INFO
2016-05-25 10:19:44,711 INFO    setup:29 - Executing setup.py
2016-05-25 10:38:36,068 INFO    nexpose_setup:34 - Executing nexpose_setup.py
2016-05-25 10:38:36,368 INFO    nexpose_setup:34 - Executing nexpose_setup.py
2016-05-25 10:38:36,704 INFO    nexpose_setup:34 - Executing nexpose_setup.py
2016-05-25 10:38:37,013 INFO    nexpose_setup:34 - Executing nexpose_setup.py
2016-05-25 10:38:37,412 INFO    nexpose_setup:34 - Executing nexpose_setup.py
2016-05-25 10:38:37,865 INFO    nexpose_setup:34 - Executing nexpose_setup.py

Any ideas on what I could have missed? Does this need an admin account on Nexpose?

Thanks,

~ Abhi


Re: Unable to see vulnerability and asset data in Rapid7 App for Splunk Enterprise

While I run Splunk on Windows, the output should be the same. Is there data in $SPLUNKHOME/etc/apps/rapid7/lookups?


Re: Unable to see vulnerability and asset data in Rapid7 App for Splunk Enterprise

Hi windbishn,

Thanks for the response. It is working now. It seems that admin credentials are needed for it to be able to query the database correctly.

We changed the credentials to one with admin privileges and now we could see queries being (rapid7.log) and data is also getting populated. We try to keep admin accounts in the console to the bare minimum required, but it looks like there is no other option here, and I don't think there is any option to create a non-interactive admin account, which cannot be used to log in to the UI but can still query the DB if needed.

Thanks,

~Abhi
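The thread's troubleshooting steps (is the hostname still the default, does the setup script keep running without ever writing lookups) as a small health check; this is an added example, not code from the Rapid7 App or from the posters. The sample log is constructed from the excerpt above, the `.csv` lookup-file assumption and the `conf_hostname` / `lookup_files` parameters are assumptions, and the "setup ran but nothing was saved" finding simply points at the cause the thread found (a non-admin Nexpose account).

```python
import re

# Constructed sample input in the shape of the rapid7.log excerpt in the question.
SAMPLE_LOG = """\
2016-05-25 10:00:00,675 INFO    nexpose_reports:70 - Splunk home is </opt/splunk>. Save directories are: </opt/splunk/etc/apps/rapid7/lookups/>, </opt/splunk/etc/apps/rapid7/lookups/vuln_cim_lookups/>, </opt/splunk/etc/apps/rapid7/lookups/asset_cim_lookups/>
2016-05-25 10:00:01,379 INFO    nexpose_setup:34 - Executing nexpose_setup.py
2016-05-25 10:00:01,725 INFO    nexpose_setup:34 - Executing nexpose_setup.py
2016-05-25 10:00:02,226 INFO    nexpose_reports:163 - Nexpose application enabled. Continuing...
"""

SETUP_RUN = "Executing nexpose_setup.py"
SAVE_DIRS = re.compile(r"Save directories are: (.*)$")


def parse_log(text):
    """Count setup-script runs and pull the lookup directories the app says it writes to."""
    runs, dirs = 0, []
    for line in text.splitlines():
        if SETUP_RUN in line:
            runs += 1
        m = SAVE_DIRS.search(line)
        if m:
            dirs = re.findall(r"<([^>]+)>", m.group(1))
    return runs, dirs


def diagnose(log_text, conf_hostname, lookup_files):
    """Return a list of findings.

    conf_hostname: the hostname value from nexposesetup.conf (assumed to be read by the caller).
    lookup_files: a listing of the lookups directory, e.g. os.listdir(path) on a real host.
    """
    runs, dirs = parse_log(log_text)
    findings = []
    if conf_hostname in ("localhost", "127.0.0.1"):
        findings.append("nexposesetup.conf hostname still points at localhost")
    # Assumption: the app writes its lookups as CSV files; no CSV after repeated
    # setup runs means no report data ever came back from the console.
    if runs and not any(f.endswith(".csv") for f in lookup_files):
        where = dirs[0] if dirs else "lookups/"
        findings.append(f"setup ran {runs} times but no lookup CSVs exist under {where}; "
                        "check the Nexpose account's privileges (admin was required in the thread)")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, "localhost", []):
        print("FINDING:", finding)
```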
