Troubleshooting with Nexpose Logs

Nexpose is the industry standard in Vulnerability Management, giving you the confidence you need to understand your ever-changing attack surface, focus on what matters, and create better security outcomes.

If you are a Nexpose user, you know how critical this tool is to your Information Security program. Nexpose is reliable, light to manage, and straightforward to install. Even so, issues will arise that require troubleshooting and investigation, and the logs are where that investigation starts.

Where are the Nexpose logs located?

The location of the logs depends on whether you are looking at a Nexpose Security Console or a Nexpose Scan Engine, on the operating system, and on the installation directory. With the default installation directories:

          Console                                    Scan Engine
Linux     /opt/rapid7/nexpose/nsc/logs/              /opt/rapid7/nexpose/nse/logs/
Windows   C:\Program Files\rapid7\nexpose\nsc\logs   C:\Program Files\rapid7\nexpose\nse\logs

Within the logs directories you will see the following files:

  • access.log
    • Requests for web interface resources
    • API calls, with the API version and the IP address of the API client
  • mem.log
    • Memory usage during scanning and reporting
    • Warnings and errors when memory runs short
  • auth.log
    • Log in and log off events
    • Account lockouts
  • nsc.log (Security Console)
    • System and application level event tracking
    • Updates, scheduling of operations, and communication issues with distributed Scan Engines
    • Good for tracking any Maintenance Mode activity
  • nse.log (Scan Engine)
    • Troubleshooting specific vulnerability checks
    • If a check produces an unexpected result, look here to see how the scan target was fingerprinted

Setting up the Logentries Agent

The best way to capture the logs from your console and scan engines is the Logentries agent, which supports both Linux and Windows.

For Linux servers, including Nexpose virtual appliances, the command below installs the agent. As with any install script fetched over the network, it is worth downloading the script first and reviewing it before running it with sudo:

wget https://raw.github.com/logentries/le/master/install/linux/logentries_install.sh && sudo bash logentries_install.sh

Once installed, use the le follow command to follow each log file you are interested in. For example, to follow the console's mem.log you would enter:

sudo le follow /opt/rapid7/nexpose/nsc/logs/mem.log

For Windows servers, download and install the latest agent from Logentries.
After the agent is installed, use AgentService.exe to follow each log file you are interested in. For example, to follow the console's mem.log you would enter:

AgentService.exe follow "C:\Program Files\rapid7\nexpose\nsc\logs\mem.log"

Always remember to restart the Logentries service after making changes to its configuration.

Analyzing the logs

For the purposes of this post, we will be exploring the following log files:

  1. mem.log
  2. nsc.log
  3. auth.log

mem.log

mem.log is the first place to start your investigation when you are experiencing performance issues with your console or scan engine(s). Executing scans and generating reports in the console can be very memory intensive. When memory utilization reaches 90%, a WARN level message is written to the log; if it climbs to 97.5%, an ERROR level message is written.

When troubleshooting an issue with your Nexpose systems, correlate the timestamps in mem.log with the timeframe in which the unexpected behavior occurred. Logentries makes it easy to aggregate mem.log from your console and all of your Scan Engines into a single pane of glass, so you can check every relevant log for the timeframe you are investigating in one place.

Ideally, you can act proactively to correct memory issues before they cause errors in your Nexpose environment. The best way to do this is to set up alerts so that you can be notified when memory usage is starting to get high before it becomes critical.

Below is an example basic alert configuration. It triggers when an [ERROR] message appears in mem.log, that is, when the 97.5% utilization threshold is crossed.

(Figure: Nexpose Memory Alert configuration)

If you would like to be notified sooner, change the pattern to [WARN] to be alerted when the 90% utilization threshold is crossed.
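The same threshold alerting, and the cross-host timestamp correlation described above, as an added offline example. This is not code from the Logentries post or from Rapid7; the "[LEVEL] Memory utilization NN.N%" line shape, the host names and the sample lines are all constructed for the example, since the post does not show a real mem.log line, so adjust LINE_RE to what your own mem.log actually writes.

```python
import re
from datetime import datetime, timedelta

# Thresholds stated in the post: WARN at 90% utilization, ERROR at 97.5%.
WARN_PCT = 90.0
ERROR_PCT = 97.5

# Constructed sample lines for a console and one distributed engine.
# The "[LEVEL] Memory utilization NN.N%" shape is an assumption for this
# example, not a documented mem.log format.
SAMPLE_MEM_LOG = {
    "console": [
        "2016-03-01T10:00:00 [INFO] Memory utilization 64.0% (heap 5.1 GB of 8.0 GB)",
        "2016-03-01T10:05:00 [WARN] Memory utilization 90.4% (heap 7.2 GB of 8.0 GB)",
        "2016-03-01T10:10:00 [ERROR] Memory utilization 97.8% (heap 7.8 GB of 8.0 GB)",
        "2016-03-01T10:15:00 [INFO] Memory utilization 71.3% (heap 5.7 GB of 8.0 GB)",
    ],
    "engine-01": [
        "2016-03-01T10:05:00 [INFO] Memory utilization 58.0% (heap 2.3 GB of 4.0 GB)",
        "2016-03-01T10:12:00 [WARN] Memory utilization 92.1% (heap 3.7 GB of 4.0 GB)",
    ],
}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \[(?P<level>[A-Z]+)\] "
    r"Memory utilization (?P<pct>\d+(?:\.\d+)?)%"
)


def parse_line(line):
    """Return (timestamp, level, percent), or None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
    return ts, m.group("level"), float(m.group("pct"))


def memory_alerts(logs, alert_at=WARN_PCT):
    """Every line at or above alert_at across all hosts, oldest first.

    The default fires at the WARN threshold, like changing the alert pattern
    to [WARN]; pass alert_at=ERROR_PCT to mirror the [ERROR]-only alert.
    """
    hits = []
    for host, lines in logs.items():
        for line in lines:
            parsed = parse_line(line)
            if parsed and parsed[2] >= alert_at:
                ts, level, pct = parsed
                hits.append((host, ts, level, pct))
    return sorted(hits, key=lambda h: h[1])


def events_in_window(logs, incident_time, minutes=10):
    """Correlate: every host's mem.log lines within +/- minutes of the incident."""
    window = timedelta(minutes=minutes)
    events = []
    for host, lines in logs.items():
        for line in lines:
            parsed = parse_line(line)
            if parsed and abs(parsed[0] - incident_time) <= window:
                events.append((host,) + parsed)
    return sorted(events, key=lambda e: e[1])


if __name__ == "__main__":
    for host, ts, level, pct in memory_alerts(SAMPLE_MEM_LOG):
        print(f"{ts:%Y-%m-%d %H:%M} {host:10} [{level}] {pct:.1f}%")
```

The percentage, not the level tag, drives the alert, so a line that reports high utilization without the expected level still fires; the level is carried along only for reporting. events_in_window is the "single pane of glass" step: given the time a scan stalled, it returns what every console and engine logged around that moment.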

nsc.log

The Nexpose Security Console (nsc) log contains information vital to the operation of your Nexpose system. The messages in this log vary in content and severity. You will see many INFO level events recording actions taken in the console, as well as any recent update attempts and communication issues. This data is essential for activity audits and for answering "What the heck changed?" when troubleshooting a new issue.

Although the INFO level events should be collected and securely stored for compliance and troubleshooting reasons, the most interesting entries in nsc.log are usually at the WARN or ERROR level.

The example RegEx query below returns the most commonly occurring ERROR level messages, giving your investigation a direction. The \d{2} matches the last two digits of the timestamp that precedes the level tag, so the pattern only matches the log's own level field and not an "[ERROR]" string inside a message body; the named group captures the message text for groupby():

where(/\d{2} \[ERROR\] (?P<errormsg>.*)/) groupby(errormsg) sort(desc)

(Figure: Nexpose NSC top errors)
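The same where / groupby / sort(desc) query, as an added example that runs offline against a file you already have on disk. This is not code from the Logentries post; the sample nsc.log lines are constructed and only the timestamp-then-level-tag shape is taken from the post's own pattern. It goes one step beyond the post with an optional normalization that collapses numbers, so the same failure against several engines or report ids groups as one line.

```python
import re
from collections import Counter

# Constructed nsc.log-style lines (timestamp, level, message); not real output.
SAMPLE_NSC_LOG = [
    "2016-03-01T09:00:01 [INFO] [Thread: Security Console] Security Console started",
    "2016-03-01T09:05:12 [ERROR] Failed to connect to scan engine engine-01: connection refused",
    "2016-03-01T09:06:12 [ERROR] Failed to connect to scan engine engine-01: connection refused",
    "2016-03-01T09:07:12 [ERROR] Failed to connect to scan engine engine-01: connection refused",
    "2016-03-01T09:30:00 [WARN] Update check skipped: update server unreachable",
    "2016-03-01T10:00:00 [ERROR] Report generation failed for report id 42: out of memory",
    "2016-03-01T11:00:00 [ERROR] Failed to connect to scan engine engine-02: connection refused",
    "2016-03-01T11:30:00 [WARN] Update check skipped: update server unreachable",
]


def level_pattern(level):
    r"""The post's Logentries pattern with Python's (?P<name>) group syntax.

    \d{2} anchors on the last two digits of the timestamp, so the level tag is
    matched only where the log writes it, not inside a message body.
    """
    return re.compile(r"\d{2} \[%s\] (?P<msg>.*)" % re.escape(level))


def normalize(msg):
    """Collapse digit runs so messages that differ only in an id or host
    number group together (engine-01 and engine-02 both become engine-#)."""
    return re.sub(r"\d+", "#", msg)


def top_messages(lines, level="ERROR", limit=5, collapse_numbers=False):
    """where(...) groupby(msg) sort(desc): [(message, count)], most frequent first."""
    pattern = level_pattern(level)
    counts = Counter()
    for line in lines:
        m = pattern.search(line)
        if m:
            msg = m.group("msg")
            counts[normalize(msg) if collapse_numbers else msg] += 1
    return counts.most_common(limit)


if __name__ == "__main__":
    for msg, n in top_messages(SAMPLE_NSC_LOG, collapse_numbers=True):
        print(f"{n:5d}  {msg}")
```

Run it with level="WARN" for the warning view, and against a real file with `top_messages(open(path, encoding="utf-8", errors="replace"))`, since the function only needs an iterable of lines.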

auth.log

auth.log records every log in and log off event and, most importantly, every failed log in attempt.

A simple search for Authentication failed returns all of the failed log in events for review.

Adding calculate(count) shows the failed attempts over time, so a spike stands out:
where(Authentication failed) calculate(count)
(Figure: Nexpose Failed Login Attempts Over Time)

This is an excellent use case for Logentries' Anomaly Alerts, which notify you when the number of failed log in attempts rises above the baseline you have established.

Finally, you can combine RegEx with groupby(), as demonstrated above, to list the users who mistype their password most often. It might be time to request a new keyboard for them, or to reset their password. Keep in mind that one account failing repeatedly from an unfamiliar address is a different conversation from a user fumbling their own password, so check the source as well as the user. Try this query in your account:
where(/authenticate user (?P<user>\w+) from/) groupby(user)
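The three auth.log queries above (the count over time, the spike alert and the per-user groupby), as one added offline example. This is not code from the Logentries post; the sample auth.log lines are constructed and their wording is an assumption, since the post only shows that a failed attempt contains "authenticate user <name> from". The spike check is a deliberately simple stand-in for the Anomaly Alert baseline, and the per-source grouping is added beyond the post so a single address hitting one account is visible next to the per-user view.

```python
import re
from collections import Counter

# Constructed auth.log-style lines; the message wording is an assumption for
# this example, not documented Nexpose output.
SAMPLE_AUTH_LOG = [
    "2016-03-01T08:00:10 [INFO] User jdoe logged in from 10.0.0.5",
    "2016-03-01T08:15:00 [WARN] Authentication failed: could not authenticate user jdoe from 10.0.0.5",
    "2016-03-01T09:20:00 [WARN] Authentication failed: could not authenticate user asmith from 10.0.0.9",
    "2016-03-01T10:01:00 [WARN] Authentication failed: could not authenticate user admin from 203.0.113.7",
    "2016-03-01T10:01:05 [WARN] Authentication failed: could not authenticate user admin from 203.0.113.7",
    "2016-03-01T10:01:11 [WARN] Authentication failed: could not authenticate user admin from 203.0.113.7",
    "2016-03-01T10:01:16 [WARN] Authentication failed: could not authenticate user admin from 203.0.113.7",
    "2016-03-01T10:01:22 [WARN] Authentication failed: could not authenticate user admin from 203.0.113.7",
    "2016-03-01T10:40:00 [WARN] Authentication failed: could not authenticate user jdoe from 10.0.0.5",
    "2016-03-01T10:41:00 [INFO] User jdoe logged in from 10.0.0.5",
    "2016-03-01T10:59:00 [INFO] User jdoe logged out",
]

FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \[\w+\] Authentication failed: "
    r".*authenticate user (?P<user>\w+) from (?P<ip>\S+)"
)


def failed_logins(lines):
    """[(timestamp, user, ip)] for every 'Authentication failed' line."""
    hits = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            hits.append((m.group("ts"), m.group("user"), m.group("ip")))
    return hits


def failures_per_hour(lines):
    """calculate(count) over time: [(hour bucket, failed attempts)], oldest first."""
    counts = Counter(ts[:13] for ts, _, _ in failed_logins(lines))  # "YYYY-MM-DDTHH"
    return sorted(counts.items())


def spike_hours(lines, factor=3.0, min_count=5):
    """Hours whose failure count is both >= min_count and > factor times the
    mean of all earlier hours: a simple stand-in for an anomaly alert baseline."""
    spikes, history = [], []
    for hour, count in failures_per_hour(lines):
        if history:
            baseline = sum(history) / len(history)
            if count >= min_count and count > factor * baseline:
                spikes.append(hour)
        history.append(count)
    return spikes


def failures_by_user(lines):
    """groupby(user): [(user, count)], most frequent first."""
    return Counter(user for _, user, _ in failed_logins(lines)).most_common()


def failures_by_source(lines):
    """groupby(ip): the same idea keyed by client address, to separate one user
    mistyping a password from one address hammering an account."""
    return Counter(ip for _, _, ip in failed_logins(lines)).most_common()


if __name__ == "__main__":
    print("per hour:", failures_per_hour(SAMPLE_AUTH_LOG))
    print("spikes:  ", spike_hours(SAMPLE_AUTH_LOG))
    print("by user: ", failures_by_user(SAMPLE_AUTH_LOG))
    print("by ip:   ", failures_by_source(SAMPLE_AUTH_LOG))
```

Note that failures_per_hour only produces buckets for hours that had at least one failure, so quiet hours do not pull the baseline down; min_count is there so that going from one failure to four is not reported as a spike.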

Get started

To meet your compliance requirements and ease your troubleshooting, send your Nexpose logs to a secure central location in real time. Shipping each line as it is written keeps a copy beyond the reach of anyone who later gains access to the console or engine host, so the logs remain unaltered and easy to review.

You can create a free Logentries account in less than 5 minutes and start capturing your Nexpose log data immediately.

Posted in How To, Log Analysis
