Metasploit is a vulnerability/penetration scanner made by Rapid7. Metasploit has a large set of high-quality vulnerability and exploit-detecting plug-ins. The System Monitor Agent can import Metasploit scan reports and convert them into LogRhythm logs.
- Each time a Metasploit report is run by the Agent, it will note the same vulnerabilities, services, and compromises as the previous report, assuming no changes have been made to the scanned hosts. For example, if a host is scanned on Monday and 10 vulnerabilities are found, the Agent will log those 10 vulnerabilities. If the same host is scanned on Tuesday and no changes have been performed on the host, then the same 10 vulnerabilities will be logged again. This is acceptable, as the scan represents the current state of the host.
- The Agent will support one Metasploit server per message source and configuration file.
- The Agent will download reports for all projects within the Metasploit server.
This document instructs you how to configure collection of Metasploit vulnerability data via the LogRhythm System Monitor Agent.
LogRhythm only supports the Pro version of Metasploit, up to and including 4.13.0. Community versions are not supported.
The collection mechanism used by the Agent references a local configuration file and uses state tracking to retain the last log read from the scanner, so that each run resumes where the previous one stopped. The following information is required for this process to function properly and should be gathered before configuring collection:
- The Metasploit server connection information that will be accessed and collected by the Agent.
- The LogRhythm System Monitor Agent used to collect the audit data from the Metasploit server.
Configure the metasploit.ini File
The Metasploit interface is configured using an .ini file in the config folder of the Agent (typically C:\Program Files\LogRhythm\LogRhythm System Monitor\config\metasploit.ini). The following settings are specified in that file:
- Host name or IP address of the Metasploit server.
- TCP port of the Metasploit XML server.
- API user name for the Metasploit server.
- Password for the Metasploit server. The password must be encrypted using the lrcrypt command line utility. Usage: lrcrypt [-e passwordtoencrypt] [path\inifile]. See LogRhythm Password Encryption for more information on how to use the LogRhythm Encryption Utility.
- Days of the week to query the Metasploit server. Set each day to true/false. If all days are set to true, the server is queried every day; if only one day is set to true, the server is queried once per week.
- The local time of day to query the server. Both 12-hour and 24-hour time formats are recognized. For the 12-hour format, there is no space before AM/PM.
- If the API needs to be queried when the System Monitor is started, the Agent waits this many seconds before running. The valid range for this value is 0-300.
- If true, the System Monitor logs the services it discovers to be running on a host.
- The timeout (in seconds) to use when requesting data from the Metasploit server. The valid range for this value is 0-300 (0 = infinite).
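As an added example (not LogRhythm's own code), the following Python checker enforces the constraints listed above on a metasploit.ini before it is deployed: at least one query day set to true, a query time in 24-hour or space-free 12-hour form, and the 0-300 second ranges. The section and key names (Metasploit, Host, Port, User, Password, QueryTime, StartupDelay, Timeout, and the day names) are assumptions, since the page does not list the real ones, and the sample file is constructed.

```python
import configparser
from datetime import datetime

# Hypothetical section/key names: the page does not list the real metasploit.ini keys.
SECTION = "Metasploit"
DAYS = ("Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday")

# Constructed sample file; the password value stands in for lrcrypt output.
SAMPLE_INI = """[Metasploit]
Host = msf.example.internal
Port = 3790
User = api_user
Password = <lrcrypt-encrypted value>
Monday = true
Tuesday = true
Wednesday = true
Thursday = true
Friday = true
QueryTime = 2:30AM
StartupDelay = 60
Timeout = 120
"""

def parse_query_time(value):
    """Return a time for 24-hour 'HH:MM' or 12-hour 'h:MMAM' input, else None ('2:30 AM' is rejected)."""
    for fmt in ("%H:%M", "%I:%M%p"):
        try:
            return datetime.strptime(value.strip(), fmt).time()
        except ValueError:
            continue
    return None

def validate(ini_text):
    """Check the documented constraints; return the problems found and how many days per week are queried."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    s = cfg[SECTION]
    problems = []
    for key in ("Host", "Port", "User", "Password"):
        if not s.get(key, "").strip():
            problems.append(f"{key} is empty")
    active_days = [d for d in DAYS if s.getboolean(d, fallback=False)]
    if not active_days:
        problems.append("no query day is set to true")
    if parse_query_time(s.get("QueryTime", "")) is None:
        problems.append("QueryTime is not a recognized 12-hour or 24-hour time")
    for key in ("StartupDelay", "Timeout"):  # both documented as 0-300 seconds
        if not 0 <= s.getint(key, fallback=-1) <= 300:
            problems.append(f"{key} must be 0-300")
    return {"problems": problems, "queries_per_week": len(active_days)}
```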
After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. A LogRhythm System Monitor Pro Agent must be used to collect Metasploit logs. The Metasploit server whose data is being collected must be accessible from the host running the Agent.
Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.
The name of the log message source is API - Metasploit Penetration Scanner. In addition, when configuring this log source:
- For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
- On the Flat File Settings tab, enter the following:
- File Path. <path to log file, including the file name and extension>