API - NeXpose Vulnerability Scanner
Nexpose is a vulnerability scanner made by Rapid7 which has a large set of high-quality vulnerability and exploit-detecting plug-ins. The System Monitor can import Nexpose scan reports and convert them into LogRhythm logs.
Please note the following details about collecting Nexpose data:
- Each time a Nexpose report is run by the System Monitor, it will get the same vulnerabilities and service vulnerabilities as the previous report, assuming no changes have been made to the scanned hosts. For example, if a host is scanned on Monday and 10 vulnerabilities are found, the System Monitor will log those 10 vulnerabilities. If the same host is scanned on Tuesday and no changes have been performed on the host, then the same 10 vulnerabilities will be logged again. This is acceptable, as the scan represents the current state of the host.
- The System Monitor supports one Nexpose server per message source and configuration file.
- The System Monitor downloads reports for all projects within the Nexpose server.
LogRhythm supports only the Pro versions of Nexpose, up to and including Nexpose 6.4.51. Nexpose community versions are not supported.
Prerequisites
The following prerequisites apply to the Nexpose server and the connection between Nexpose and LogRhythm System Monitor being used for collection.
The System Monitor collecting Nexpose data references a local configuration file and uses state tracking to maintain the last log read from the scanner. To ensure the collection performs as expected, perform the following before you start to configure collection:
- Gather connection details for the Nexpose server where the System Monitor will collect scan data.
- Gather details of the System Monitor that will collect data from Nexpose.
- Ensure that you have enabled the Nexpose API on the Nexpose server.
Configure the nexpose.ini File
Configure LogRhythm's Nexpose interface by modifying nexpose.ini, located by default in C:\Program Files\LogRhythm\LogRhythm System Monitor\config. The file contains the following settings:
Setting | Default Value | Description |
---|---|---|
NexposeHost | CHANGE_THIS | Host name or IP address of Nexpose server. |
NexposeXMLServerPort | 3780 | The TCP port on the Nexpose server where the API is listening for requests. |
UserName | CHANGE_THIS | The user name to send for connecting to the Nexpose API. |
Password | CHANGE_THIS | The password to send for connecting to the Nexpose API. The password must be encrypted using the lrcrypt command line utility. Usage: lrcrypt [-e passwordtoencrypt] [path\inifile]. See LogRhythm Password Encryption for more information on how to use the LogRhythm Encryption Utility. |
Monday..Sunday | Monday=true Tuesday=false Wednesday=false Thursday=false Friday=false Saturday=false Sunday=false | The days of the week when the System Monitor should query the Nexpose server for scan data. To query the server on a specific day, set the value for that day to true. The server will not be queried on a day that is set to false. |
Time | Time=01:00AM | The local time of day when the System Monitor should query the Nexpose server for scan data. You can use 12-hour or 24-hour formats (for example, 11:00PM or 23:00). For 12-hour format, do not use spaces before AM or PM. |
StartupDelayInSeconds | 60 | The amount of time after starting, in seconds, that the System Monitor should wait before it queries the Nexpose server for scan data. The valid range for this value is 0–300 (0=infinite). |
IncludeServices | false | If true, the System Monitor will log the services it discovers to be running on the Nexpose server. |
Timeout | 100 | The amount of time, in seconds, that the System Monitor should wait to receive Nexpose data before timing out. The valid range for this value is 0–300. If you set this value to 0, the System Monitor will never time out the attempt. |
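
The checks below are an added example, not LogRhythm code: a pre-deployment lint that applies the constraints from the table above to the contents of nexpose.ini. It assumes the file holds plain key=value lines (section headers and lines starting with # or ; are skipped), and it cannot tell whether the Password value was produced by lrcrypt, only that the placeholder was replaced.

```python
import re

DAYS = ("Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday")
# 12-hour form without a space before AM/PM (11:00PM) or 24-hour form (23:00).
TIME_RE = re.compile(r"^(?:(0?[1-9]|1[0-2]):[0-5]\d(AM|PM)|([01]?\d|2[0-3]):[0-5]\d)$")

def parse_settings(text):
    """Collect key=value lines; blank, comment and [section] lines are skipped (assumed layout)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def in_range(value, low, high):
    return value.isdigit() and low <= int(value) <= high

def check_settings(settings):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for key in ("NexposeHost", "UserName", "Password"):
        if settings.get(key, "CHANGE_THIS") in ("", "CHANGE_THIS"):
            findings.append(f"{key}: still unset or CHANGE_THIS")
    if not in_range(settings.get("NexposeXMLServerPort", ""), 1, 65535):
        findings.append("NexposeXMLServerPort: not a valid TCP port")
    for key in ("StartupDelayInSeconds", "Timeout"):
        if not in_range(settings.get(key, ""), 0, 300):
            findings.append(f"{key}: outside the valid range 0-300")
    if settings.get("Timeout") == "0":
        findings.append("Timeout: 0 means the attempt never times out")
    if not TIME_RE.match(settings.get("Time", "")):
        findings.append("Time: use 01:00AM or 23:00 style, no space before AM/PM")
    if not any(settings.get(day, "").lower() == "true" for day in DAYS):
        findings.append("Days: no day is set to true, so the server is never queried")
    return findings

# Constructed sample: placeholders left in place, a spaced time and no day enabled.
SAMPLE = """\
NexposeHost=CHANGE_THIS
NexposeXMLServerPort=3780
UserName=lr_collector
Password=CHANGE_THIS
Time=11:00 PM
StartupDelayInSeconds=60
Timeout=0
"""
```

Calling check_settings(parse_settings(SAMPLE)) returns five findings for the constructed sample; a file that passes returns an empty list.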
After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. You need a System Monitor to collect Nexpose logs, and the host running the LogRhythm System Monitor must have network access to the Nexpose server.
Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.
The name of the log message source is API - Nexpose Vulnerability Scanner. In addition, when configuring this log source:
- For Log Message Processing Mode, select MPE Processing Enabled, Event Forwarding Enabled.
- For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
- On the Flat File Settings tab, enter the following:
  - File Path. <path to log file, including the file name and extension>