
NeXpose Troubleshooting – Grepin’ Logs

As much as I would love to say NeXpose never has issues, the reality is, it’s software. In many cases NeXpose will encounter an unfavorable response from a target or a peer will drop the connection when being probed. While trying to isolate errors, the ability to search through multiple logs at the same time is priceless. [Enters] grep!

I’ve outlined a number of key search phrases that can be used to isolate specific issues.

I recommend the below command to pipe the search findings to a text file for review. If you would just like the output of the search printed to your screen, then replace “ > out.txt” with “| less”. After going into the appropriate log folder (mentioned in my 1/13/10 post) the below string can be used:

grep [search term] ./[log directory]/ns* > out.txt

**Keep in mind that Linux is case sensitive**

  • Identify where external/remote scanning starts:

“Connecting to NSE”

  • Identify where a local scan starts

“Scan started”

  • Policy issues:

“nexpose is running as”

  • Serial Number  *This search is used in the NSC log

“AutoUpdate”

  • Fingerprint

“Starting fingerprinting”

  • Finished scan *The search is used in the NSE log

“Completed in”

  • Remote Engine Issues *This command is used in the NSC log

“Failure communicating with NSE”

  • Memory Error *This search is used in the NSE log

“OutOfMemoryError”

  • Java Heap Space Error

“Java heap space”

  • GC Memory Error

“GC overhead limit exceeded”

  • Find if scan stopped or started

a)  “(userID)” – find the specific user that started or stopped the scanner

b)  “<>” –  find if a scan was stopped or started

  • Beginning of Scan Configuration *This command is used in the NSC log (helpful to find the list of sites)

“Scan configs” – This can be used to find where the config ids start. You should begin reading from Using it with grep will show the beginning of the scan configuration. It’s better to search for it in a program like notepad++ where we can begin to view the ids themselves after it.

  • Search config Site by site

“Site:”

  • IPs in a site

“range from=”

  • Starting Scan *This command is used in the NSC log

“job JobID”

  • Scan Stopped

“stopped:”

  • Look for connection to remote engines

“Updating remote scan engines”

  • Look for recent successful connection to host

“Scan engine is current”

  • Find complete scans

“completed in”

  • If engine is shutdown

“stopped: Scan Engine Shutdown”

  • Web service shutting down *This command is used in the NSC log

“HTTPServerMain shutting down…”

  • Null Pointer

“NullPointerException”

  • Update issue *The search is used in the NSE log

“FAILURE =>”

  • Alert delivery failure

“Failed to deliver”

  • Export issue

“Generating report: Database Export”
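
The error phrases listed above can be swept in a single pass instead of one grep at a time. The script below is an added example, not part of the original post: the labels, the sample log lines and the file names nsc.log / nse.log are constructed assumptions, while the phrases are copied from the list above.

```shell
#!/bin/sh
# Added example (not from the original post): sweep every ns* log in a
# directory for several of the error phrases above and count hits per phrase.

# label|phrase pairs; phrases are copied from the list above, labels are made up.
PHRASES='memory|OutOfMemoryError
heap|Java heap space
gc|GC overhead limit exceeded
engine-comm|Failure communicating with NSE
null-pointer|NullPointerException
update|FAILURE =>
alert|Failed to deliver'

# count_hits DIR PHRASE: number of lines in DIR/ns* containing PHRASE.
# -F matches the phrase literally (no regex), -h drops filename prefixes,
# "--" stops option parsing. The match is case sensitive, like plain grep.
count_hits() {
    { grep -F -h -- "$2" "$1"/ns* 2>/dev/null || true; } | wc -l | tr -d ' '
}

# triage DIR: print "label count" for every phrase that appears at least once.
triage() {
    printf '%s\n' "$PHRASES" | while IFS='|' read -r label phrase; do
        n=$(count_hits "$1" "$phrase")
        if [ "$n" -gt 0 ]; then printf '%s %s\n' "$label" "$n"; fi
    done
}

# make_sample_logs DIR: write constructed log lines (the line layout and the
# file names nsc.log / nse.log are assumptions, not real NeXpose output).
make_sample_logs() {
    mkdir -p "$1"
    cat > "$1/nsc.log" <<'EOF'
2010-01-20 10:00:01 Updating remote scan engines
2010-01-20 10:00:05 Failure communicating with NSE at engine-1
2010-01-20 10:07:12 Failed to deliver alert to admin
EOF
    cat > "$1/nse.log" <<'EOF'
2010-01-20 10:01:00 Scan started
2010-01-20 10:03:40 java.lang.OutOfMemoryError: Java heap space
2010-01-20 10:03:41 java.lang.OutOfMemoryError: GC overhead limit exceeded
2010-01-20 10:09:00 Completed in 8 minutes
EOF
}

# Demo: build the constructed logs in a temp dir, run the sweep, clean up.
demo_dir=$(mktemp -d)
make_sample_logs "$demo_dir"
triage "$demo_dir"
rm -rf "$demo_dir"
```

To run it against real logs, call `triage` with the log directory in place of the temp dir.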