Last updated at Wed, 27 Sep 2017 20:48:52 GMT
Introduction
Nexpose logs messages for tasks that the system has performed as well as events that occurred as a result of those tasks. The messages vary with respect to the features in the product such as users logging into Nexpose successfully, launching a scan for a site, or generating a report. The log files are helpful in understanding what Nexpose has already done. In the latest release, Nexpose 5.2, we have introduced a number of enhancements to the log files such as reducing disk usage and improving usability. Below is a summary of the changes as well as instructions on how to use the new features.
File name and location changes
Prior to this update, log files were located in different directories within a Nexpose installation. Now, all log files are located in the nsc/logs directory for Security Consoles and the nse/logs directory for distributed Scan Engines. Some log files were renamed for consistency. The um_log file has been renamed to auth.log and the access_log file has been renamed to access.log. The file tomcat.log is no longer used; messages previously logged there are now logged in nsc.log for Security Consoles and nse.log for distributed Scan Engines.
Archiving of log files
Log files have a maximum file size limit. On reaching that limit, they are archived and renamed with a number at the end. The numbers appended to the file names range from 0 to 9, so there can be no more than 10 archives for each log file. Examples of the newest and oldest archives for the nsc.log file are:
nsc.log.gz.0
nsc.log.gz.9
When a new log file is archived, the oldest archive file is discarded, and the number for the remaining archive files is incremented by one.
Log message levels
All log messages have a severity level, which is based on the context of the message. Here is a summary of the different severity levels.
Level | Definition | Examples |
---|---|---|
ERROR | An abnormal event that prevents successful execution of system processes and can prevent a user operation, such as scanning. | Failure to connect to the database. |
WARN | An abnormal event that prevents successful execution of system processes but does not completely prevent a user operation, such as scanning. | Disruption in communication with a remote Scan Engine. |
INFO | A normal, expected event that is noteworthy for providing useful information about system activity. | Attempts to establish connections with remote Scan Engines. |
DEBUG | A normal, expected event that need not be viewed except for debugging purposes. | Messages identifying which operations within the Console-Engine protocol are being executed. |
New format in log files
The messages are largely unchanged, but the header has been improved to make searching easier. The severity levels are now part of the header, and we have replaced the facility label (found at the beginning of the header) with the name of the Java thread. These changes are to help Technical Support understand what is happening in the system. The new header format is as follows:
“%date{yyyy-MM-dd'T'HH:mm:ss,GMT} [%level] [Thread: %thread] %msg%n”
Here is an example of a log message in the old format:
NSC 2012-01-05T20:36:17 Browse to https://localhost:3780/
Here is an example of a log message in the new format:
2011-12-21T20:03:19 [INFO] [Thread: Security Console] Security Console web interface ready. Browse to https://localhost:3780/
Local time zone displayed in standard output
Log messages display a timestamp. For messages inside log files, the time zone is Greenwich Mean Time (GMT). For messages logged to standard output, the time zone is the one local to the Security Console or distributed Scan Engine.
Enhanced logging configurations
Previously, Nexpose supported verbose logging for displaying additional information. Nexpose now supports more granular control of log levels. You can now configure the logging based on the severity levels of the log message. To configure the log files, open the user-log-settings.xml file located in nsc/conf for Security Consoles and nse/conf for Scan Engines. There are four log files that can be configured. In order to configure a log file you must define an XML element like this:
<property name=" " value=" "/>
The name attribute identifies the log file that will be configured. Below is a table mapping a name to a log file:
Name | Log file |
---|---|
default-level | nsc.log |
auth-level | auth.log |
access-level | access.log |
memory-level | mem.log |
The value attribute specifies the severity level. The accepted values are: DEBUG, INFO, WARN, and ERROR.
Here is an example where the nsc.log file logs at the WARN severity level and the access.log file logs at the DEBUG severity level.
<included>
<property name="default-level" value="WARN"/>
<property name="access-level" value="DEBUG"/>
</included>
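A lint for this file, as an added example that is not Rapid7's code: it checks each property against the name table and accepted values above, and flags an access-level above INFO, since the page states that API requests are logged at INFO. The function name `lint_settings` and the sample document are constructed for illustration, and exact-match checking of names and values is an assumption.

```python
import xml.etree.ElementTree as ET

# Name -> log file mapping and accepted values, both taken from the page.
LOG_FILES = {"default-level": "nsc.log", "auth-level": "auth.log",
             "access-level": "access.log", "memory-level": "mem.log"}
LEVELS = ["DEBUG", "INFO", "WARN", "ERROR"]  # least to most severe

# Constructed sample: padded name, unaccepted value, and access.log above INFO.
SAMPLE = """<included>
<property name="default-level " value="WARN"/>
<property name="auth-level" value="WARNING"/>
<property name="access-level" value="ERROR"/>
<property name="memory-level" value="DEBUG"/>
</included>"""


def lint_settings(xml_text):
    """Return (written, problems): levels each log file records, and findings."""
    written, problems = {}, []
    root = ET.fromstring(xml_text)
    if root.tag != "included":
        problems.append(f"root element is <{root.tag}>, expected <included>")
    for prop in root.iter("property"):
        name, value = prop.get("name", ""), prop.get("value", "")
        if name not in LOG_FILES:
            problems.append(f"unknown name {name!r}")
        elif value not in LEVELS:
            problems.append(f"{name}: {value!r} is not an accepted value")
        elif LOG_FILES[name] in written:
            problems.append(f"{name}: configured more than once")
        else:
            # A level acts as a threshold: it and every more severe level are written.
            written[LOG_FILES[name]] = LEVELS[LEVELS.index(value):]
    # API requests are logged at INFO, so a higher access-level hides them.
    # If access-level is not set, the default is unknown here and nothing is flagged.
    if "INFO" not in written.get("access.log", LEVELS):
        problems.append("access-level: API requests (INFO) will not be logged")
    return written, problems
```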
Nexpose API testing and the access.log file
The access.log file contains a few enhancements that should help in debugging users' scripts. All API requests are now logged in access.log instead of nsc.log. When access.log is configured at the INFO severity level, Nexpose will log API requests. This way users can see the requests logged without having to lower the logging level in logging.xml. We are also logging the client's IP address and the API version in the log message. Here is an example of an API client accessing the SiteListing command:
2012-02-03T16:22:00 [INFO] [Thread: /api/1.1/xml Request Handler] Processing LoginRequest from 127.0.0.1.
2012-02-03T16:22:00 [INFO] [Thread: /api/1.1/xml Request Handler] Processing SiteListingRequest from 127.0.0.1.
When access.log is configured at the DEBUG level, Nexpose will log the request and response messages. Below is an example where Nexpose logs the request and response messages for the SiteListing command:
2012-02-03T19:32:43 [DEBUG] [Thread: /api/1.1/xml Request Handler] Executing 1.1 xml API call.
2012-02-03T19:32:43 [INFO] [Thread: /api/1.1/xml Request Handler] Processing SiteListingRequest from 127.0.0.1.
2012-02-03T19:32:43 [DEBUG] [Thread: XML API SiteListingRequest] Completed xml API call in 0 seconds.
2012-02-03T19:32:43 [DEBUG] [Thread: XML API SiteListingRequest] Response: <SiteListingResponse success="1">
<SiteSummary id="1" name="Test Site" description="" riskfactor="1.0" riskscore="87654.321"/>
</SiteListingResponse>
Additional changes
- Scan events are no longer displayed in command prompts for Windows installations and shell sessions for Linux installations.
- Spelling and grammatical errors in our log messages have been corrected. If you are currently searching for a message that contains either spelling or grammatical errors, then you may have to update your search patterns.