Introduction

Nexpose logs messages for tasks that the system has performed as well as events that occurred as a result of those tasks. The messages vary by product feature and cover events such as users logging in to Nexpose successfully, launching a scan for a site, or generating a report. The log files are helpful in understanding what Nexpose has already done. In the latest release, Nexpose 5.2, we have introduced a number of enhancements to the log files, such as reducing disk usage and improving usability. Below is a summary of the changes as well as instructions on how to use the new features.

File name and location changes

Prior to this update, log files were located in different directories within a Nexpose installation. Now, all log files are located in the nsc/logs directory for Security Consoles and nse/logs for distributed Scan Engines. Some log files were renamed for consistency. The um_log file has been renamed to auth.log and the access_log has been renamed to access.log. The file tomcat.log is no longer used; messages previously logged there are now logged in nsc.log for Security Consoles and nse.log for distributed Scan Engines.

Archiving of log files

Log files have a maximum file size limit. On reaching that limit, they are archived and renamed with a number at the end. The numbers appended at the end of each file range from 0 to 9. There can be no more than 10 archives for each log file. Examples of the newest and oldest archives for the nsc.log file are:

nsc.log.gz.0 
nsc.log.gz.9

When a new log file is archived, the oldest archive file is discarded, and the number for the remaining archive files is incremented by one.

Log message levels

All log messages have a severity level, which is based on the context of the message. Here is a summary of the different severity levels.

Level | Definition | Examples
ERROR | An abnormal event that prevents successful execution of system processes and can prevent a user operation, such as scanning. | Failure to connect to the database.
WARN | An abnormal event that prevents successful execution of system processes but does not completely prevent a user operation, such as scanning. | Disruption in communication with a remote Scan Engine.
INFO | A normal, expected event that is noteworthy for providing useful information about system activity. | Attempts to establish connections with remote Scan Engines.
DEBUG | A normal, expected event that need not be viewed except for debugging purposes. | Messages identifying which operation within the Console-Engine protocol is being executed.

New format in log files

The messages are largely unchanged, but the header has been improved to make searching easier. The severity levels are now part of the header, and we have replaced the facility label (found at the beginning of the header) with the name of the Java thread. These changes are to help Technical Support understand what is happening in the system. The new header format is as follows:

%date{yyyy-MM-dd'T'HH:mm:ss,GMT} [%level] [Thread: %thread] %msg%n

Here is an example of a log message in the old format:

NSC         2012-01-05T20:36:17 Browse to https://localhost:3780/ 

Here is an example of a log message in the new format:

2011-12-21T20:03:19 [INFO] [Thread: Security Console] Security Console web interface ready. Browse to https://localhost:3780/  

Local time zone displayed in standard output

Log messages display a timestamp. For messages inside log files, the time zone is Greenwich Mean Time (GMT). For messages logged to standard output, the time zone is the one local to the Security Console or distributed Scan Engine.

Enhanced logging configurations

Previously, Nexpose supported verbose logging for displaying additional information. Nexpose now supports more granular control of log levels. You can now configure the logging based on the severity levels of the log message. To configure the log files, open the user-log-settings.xml file located in nsc/conf for Security Consoles and nse/conf for Scan Engines. There are four log files that can be configured. In order to configure a log file you must define an XML element like this:

<property name=" " value=" "/>  

The name attribute identifies the log file that will be configured. Below is a table mapping a name to a log file:

Name Log file
default-level nsc.log
auth-level auth.log
access-level access.log
memory-level mem.log

The value attribute specifies the severity level. The accepted values are: DEBUG, INFO, WARN, and ERROR.

Here is an example where the nsc.log file logs at the WARN severity level and the access.log file logs at the DEBUG severity level.

<included>  
   <property name="default-level" value="WARN"/>  
   <property name="access-level" value="DEBUG"/>  
</included>  

Nexpose API testing and the access.log file

The access.log file contains a few enhancements that should help with debugging users' scripts. All API requests are now logged in access.log instead of nsc.log. When access.log is configured at the INFO severity level, Nexpose will log API requests. This way users can see the requests logged without having to lower the logging level in logging.xml. We are also logging the client's IP address and the API version in the log message. Here is an example of an API client accessing the SiteListing command:

2012-02-03T16:22:00 [INFO] [Thread: /api/1.1/xml Request Handler] Processing LoginRequest from 127.0.0.1.  
2012-02-03T16:22:00 [INFO] [Thread: /api/1.1/xml Request Handler] Processing SiteListingRequest from 127.0.0.1.  

When access.log is configured at the DEBUG level, Nexpose will log the request and response messages. Below is an example where Nexpose logs the request and response messages for the SiteListing command:

2012-02-03T19:32:43 [DEBUG] [Thread: /api/1.1/xml Request Handler] Executing 1.1 xml API call.  
2012-02-03T19:32:43 [INFO] [Thread: /api/1.1/xml Request Handler] Processing SiteListingRequest from 127.0.0.1.  
2012-02-03T19:32:43 [DEBUG] [Thread: XML API SiteListingRequest] Completed xml API call in 0 seconds.  
2012-02-03T19:32:43 [DEBUG] [Thread: XML API SiteListingRequest] Response: <SiteListingResponse success="1">  
<SiteSummary id="1" name="Test Site" description="" riskfactor="1.0" riskscore="87654.321"/>  
</SiteListingResponse>  
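
An added example, not part of the original post or of Nexpose itself: a Python parser for the new header format that folds multi-line responses into the preceding message and counts API requests per client IP, which is useful when reviewing who is calling the API. The function names are hypothetical, and the message pattern is assumed from the access.log excerpts above, which also serve as the sample input.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Header layout from the page: date [LEVEL] [Thread: name] message
HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"\[(?P<level>ERROR|WARN|INFO|DEBUG)\] "
    r"\[Thread: (?P<thread>[^\]]*)\] (?P<msg>.*)$"
)
# API request message as it appears in the page's access.log samples (assumed stable)
API_REQUEST = re.compile(r"^Processing (?P<request>\w+) from (?P<client>\S+?)\.$")

def parse_log(lines):
    """Return one dict per log message; a line without a header is a
    continuation (e.g. a multi-line XML response) of the previous message."""
    records = []
    for raw in lines:
        line = raw.rstrip()
        m = HEADER.match(line)
        if m:
            rec = m.groupdict()
            # Timestamps inside log files are GMT, so mark them as UTC
            rec["ts"] = datetime.strptime(
                rec["ts"], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
            records.append(rec)
        elif records and line:
            records[-1]["msg"] += "\n" + line
    return records

def api_requests_by_client(records):
    """Count (client IP, request type) pairs among INFO-level API messages."""
    counts = Counter()
    for rec in records:
        m = API_REQUEST.match(rec["msg"]) if rec["level"] == "INFO" else None
        if m:
            counts[(m["client"], m["request"])] += 1
    return counts

# Sample input: the access.log excerpts shown on this page
SAMPLE = """\
2012-02-03T16:22:00 [INFO] [Thread: /api/1.1/xml Request Handler] Processing LoginRequest from 127.0.0.1.
2012-02-03T16:22:00 [INFO] [Thread: /api/1.1/xml Request Handler] Processing SiteListingRequest from 127.0.0.1.
2012-02-03T19:32:43 [DEBUG] [Thread: /api/1.1/xml Request Handler] Executing 1.1 xml API call.
2012-02-03T19:32:43 [INFO] [Thread: /api/1.1/xml Request Handler] Processing SiteListingRequest from 127.0.0.1.
2012-02-03T19:32:43 [DEBUG] [Thread: XML API SiteListingRequest] Completed xml API call in 0 seconds.
2012-02-03T19:32:43 [DEBUG] [Thread: XML API SiteListingRequest] Response: <SiteListingResponse success="1">
<SiteSummary id="1" name="Test Site" description="" riskfactor="1.0" riskscore="87654.321"/>
</SiteListingResponse>
"""
```

Calling `api_requests_by_client(parse_log(SAMPLE.splitlines()))` gives the per-client request counts; passing an open access.log file object to `parse_log` works the same way.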

Additional changes

  • Scan events are no longer displayed in command prompts for Windows installations and shell sessions for Linux installations.
  • Spelling and grammatical errors in our log messages have been corrected. If you are currently searching for a message that contains either spelling or grammatical errors, then you may have to update your search patterns.