Issues with Qualys Technology Add-on (TA) 1.5.1 unable to fetch data

sayantabasak
Explorer

Hello All,

We are facing issues with our Qualys Technology Add-on (TA) 1.5.1, where it is unable to fetch any data (host detection/knowledge base) from the Cloud API.

ta_QualysCloudPlatform.log:
TA-QualysCloudPlatform: 2019-09-17 06:16:11 PID=18177 [MainThread] INFO: TA-QualysCloudPlatform (knowledge_base) - Making request: https://certs.qualys.eu/msp/about.php with params={}
TA-QualysCloudPlatform: 2019-09-17 06:21:11 PID=18177 [MainThread] INFO: TA-QualysCloudPlatform (knowledge_base) - Making request: https://certs.qualys.eu/msp/about.php with params={}

splunkd.log:
09-17-2019 06:26:12.124 +0200 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" INFO:TA-QualysCloudPlatform (knowledge_base):Making request: https://certs.qualys.eu/msp/about.php with params={}
09-17-2019 06:31:12.156 +0200 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" INFO:TA-QualysCloudPlatform (knowledge_base):Making request: https://certs.qualys.eu/msp/about.php with params={}

Configuration:
Qualys TA has been installed on both the search head and the heavy forwarder as per the Qualys guidelines.
The host_detection input has been enabled on the HF and the KB input has been enabled on the SH.

Configuration on SH:

inputs.conf
[qualys://knowledge_base]
duration = */5 * * * *
index = main
start_date = 1999-01-01T00:00:00Z
disabled = 0

qualys.conf
[setupentity]
api_server = https://certs.qualys.eu
ca_key = /opt/splunk/etc/auth/qualys/client_key.key
ca_path = /opt/splunk/etc/auth/qualys/client_cert.cert
ca_pass = password ( hashed out in passwords.conf )
username = username ( hashed out in passwords.conf )
password = password ( hashed out in passwords.conf )
cs_log_container_summary_events = 0
cs_log_individual_container_events = 0
cs_log_individual_events = 0
cs_log_summary_events = 0
cs_multi_threading_enabled = 0
enable_debug = 1
enable_full_pull = 0
log_detections = 0
log_extra_host_summary = 0
log_host_details_in_detections = 0
log_host_summary = 0
log_individual_compliance_events = 0
log_policy_summary = 0
proxy_server = proxy_server_ip:port
use_ca = 1
use_multi_threading = 0
use_multi_threading_for_was = 0
use_proxy = 1

The API pull works when done via a curl command using the same certificate/credentials and proxy from the same server; it is just not happening from the Qualys add-on.

Any suggestions will be appreciated.

0 Karma
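
As an added example (not part of the original post and not code from the Qualys TA): a small Python triage helper for the splunkd.log excerpt quoted above. It separates splunkd's own severity from the level embedded in the add-on's message and measures the interval between requests. The function names `parse_exec_lines` and `triage` are hypothetical; the sample lines are copied from the post.

```python
import re
from datetime import datetime

# Sample input: the two splunkd.log lines quoted in the post above.
SAMPLE = '''09-17-2019 06:26:12.124 +0200 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" INFO:TA-QualysCloudPlatform (knowledge_base):Making request: https://certs.qualys.eu/msp/about.php with params={}
09-17-2019 06:31:12.156 +0200 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" INFO:TA-QualysCloudPlatform (knowledge_base):Making request: https://certs.qualys.eu/msp/about.php with params={}'''

# splunkd records what a scripted input writes to stderr as ERROR ExecProcessor,
# whatever level the script itself logged at, so the two levels are parsed apart.
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>[+-]\d{4}) '
    r'(?P<splunkd_level>\w+)\s+ExecProcessor - message from "(?P<script>[^"]+)" '
    r'(?P<msg>.*)$')
EMBEDDED_RE = re.compile(r'^(?P<level>DEBUG|INFO|WARNING|ERROR|CRITICAL):')
URL_RE = re.compile(r'Making request: (?P<url>\S+)')

def parse_exec_lines(text):
    """Parse ExecProcessor lines into dicts; lines of any other shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        emb = EMBEDDED_RE.match(m['msg'])
        url = URL_RE.search(m['msg'])
        events.append({
            'time': datetime.strptime(m['ts'] + ' ' + m['tz'],
                                      '%m-%d-%Y %H:%M:%S.%f %z'),
            'splunkd_level': m['splunkd_level'],
            'embedded_level': emb['level'] if emb else None,
            'url': url['url'] if url else None,
        })
    return events

def triage(events):
    """Summarise which lines are ERROR only by wrapping, plus request cadence."""
    wrapped = [e for e in events
               if e['splunkd_level'] == 'ERROR'
               and e['embedded_level'] in ('DEBUG', 'INFO')]
    gaps = [round((b['time'] - a['time']).total_seconds())
            for a, b in zip(events, events[1:])]
    return {
        'total': len(events),
        'info_wrapped_as_error': len(wrapped),
        'gaps_seconds': gaps,
        'urls': sorted({e['url'] for e in events if e['url']}),
    }

if __name__ == '__main__':
    print(triage(parse_exec_lines(SAMPLE)))
```

On the quoted lines this shows that both ERROR entries wrap INFO messages, that the requests are 300 seconds apart (matching the `*/5 * * * *` schedule in inputs.conf), and that the only URL logged is the `/msp/about.php` request.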