
Issues with the Qualys TA where not ALL scan information is pulled.

Robbie1194
Communicator

Hi guys,

This is a bit of a generic question but I thought I'd ask in case anyone had ever seen issues from Qualys like this before.

We currently ingest our data from Qualys 3 times a day (every 8 hours) using the Qualys TA, but I've found that sometimes in our data we just don't have certain scan results. For example, a scan runs from 1pm-3pm on a Friday and it scans 2000 hosts (as seen in Qualys), but Splunk only has data on 1500 hosts over that time frame.

Anyone seen anything like this before?

Any help/suggestions would be appreciated.

Cheers!

AlexeySh
Communicator

Hello Robbie1194,

We have the same issue with the Qualys WAS module and we are investigating it with Qualys support (very slowly, actually). All we could find so far is that the issue is most likely related to a timestamp parse error. To check if you have the same cause, you can perform the search:

index=_internal "your_qualys_scan_sourcetype" log_level=WARN

If you see a message like "Failed to parse timestamp. Defaulting to timestamp of previous event..." you probably have the same issue.

P.S. I did say that we have the same issue with WAS, but it's quite possible that the issue exists on other modules as well. We use Cloud Agent instead of VM; Cloud Agent performs 'mini-scans' several times per day, so we are probably just not aware of the data integrity problem there.

Regards,
Alexey.

0 Karma
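As an added example (not from the original thread), here is a small Python script that runs the same check offline against exported splunkd log lines: it tallies the "Defaulting to timestamp of previous event" warnings per sourcetype, which is a quick way to estimate how many Qualys events landed at the wrong time and therefore fall outside the scan window you search. The sample lines are constructed to approximate the splunkd WARN format, and the line layout and the "Context: ...|sourcetype=..." suffix are assumptions about that format.

```python
import re
from collections import Counter

# Constructed sample lines approximating splunkd.log entries (assumption: real
# DateParserVerbose warnings end with a "Context: source=...|sourcetype=...|" suffix).
SAMPLE_LOG = """\
01-12-2024 13:05:10.412 +0000 WARN  DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Fri Jan 12 13:05:09 2024). Context: source=qualys://host_detection|host=qualys-api|sourcetype=qualys:hostDetection|
01-12-2024 13:05:11.009 +0000 WARN  DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Fri Jan 12 13:05:09 2024). Context: source=qualys://host_detection|host=qualys-api|sourcetype=qualys:hostDetection|
01-12-2024 13:06:02.771 +0000 WARN  DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Fri Jan 12 13:05:09 2024). Context: source=qualys://was_findings|host=qualys-api|sourcetype=qualys:wasFindings|
01-12-2024 13:06:30.000 +0000 INFO  ExecProcessor - scripted input finished run
01-12-2024 13:07:00.000 +0000 WARN  TailReader - File descriptor cache is full (100), trimming...
"""

# splunkd line shape: "<MM-DD-YYYY HH:MM:SS.mmm +ZZZZ> WARN <Component> - <message>"
WARN_RE = re.compile(
    r"^(?P<ts>\d\d-\d\d-\d{4} \d\d:\d\d:\d\d\.\d+ [+-]\d{4}) WARN\s+"
    r"(?P<component>\S+) - (?P<msg>.*)$"
)
SOURCETYPE_RE = re.compile(r"sourcetype=(?P<st>[^|]+)")
DEFAULTED_MARK = "Defaulting to timestamp of previous event"


def count_timestamp_failures(log_text):
    """Return {sourcetype: count} for WARN lines where splunkd could not parse
    the event timestamp and fell back to the previous event's time."""
    counts = Counter()
    for line in log_text.splitlines():
        m = WARN_RE.match(line)
        # Skip non-WARN lines and WARN lines about something else (e.g. TailReader).
        if not m or DEFAULTED_MARK not in m.group("msg"):
            continue
        st = SOURCETYPE_RE.search(m.group("msg"))
        counts[st.group("st") if st else "<unknown>"] += 1
    return dict(counts)


if __name__ == "__main__":
    for st, n in sorted(count_timestamp_failures(SAMPLE_LOG).items()):
        print(f"{st}: {n} event(s) indexed with a defaulted timestamp")
```

A non-zero count for a Qualys sourcetype means those events exist in the index but were stamped with an earlier event's time, so a time-bounded search over the scan window will undercount hosts.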

alikapucu
Explorer

What is the solution for this issue?

0 Karma

AlexeySh
Communicator

Hello,

Unfortunately, there is no solution. Or at least I didn't find one. Things look much better with the latest TA-Qualys version (1.3.2), but it's still an issue.

Regards,
Alex.

0 Karma

deepashri_123
Motivator

Hey Robbie1194,

Can you try changing the limit in limits.conf?

limit = (integer)
* The maximum number of fields that an automatic key-value field extraction
(auto kv) can generate at search time.
* If search-time field extractions are disabled (KV_MODE=none in props.conf)
then this setting determines the number of index-time fields that will be
returned.
* The summary fields 'host', 'index', 'source', 'sourcetype', 'eventtype',
'linecount', 'splunk_server', and 'splunk_server_group' do not count against
this limit and will always be returned.
* Increase this setting if, for example, you have indexed data with a large
number of columns and want to ensure that searches display all fields from
the data.
* Default: 100

Hope this helps!!!

0 Karma