Qualys App for Splunk Enterprise: How do I troubleshoot error "APIRequestError:...Unauthorized"?

jeffriesa
Path Finder

So I have installed the Qualys App for Splunk Enterprise, but it looks like both the KnowledgeBase data and Detection data aren't getting pulled down.

The debug logs show:

QualysSplunkPopulator: 2015-03-23T20:25:14Z PID=28092 [MainThread] ERROR: QualysSplunkPopulator - Error during request to /msp/about.php, [None] Unauthorized

QualysSplunkPopulator: 2015-03-23T17:17:57Z PID=12172 [MainThread] ERROR: QualysSplunkPopulator - Error during request to /api/2.0/fo/knowledge_base/vuln/, [None] Unauthorized
Traceback (most recent call last):
  File "/apps/splunk/etc/apps/qualys_splunk_app/qualys/qualys_log_populator.py", line 132, in _run
    resp = kbPopulator.run()
  File "/apps/splunk/etc/apps/qualys_splunk_app/qualys/splunkpopulator/basepopulator.py", line 75, in run
    return self.__fetch_and_parse()
  File "/apps/splunk/etc/apps/qualys_splunk_app/qualys/splunkpopulator/basepopulator.py", line 98, in __fetch_and_parse
    response = self.__fetch(params)
  File "/apps/splunk/etc/apps/qualys_splunk_app/qualys/splunkpopulator/basepopulator.py", line 90, in __fetch
    response = self.api_client.get(self.api_end_point, api_params, api.Client.XMLFileBufferedResponse(filename))
  File "/apps/splunk/etc/apps/qualys_splunk_app/qualys/lib/api/Client.py", line 226, in get
    raise APIRequestError("Error during request to %s, [%s] %s" % (end_point, ue.errno, ue.reason))
APIRequestError: Error during request to /api/2.0/fo/knowledge_base/vuln/, [None] Unauthorized
0 Karma
1 Solution

jleggett
Explorer

"You need to contact Qualys and make sure the user account you are using has access to the KB and Vulnerability APIs. This isn't enabled by default, nor is it free. Additionally, they may have you enabled on a different API host depending on your region and services you subscribe to."

In Qualys, under the user you are trying to connect with, go to User Role and ensure you have the API box checked. If it's the same as your Sourcefire user, it's probably OK. Also, make sure you used the correct endpoint platform in the setup screen.

becksyboy
Communicator

Hi, we have an account with API access enabled, but it is Read Only. Do you know if it needs to be at the Manager Role?

We are also seeing these errors from testing:

message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" qualysModule.lib.api.Client.APIRequestError: Error during request to /msp/about.php, [None] Unauthorized
message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py"     raise APIRequestError("Error during request to %s, [%s] %s" % (end_point, ue.errno, ue.reason))
message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py"   File "/opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualysModule/lib/api/Client.py", line 254, in get
message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py"     response = self.get("/msp/about.php", {}, SimpleAPIResponse())
message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py"   File "/opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualysModule/lib/api/Client.py", line 199, in validate
message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py"     qapi.client.validate()
message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py"   File "/opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py", line 166, in run
message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py"     run()
message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py"   File "/opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py", line 269, in main
message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py"     main()
message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py"   File "/opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py", line 276, in 
message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" Traceback (most recent call last):
0 Karma

Lindaiyu
Path Finder

Well, in my experience, even with the reader role, you should get data. If you get the "Unauthorized" error, it means that you have a wrong username or password.
Do the test with your browser: type the URL and then try the username and password. If you can log in successfully with the URL, this type of error should not occur.

0 Karma

becksyboy
Communicator

Thanks for the confirmation, yes it looks like it was an issue with the password!

0 Karma

jeffriesa
Path Finder

You need to have API access and have paid for it.

The account details are correct, check the proxy settings if you need to use one. Make sure you have the API server address right:
https://qualysapi.qualys.com

And enable debug.

0 Karma

Lindaiyu
Path Finder

Jeffriesa,
Thank you very much for your help.
I am sure that we have paid for it and now I thought the error "Unauthorized" had dispersed.
Here is the log:
QualysSplunkPopulator: 2016-01-28T09:30:21Z PID=29858 [MainThread] INFO: QualysSplunkPopulator - Done logging knowledgebase

QualysSplunkPopulator: 2016-01-28T09:30:21Z PID=29858 [MainThread] INFO: QualysSplunkPopulator - Parsed 26267 knowledgebase entry. Logged=0

QualysSplunkPopulator: 2016-01-28T09:30:21Z PID=29858 [MainThread] INFO: QualysSplunkPopulator - Updated lookup file: /mnt/sdb1/splunk/etc/apps/qualys_splunk_app/lookups/qualys_kb.csv with 26267 QIDs

QualysSplunkPopulator: 2016-01-28T09:30:21Z PID=29858 [MainThread] INFO: QualysSplunkPopulator - Update lookup file: /mnt/sdb1/splunk/etc/apps/qualys_splunk_app/lookups/qualys_kb.csv with 26267 QIDs

QualysSplunkPopulator: 2016-01-28T09:30:18Z PID=29858 [MainThread] INFO: QualysSplunkPopulator - Parsing knowledgebase XML

QualysSplunkPopulator: 2016-01-28T09:30:18Z PID=29858 [MainThread] INFO: QualysSplunkPopulator - knowledgebase fetched

QualysSplunkPopulator: 2016-01-28T09:21:04Z PID=29858 [MainThread] INFO: QualysSplunkPopulator - Outputting logs to stdout

QualysSplunkPopulator: 2016-01-28T09:21:04Z PID=29858 [MainThread] INFO: QualysSplunkPopulator - Start logging knowledgebase

QualysSplunkPopulator: 2016-01-28T09:21:04Z PID=29858 [MainThread] INFO: QualysSplunkPopulator - Start

Does it mean that the API is OK?
However, there is no data in this app.
Thank you very much for your response.

Best regards,
Daiyu

0 Karma

Lindaiyu
Path Finder

Thank you for your reply.
To use it, do you install only "Qualys App for Splunk Enterprise",
or "Splunk Add-on for Qualys" as well?
I have installed both apps, and now a search for index=qualys
returns data:

host_ip="xxx.xxx.210.253",host_id="100176181",results="Scan duration: 395 seconds Start time: Fri, Jan 29 2016, 10:12:09 GMT End time: Fri, Jan 29 2016, 10:18:44 GMT",type="Info",last_scan_datetime="2016-01-29T10:20:26Z",datetime="2016-01-29T10:22:53Z",tracking_method="IP",qid="45038" 

However the error still exists: when I run the search "eventtype=qualys_ta_log_error"

2016-01-29 08:20:18,007 ERROR 140240278779648 - Failed to connect https://qualysapi.qualys.eu/api/2.0/fo/asset/host/vm/detection/, code=2000, reason="Bad Login/Password"

So I think that for host:detection it works, and for vm_detection it doesn't work.

Thank you very much for your help, and I wish you a nice day.

Daiyu

0 Karma

jeffriesa
Path Finder

Try logging in using the account you are trying to use for the API. The error states it cannot access the vm component, so check you have access with the account you are using.

You don't need the TA / Add-on for Qualys to get things going. Maybe remove that, though it shouldn't make a difference.

0 Karma

jeffriesa
Path Finder

To me that is populating.

When you do a search using index=qualys what do you see?

0 Karma

jeffriesa
Path Finder

I got this working. We have API access, which we have to pay for, but it looks like it's worth it.

Nice app, and it is quicker to search Qualys data through Splunk than their site.

0 Karma

Lindaiyu
Path Finder

Hello,

I have the same problem, and I have checked my user role in Qualys, shown as follows:

Role: Manager
Business Unit: Unassigned
GUI Access: Yes
API Access: Yes

However, it doesn't work and shows the same errors.
Could you give me some advice, please?
Thank you very much!!!

0 Karma

esix_splunk
Splunk Employee

You need to contact Qualys and make sure the user account you are using has access to the KB and Vulnerability APIs. This isn't enabled by default, nor is it free. Additionally, they may have you enabled on a different API host depending on your region and services you subscribe to.

0 Karma

jeffriesa
Path Finder

OK, I got API access. One note is the user account needs manager access.

Next error:
Tunnel connection failed: 503 Service Unavailable

0 Karma

esix_splunk
Splunk Employee

503 for what?

If you go into the Qualys app and run the Python scripts, you can confirm if it's a local Splunk error or something related to the API. 503 would reflect an API issue.

From qualys/bin...

/opt/splunk/bin/splunk cmd python /opt/splunk/etc/apps/qualys/bin/filename.py

** Change the path to the Qualys app and filename.py to the Python script invoked via inputs.conf. This should either run, or give you an error. Post the results here.

0 Karma

jeffriesa
Path Finder

We do have API access; we use the Qualys connector for Sourcefire.

Is this the same?

0 Karma

esix_splunk
Splunk Employee

In my recent experience, these are not the same. Qualys seems to be moving away from this model.

0 Karma
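
The three error shapes posted in this thread can be told apart mechanically before changing any settings. The following is an added example, not code from the Qualys app or from any poster: a small triage script run over constructed sample lines copied in shape from the posts above. The function names `triage` and `summarize` and the rule labels are hypothetical; the suggested checks are the ones given in the replies.

```python
import re

# Constructed sample input: lines shaped like the ones posted in this thread.
SAMPLE_LOG = """\
QualysSplunkPopulator: 2015-03-23T20:25:14Z PID=28092 [MainThread] ERROR: QualysSplunkPopulator - Error during request to /msp/about.php, [None] Unauthorized
2016-01-29 08:20:18,007 ERROR 140240278779648 - Failed to connect https://qualysapi.qualys.eu/api/2.0/fo/asset/host/vm/detection/, code=2000, reason="Bad Login/Password"
Tunnel connection failed: 503 Service Unavailable
QualysSplunkPopulator: 2016-01-28T09:30:21Z PID=29858 [MainThread] INFO: QualysSplunkPopulator - Parsed 26267 knowledgebase entry. Logged=0
"""

# (label, pattern, check suggested in the thread for that symptom)
RULES = [
    ("unauthorized",
     re.compile(r"Error during request to (?P<target>\S+), \[[^\]]*\] Unauthorized"),
     "verify username/password, API access on the account, and the API server"),
    ("bad_login",
     re.compile(r'Failed to connect (?P<target>\S+), code=2000, '
                r'reason="Bad Login/Password"'),
     "log in with the same account and confirm it can reach this module"),
    ("proxy_tunnel",
     re.compile(r"Tunnel connection failed: (?P<target>\d{3})"),
     "check the proxy settings (the failure is at the proxy CONNECT step)"),
]

def triage(log_text):
    """Return one finding per recognised error line; other lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        for kind, pattern, check in RULES:
            match = pattern.search(line)
            if match:
                findings.append({"kind": kind,
                                 "target": match.group("target"),
                                 "check": check})
                break
    return findings

def summarize(findings):
    """Collapse repeated errors: kind -> sorted list of distinct targets."""
    grouped = {}
    for finding in findings:
        grouped.setdefault(finding["kind"], set()).add(finding["target"])
    return {kind: sorted(targets) for kind, targets in grouped.items()}

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:13} {f['target']}  ->  {f['check']}")
```
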