So I have installed the Qualys App for Splunk Enterprise, but it looks like both the KnowledgeBase data and Detection data aren't getting pulled down.
The debug logs show:
QualysSplunkPopulator: 2015-03-23T20:25:14Z PID=28092 [MainThread] ERROR: QualysSplunkPopulator - Error during request to /msp/about.php, [None] Unauthorized
QualysSplunkPopulator: 2015-03-23T17:17:57Z PID=12172 [MainThread] ERROR: QualysSplunkPopulator - Error during request to /api/2.0/fo/knowledge_base/vuln/, [None] Unauthorized
Traceback (most recent call last):
  File "/apps/splunk/etc/apps/qualys_splunk_app/qualys/qualys_log_populator.py", line 132, in _run
    resp = kbPopulator.run()
  File "/apps/splunk/etc/apps/qualys_splunk_app/qualys/splunkpopulator/basepopulator.py", line 75, in run
    return self.__fetch_and_parse()
  File "/apps/splunk/etc/apps/qualys_splunk_app/qualys/splunkpopulator/basepopulator.py", line 98, in __fetch_and_parse
    response = self.__fetch(params)
  File "/apps/splunk/etc/apps/qualys_splunk_app/qualys/splunkpopulator/basepopulator.py", line 90, in __fetch
    response = self.api_client.get(self.api_end_point, api_params, api.Client.XMLFileBufferedResponse(filename))
  File "/apps/splunk/etc/apps/qualys_splunk_app/qualys/lib/api/Client.py", line 226, in get
    raise APIRequestError("Error during request to %s, [%s] %s" % (end_point, ue.errno, ue.reason))
APIRequestError: Error during request to /api/2.0/fo/knowledge_base/vuln/, [None] Unauthorized
"You need to contact Qualys and make sure the user account you are using has access to the KB and Vulnerability APIs. This isn't enabled by default, nor is it free. Additionally, they may have you enabled on a different API host depending on your region and the services you subscribe to."
In Qualys, under the user you are trying to connect with, go to User Role and ensure you have the API box checked. If it's the same as your Sourcefire user, it's probably OK. Also, make sure you used the correct endpoint platform in the setup screen.
Hi, we have an account with API access enabled, but it is Read Only. Do you know if it needs to be at the Manager role?
We are also seeing these errors from testing:
message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" qualysModule.lib.api.Client.APIRequestError: Error during request to /msp/about.php, [None] Unauthorized
message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" raise APIRequestError("Error during request to %s, [%s] %s" % (end_point, ue.errno, ue.reason))
message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" File "/opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualysModule/lib/api/Client.py", line 254, in get
message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" response = self.get("/msp/about.php", {}, SimpleAPIResponse())
message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" File "/opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualysModule/lib/api/Client.py", line 199, in validate
message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" qapi.client.validate()
message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" File "/opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py", line 166, in run
message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" run()
message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" File "/opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py", line 269, in main
message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" main()
message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" File "/opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py", line 276, in
message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" Traceback (most recent call last):
Well, according to my experience, even with the Reader role you should get data. If you get the "Unauthorized" error, it means that you have a wrong username or password.
Do the test with your browser: type the URL and then try the username and password. If you can log in successfully with the URL, this type of error should not occur.
Thanks for the confirmation, yes, it looks like it was an issue with the password!
You need to have API access and have paid for it.
If the account details are correct, check the proxy settings if you need to use one. Make sure you have the API server address right:
https://qualysapi.qualys.com
And enable debug.
Jeffriesa,
Thank you very much for your help.
I am sure that we have paid for it, and now I think the "Unauthorized" error has disappeared.
Here is the log:
QualysSplunkPopulator: 2016-01-28T09:30:21Z PID=29858 [MainThread] INFO: QualysSplunkPopulator - Done logging knowledgebase
QualysSplunkPopulator: 2016-01-28T09:30:21Z PID=29858 [MainThread] INFO: QualysSplunkPopulator - Parsed 26267 knowledgebase entry. Logged=0
QualysSplunkPopulator: 2016-01-28T09:30:21Z PID=29858 [MainThread] INFO: QualysSplunkPopulator - Updated lookup file: /mnt/sdb1/splunk/etc/apps/qualys_splunk_app/lookups/qualys_kb.csv with 26267 QIDs
QualysSplunkPopulator: 2016-01-28T09:30:21Z PID=29858 [MainThread] INFO: QualysSplunkPopulator - Update lookup file: /mnt/sdb1/splunk/etc/apps/qualys_splunk_app/lookups/qualys_kb.csv with 26267 QIDs
QualysSplunkPopulator: 2016-01-28T09:30:18Z PID=29858 [MainThread] INFO: QualysSplunkPopulator - Parsing knowledgebase XML
QualysSplunkPopulator: 2016-01-28T09:30:18Z PID=29858 [MainThread] INFO: QualysSplunkPopulator - knowledgebase fetched
QualysSplunkPopulator: 2016-01-28T09:21:04Z PID=29858 [MainThread] INFO: QualysSplunkPopulator - Outputting logs to stdout
QualysSplunkPopulator: 2016-01-28T09:21:04Z PID=29858 [MainThread] INFO: QualysSplunkPopulator - Start logging knowledgebase
QualysSplunkPopulator: 2016-01-28T09:21:04Z PID=29858 [MainThread] INFO: QualysSplunkPopulator - Start
Does it mean that the API is OK?
However, there is no data in this App.
Thank you very much for your response.
Best regards,
Daiyu
Thank you for your reply.
To use it, do you only install "Qualys App for Splunk Enterprise",
or the "Splunk Add-on for Qualys" as well?
I have installed both apps now, and when I search index=qualys
there is data:
host_ip="xxx.xxx.210.253",host_id="100176181",results="Scan duration: 395 seconds Start time: Fri, Jan 29 2016, 10:12:09 GMT End time: Fri, Jan 29 2016, 10:18:44 GMT",type="Info",last_scan_datetime="2016-01-29T10:20:26Z",datetime="2016-01-29T10:22:53Z",tracking_method="IP",qid="45038"
However the error still exists: when I run the search "eventtype=qualys_ta_log_error"
2016-01-29 08:20:18,007 ERROR 140240278779648 - Failed to connect https://qualysapi.qualys.eu/api/2.0/fo/asset/host/vm/detection/, code=2000, reason="Bad Login/Password"
So I think that for host:detection it works, and for vm_detection it doesn't work.
Thank you very much for your help, and have a nice day.
Daiyu
Try logging in using the account you are trying to use for the API. The error states it cannot access the VM component, so check that you have access with the account you are using.
You don't need the TA / Add-on for Qualys to get things going. Maybe remove that, though it shouldn't make a difference.
To me that is populating.
When you do a search using index=qualys, what do you see?
I got this working. We have API access, which we have to pay for, but it looks like it's worth it.
Nice app, and it is quicker to search Qualys data through Splunk than through their site.
Hello,
I got the same problem, and I have checked my user role in Qualys, shown as follows:
Role: Manager
Business Unit: Unassigned
GUI Access: Yes
API Access: Yes
However, it doesn't work and shows the same errors.
Could you give me some advice, please?
Thank you very much!!!
You need to contact Qualys and make sure the user account you are using has access to the KB and Vulnerability APIs. This isn't enabled by default, nor is it free. Additionally, they may have you enabled on a different API host depending on your region and the services you subscribe to.
OK, I got API access. One note: the user account needs Manager access.
Next error:
Tunnel connection failed: 503 Service Unavailable
503 for what?
If you go into the Qualys app and run the Python scripts, you can confirm whether it's a local Splunk error or something related to the API. A 503 would reflect an API-side issue.
From qualys/bin...
/opt/splunk/bin/splunk cmd python /opt/splunk/etc/apps/qualys/bin/filename.py
** change the path to the qualys app and the filename.py to the python script invoked via inputs.conf. This should either run, or give you an error. Post the results here.
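A stand-alone version of the two checks suggested in this thread (log in to the API URL directly with the account's credentials, and run the request outside Splunk to separate a local error from an API or proxy error), as an added example that is not code from the Qualys app or the TA. It assumes HTTP Basic auth and the X-Requested-With header the Qualys API v2 expects; the platform hosts are the two that appear in the thread, and the SIMPLE_RETURN error XML it matches is a constructed sample modelled on the code=2000 "Bad Login/Password" log line above.

```python
"""Stand-alone check of Qualys API credentials and platform host (added example,
not code from the Qualys app or TA). Assumes HTTP Basic auth plus the X-Requested-With
header the Qualys API v2 requires; the <SIMPLE_RETURN> error XML matched below is a
constructed sample modelled on the thread's code=2000 "Bad Login/Password" log line."""
import base64
import re
import sys
import urllib.error
import urllib.request
from typing import Optional

# Platform hosts that appear in the thread: the US default and the EU host from the error log.
PLATFORM_HOSTS = {"US1": "https://qualysapi.qualys.com", "EU1": "https://qualysapi.qualys.eu"}
ABOUT_ENDPOINT = "/msp/about.php"  # first endpoint the app calls to validate the login

def build_request(host, username, password):
    """Build the same kind of Basic-auth GET the Splunk app sends."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(host.rstrip("/") + ABOUT_ENDPOINT, headers={
        "Authorization": "Basic " + token,
        "X-Requested-With": "qualys-credential-check"})  # header value is arbitrary

def diagnose(status: Optional[int], body: str) -> str:
    """Map HTTP status plus response body onto the fixes discussed in the thread."""
    if status is None:
        return "no-connection: check proxy settings and that the platform host resolves"
    if status == 401:
        return "unauthorized: wrong username/password, or API access not enabled for the user"
    if status == 503:
        return "503: proxy tunnel or Qualys API unavailable; not a local Splunk problem"
    m = re.search(r"<CODE>(\d+)</CODE>\s*<TEXT>([^<]*)</TEXT>", body)
    if m:  # Qualys-level error carried in the XML body
        hint = "; module not licensed or wrong platform host" if m.group(1) == "2000" else ""
        return f"api-error {m.group(1)}: {m.group(2)}{hint}"
    if status == 200:
        return "ok: credentials accepted on this platform host"
    return f"unexpected status {status}"

def check(host, username, password):
    """Send the request and diagnose; on HTTPError the body is still read."""
    try:
        with urllib.request.urlopen(build_request(host, username, password), timeout=30) as r:
            return diagnose(r.status, r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return diagnose(e.code, e.read().decode("utf-8", "replace"))
    except urllib.error.URLError:
        return diagnose(None, "")

if __name__ == "__main__":  # usage: script.py https://qualysapi.qualys.com user 'password'
    print(check(*sys.argv[1:4]))
```

Run it with the Splunk Python interpreter (`/opt/splunk/bin/splunk cmd python ...`) from the same host as the app so that the same proxy settings apply.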
We do have api access, we use the qualys connector for Sourcefire.
Is this the same?
In my recent experience, these are not the same. Qualys seems to be moving away from this model.