- Community
- :
- Splunk Answers
- :
- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Qualys-TA: Error during knowledgebase-run
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Qualys-TA: Error during knowledgebase-run
First time installer of Qualys-TA.
After completing all the setup in UI, i ran the command (as mentioned in page 26 of the docs: https://www.qualys.com/docs/qualys-ta-for-splunk.pdf😞
"
cd $SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform
$SPLUNK_HOME/bin/splunk cmd python ./bin/run.py -k -s -u <qualys username> -p <qualys password>
"
This throws an error in log ($SPLUNK_HOME/var/log/splunk/ta_QualysCloudPlatform.log) as follows:
qualysModule.splunkpopulator.basepopulator.BasePopulatorException: could not load API response. Reason: 'Event' object has no attribute 'write_event'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualysModule/qualys_log_populator.py", line 240, in _run
qlogger.error(e.message)
AttributeError: 'BasePopulatorException' object has no attribute 'message'
When i added more debug info to the various python scripts, i saw that the error pointed to "NoneType" for self.EVENT_WRITER.
The above log contained more info as below:
TA-QualysCloudPlatform: 2021-11-24 15:09:52 PID=564017 [MainThread] INFO: Python interpreter version = 3
TA-QualysCloudPlatform: 2021-11-24 15:09:52 PID=564017 [MainThread] INFO: Qualys TA version=1.8.11
TA-QualysCloudPlatform: 2021-11-24 15:09:52 PID=564017 [MainThread] INFO: Running for policy_posture_info. Host name to be used: $decideOnStartup. Index configured: main. Run duration: 9 * * * *. Default start date: 1999-01-01T00:00:00Z.
TA-QualysCloudPlatform: 2021-11-24 15:09:52 PID=564017 [MainThread] INFO: TA-QualysCloudPlatform using username trann3ls73 and its associated password.
TA-QualysCloudPlatform: 2021-11-24 15:09:52 PID=564017 [MainThread] INFO: API URL changed to https://qualysguard.qg3.apps.qualys.com for policy_posture_info data input
TA-QualysCloudPlatform: 2021-11-24 15:09:52 PID=564017 [MainThread] INFO: Another instance of policy_posture_info is already running with PID 508724. I am exiting.
on doing ps-ax | grep splunk, i could see many instances running as below:
root@splunktest:/opt/splunk/etc/apps/TA-QualysCloudPlatform/tmp# ps ax | grep splunk
12657 ? Sl 15:28 splunkd -p 8090 start
12658 ? Ss 0:00 [splunkd pid=12657] splunkd -p 8090 start [process-runner]
508681 ? S 0:00 /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py
508724 ? S 0:00 /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py
508734 ? S 0:00 /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py
508908 ? S 0:21 /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py
555183 ? S 0:00 /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py
555192 ? S 0:00 /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py
555219 ? S 0:00 /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py
565505 ? Sl 0:15 splunkd -p 8089 restart
565506 ? Ss 0:00 [splunkd pid=565505] splunkd -p 8089 restart [process-runner]
Finally, after killing those PIDs , i could get rid of the error.
This really needs to be fixed or a proper troubleshooting must be documented as it caused me headaches for 2 whole days! 🙂
Thanks!
Splunk Security Content for Threat Detection & Response, Q1 Roundup
Splunk Life | Happy Pride Month!
SplunkTrust | Where Are They Now - Michael Uschmann
