First time installer of Qualys-TA.

After completing all the setup in UI, i ran the command (as mentioned in page 26 of the docs: https://www.qualys.com/docs/qualys-ta-for-splunk.pdf😞

"

cd $SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform

$SPLUNK_HOME/bin/splunk cmd python ./bin/run.py -k -s -u   <qualys username> -p <qualys password>

"

This throws an error in log ($SPLUNK_HOME/var/log/splunk/ta_QualysCloudPlatform.log)  as follows:

qualysModule.splunkpopulator.basepopulator.BasePopulatorException: could not load API response. Reason: 'Event' object has no attribute 'write_event'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualysModule/qualys_log_populator.py", line 240, in _run
qlogger.error(e.message)
AttributeError: 'BasePopulatorException' object has no attribute 'message'

When i added more debug info to the various python scripts, i saw that the error pointed to "NoneType" for self.EVENT_WRITER.

The above log contained more info as below:

TA-QualysCloudPlatform: 2021-11-24 15:09:52 PID=564017 [MainThread] INFO: Python interpreter version = 3
TA-QualysCloudPlatform: 2021-11-24 15:09:52 PID=564017 [MainThread] INFO: Qualys TA version=1.8.11
TA-QualysCloudPlatform: 2021-11-24 15:09:52 PID=564017 [MainThread] INFO: Running for policy_posture_info. Host name to be used: $decideOnStartup. Index configured: main. Run duration: 9 * * * *. Default start date: 1999-01-01T00:00:00Z.
TA-QualysCloudPlatform: 2021-11-24 15:09:52 PID=564017 [MainThread] INFO: TA-QualysCloudPlatform using username trann3ls73 and its associated password.
TA-QualysCloudPlatform: 2021-11-24 15:09:52 PID=564017 [MainThread] INFO: API URL changed to https://qualysguard.qg3.apps.qualys.com for policy_posture_info data input
TA-QualysCloudPlatform: 2021-11-24 15:09:52 PID=564017 [MainThread] INFO: Another instance of policy_posture_info is already running with PID 508724. I am exiting.

on doing ps-ax | grep splunk, i could see many instances running as below:

root@splunktest:/opt/splunk/etc/apps/TA-QualysCloudPlatform/tmp# ps ax | grep splunk
12657 ? Sl 15:28 splunkd -p 8090 start
12658 ? Ss 0:00 [splunkd pid=12657] splunkd -p 8090 start [process-runner]
508681 ? S 0:00 /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py
508724 ? S 0:00 /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py
508734 ? S 0:00 /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py
508908 ? S 0:21 /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py
555183 ? S 0:00 /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py
555192 ? S 0:00 /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py
555219 ? S 0:00 /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py
565505 ? Sl 0:15 splunkd -p 8089 restart
565506 ? Ss 0:00 [splunkd pid=565505] splunkd -p 8089 restart [process-runner]

Finally, after killing those PIDs , i could get rid of the error.

This really needs to be fixed or a proper troubleshooting must be documented as it caused me headaches for 2 whole days! 🙂

Thanks!