Is the Qualys TA for Splunk supported on an SHC? Looking at various threads, it appears not to be supported. Is that because of 'inputs.conf' running on the SH and the possible duplication of the WAS and Host Detection data, or is there any limitation with the Add-on?
Quick overview: The answer to your question is an emphatic yes. The Qualys TA is supported in an SHC as follows.
The TA on the forwarder will fetch data from the Qualys server and forward it to the indexer. The search heads will talk to the indexer and generate reports from the VM App and WAS App on the SH.
Steps to set up each Splunk instance as Forwarder, Indexer, Search Head, or Deployer (optional) are documented at the Splunk portal - https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Forwarding/Enableareceiver
If this information helps, kindly rate points or accept the answer. Thanks.
Thanks for the comment. The TA is supported in distributed deployments, but cannot be run on its own in an SHC instance, as the modular input calls the Qualys API and uses a checkpoint to pull incremental data. So, the only option at the moment is to deploy the TA on a dedicated Splunk instance to pull the data (vulnerability / WAS) and forward it to the indexing tier for searches. However, the KB can possibly work in the SHC, as it doesn't make a REST call to the Qualys API server.
I would split the TA into two apps:
- an inputs section just for collecting data. Call it "my_app_qualys_inputs", configure inputs.conf in it, and deploy it to your HF or standalone instance
- the Qualys TA as it is, with inputs.conf stripped out (or disabled), for the cluster, for index-time and search-time extractions
In general, apps / TAs that have modular inputs in them are better off with the inputs configured on a single Splunk instance, either a dedicated search head or a Heavy Forwarder, as in a cluster configuration all 3 search heads (or more) will start and try to make the API calls. You will probably still need the add-on for search-time extractions and other knowledge objects.
Hope it helps.
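As an added illustration of the split described above (not code from the answer's author or from Qualys): a small script that takes a TA directory and produces the collector app ("my_app_qualys_inputs", carrying only app.conf and inputs.conf for the HF) and an SHC copy with every inputs.conf removed. The sample TA it builds is constructed for the demo; the `[qualys://...]` stanza and the `TA-Qualys` directory name are placeholders, not the real add-on's layout.

```shell
#!/usr/bin/env bash
# Split a modular-input TA so that only the collector app can make API calls.
set -eu

split_ta() {  # usage: split_ta <source TA dir> <output dir>
  local src="$1" out="$2" d
  local name; name="$(basename "$src")"
  local collector="$out/my_app_qualys_inputs"
  local shc="$out/${name}_shc"

  # Collector app for the HF / standalone instance: app.conf plus whichever
  # inputs.conf copies (default/ or local/) the source TA carries.
  mkdir -p "$collector/default"
  cp "$src/default/app.conf" "$collector/default/app.conf"
  for d in default local; do
    if [ -f "$src/$d/inputs.conf" ]; then
      mkdir -p "$collector/$d"
      cp "$src/$d/inputs.conf" "$collector/$d/inputs.conf"
    fi
  done

  # SHC copy: everything else (props, transforms, lookups, ...) with every
  # inputs.conf stripped, so no search-head member starts the modular input.
  mkdir -p "$shc"
  cp -R "$src"/. "$shc"/
  find "$shc" -name inputs.conf -exec rm -f {} +
}

# Sanity check before deploying: collector has inputs, SHC copy has none.
check_split() {  # usage: check_split <output dir>
  local out="$1"
  [ -f "$out/my_app_qualys_inputs/local/inputs.conf" ] || return 1
  [ -z "$(find "$out"/*_shc -name inputs.conf 2>/dev/null)" ] || return 1
  return 0
}

# Constructed sample TA for the demo (placeholder stanza, not the real app).
make_sample_ta() {  # usage: make_sample_ta <dir to create>
  local src="$1"
  mkdir -p "$src/default" "$src/local"
  printf '[ui]\nis_visible = 1\nlabel = TA-Qualys\n' > "$src/default/app.conf"
  printf '[qualys://host_detection]\ninterval = 0 */4 * * *\ndisabled = 0\n' \
    > "$src/local/inputs.conf"
  printf '[qualys:hostDetection]\nKV_MODE = none\n' > "$src/default/props.conf"
}
```

Run `make_sample_ta /tmp/TA-Qualys && split_ta /tmp/TA-Qualys /tmp/out && check_split /tmp/out` to see the two resulting app directories.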