
Qualys TA : setting up in SHC

lakshman239
SplunkTrust

Is Qualys TA for Splunk supported on SHC? looking at various threads, it appears to be not supported. Is that because of 'inputs.conf' running in SH and possible duplicate of the WAS and Host detection data or is there any limitation with the Add-on?


nit123
Path Finder

Quick overview: The answer to your question is an emphatic Yes. Qualys TA is supported in SHC as follows:

  1. Install TA on Forwarder and enable all inputs for VM, WAS and KB
  2. Install TA on Search Heads but only enable Knowledge Base input since that is a periodic self-updating lookup file of all QIDs
  3. Install VM App and WAS App on Search Heads if you care about reports on indexed data.

TA on forwarder will fetch data from Qualys Server and forward data to indexer. The search heads will talk to indexer and generate reports from VM App and WAS App on SH.

Steps to set up each Splunk instance as Forwarder, Indexer, Search heads, Deployer (optional) are documented at Splunk portal - https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/Forwarding/Enableareceiver

If this information helps, kindly rate points or accept answer. Thanks.


lakshman239
SplunkTrust

Thanks for the comment. The TA is supported in distributed deployments, but cannot be run on its own in an SHC instance as the modular input calls the Qualys API and uses a checkpoint to pull incremental data. So, the only option at the moment is to deploy the TA on a dedicated Splunk instance to pull the data (vulnerability / WAS) and forward to the indexing tier for searches. However, the KB can possibly work in the SHC as it doesn't make a REST call to the Qualys API server.


koshyk
Super Champion

I would split the TA into two apps:
- inputs section just for collecting data. You could call it "my_app_qualys_inputs", configure inputs.conf and deploy it into your HF or standalone
- Qualys TA as it is with inputs.conf stripped out (or disabled) for the cluster, for index-time and search-time extractions

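The split described in nit123's steps and koshyk's two-app layout (collector with every input polling Qualys, cluster copy with everything but the KB refresh disabled) can be produced mechanically. The script below is an added example, not code from the Qualys TA; the `qualys://` stanza names and the sample inputs.conf are constructed stand-ins, and `duplicate_pollers` is a hypothetical check that flags an API-polling input left enabled on more than one instance, which is the duplicate-collection problem adonio and lakshman239 describe.

```python
import configparser

# Constructed sample inputs.conf; qualys:// stanza names are hypothetical stand-ins for the TA's VM, WAS and KB inputs.
SAMPLE_INPUTS_CONF = """
[qualys://host_detection]
interval = 3600
disabled = 0
[qualys://was_findings]
interval = 3600
disabled = 0
[qualys://knowledge_base]
interval = 86400
disabled = 0
"""
KB_STANZA = "qualys://knowledge_base"  # assumed name of the lookup-refresh (KB) input

def parse_conf(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # Splunk keys are case-sensitive; do not lower-case them
    cp.read_string(text)
    return cp

def modular_inputs(cp):
    return [s for s in cp.sections() if "://" in s]  # [scheme://name] stanzas only

def variant(text, enabled):
    """Parse the conf and enable exactly the modular inputs listed in `enabled`."""
    cp = parse_conf(text)
    for s in modular_inputs(cp):
        cp[s]["disabled"] = "0" if s in enabled else "1"
    return cp

def collector_variant(text):
    """inputs-only app for the HF/standalone collector: every input polls Qualys."""
    return variant(text, modular_inputs(parse_conf(text)))

def shc_variant(text):
    """TA copy for the search head cluster: only the KB lookup refresh stays enabled."""
    return variant(text, [KB_STANZA])

def enabled_inputs(cp):
    return sorted(s for s in modular_inputs(cp) if cp[s].get("disabled", "0") == "0")

def duplicate_pollers(deployment, local_only=(KB_STANZA,)):
    """API-polling inputs enabled on more than one instance; each copy would poll independently."""
    seen = {}
    for instance, cp in deployment.items():
        for s in enabled_inputs(cp):
            seen.setdefault(s, []).append(instance)
    return {s: sorted(i) for s, i in seen.items() if len(i) > 1 and s not in local_only}
```

Write the two variants out with `ConfigParser.write()` into the respective app's `local/inputs.conf`, and run `duplicate_pollers` over the set of confs you are about to push from the deployer and deployment server.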

adonio
SplunkTrust

Hello there,
In general, apps / TAs that have modular inputs in them are better configured (the inputs) on a single Splunk instance, either a dedicated search head or Heavy Forwarder, as in a cluster configuration all 3 search heads (or more) will start and try to make the API calls. You will probably still need the add-on for search-time extractions and other knowledge objects.
Hope it helps
