
Qualys TA

anandhalagarasa
Path Finder

Hi All,

I have installed the (App: Qualys VM App for Splunk Enterprise) & (Add-On: Qualys Technology Add-on for Splunk) on my Search Head server. I have also installed the (Add-On: Qualys Technology Add-on for Splunk) on my Heavy Forwarder server.

I have a few queries on how to set up the app:

1.) When I launch the setup of the Add-On in the Heavy Forwarder it asks for the Qualys URI, user name and password. So do I need to key in the URI, username and password only in the Heavy Forwarder, or do I also need to key in the username and password on the Search Head as well?

2.) We just need VM Detection and no WAS findings. So as per the answer provided I have created the host_detection input in Heavy Forwarder --> Data Inputs --> TA-Qualys-Add-On and added New. I have provided the cron as 24h and the Start Date as 2018-01-01T00:00:00Z. I just left the default index (main) and saved it. In the host column I have just left the Heavy Forwarder server name as it is. Then I went to the backend and changed the index name to qualys. These steps I have done in the Heavy Forwarder. I have moved it from the disabled state to the enabled state. I have also restarted the Heavy Forwarder service as well.

3.) Similarly I have created knowledge_base in Search Head --> Data Inputs --> TA-Qualys-Add-On and added New. I have provided the cron as 24h and the Start Date as 2018-01-01T00:00:00Z. I just changed the host name to the Heavy Forwarder server name and kept the index name as Qualys. I have moved it from the disabled state to the enabled state.

4.) So do I need to add both host_detection & knowledge_base in the Heavy Forwarder as well as in the Search Head, or should I leave it as it is?

5.) Also, is it mandatory to provide the squid proxy information in both the Search Head and the Heavy Forwarder during setup? Or else will it work as it is?

Because when I search the data with index=qualys and the host name as the heavy forwarder server, I am not getting any information.


lakshman239
SplunkTrust

Please refer to the vendor's guide for the most up-to-date procedure: https://www.qualys.com/docs/qualys-ta-for-splunk.pdf

The TA needs to be installed in a HF and configured to collect the data via the API. Please ensure your account has the API enabled for Qualys scan/retrieving host detection data. [This will create inputs.conf in your HF]

The knowledge base can be enabled in SH or HF.

You need to provide proxy details to connect to Qualys if your SH or HF is behind a firewall [i.e. no direct connectivity to the internet].



dinesh143
Loves-to-Learn

Hi, I am also facing the same issue after configuring the add-on and apps in SH and HF. I don't see any logs in the index. I checked for error logs and there are no error logs either.



anandhalagarasa
Path Finder

Hi lakshman239,

Thanks for your response.

This is what I have done till now. So kindly let me know if there are any lags.

Recently we have downloaded and installed the (App: Qualys VM App for Splunk Enterprise) & (Add-On: Qualys Technology Add-on for Splunk) on my Search Head server. And also, as recommended, I have installed only the (Add-On: Qualys Technology Add-on for Splunk) on my Heavy Forwarder server.

https://splunkbase.splunk.com/app/3141/

https://splunkbase.splunk.com/app/2964/

Following this, I am not getting any logs for the Qualys app for TA.

The configuration has been done as mentioned below:

Heavy Forwarder Configurations:
1.) After installation of the Qualys Technology Add-on for Splunk we navigated to the settings and provided the URI information, username and password credentials and saved the same. Kindly note we didn't fill in any other information and just saved it.

2.) Similarly we navigated to Data Inputs --> TA-Qualys Technology Add-On --> and added new,
i.e. host_detection.

I have provided the cron interval as 24h, the start date as 2018-01-01T00:00:00Z, the host name as the heavy forwarder server name and the index as qualys.

By default I can see the index as main (actually the qualys index was not listed in the drop-down), so I have updated the same at the backend in inputs.conf, moved it to the enabled state and restarted the Heavy Forwarder.

Search Head Configurations:
1.) After installation of the Qualys Technology Add-on for Splunk we navigated to the settings and provided the URI information, username and password credentials and saved the same. Kindly note we didn't fill in any other information and just saved it.

2.) Similarly we navigated to Data Inputs --> TA-Qualys Technology Add-On --> and added new,
i.e. knowledge_base.

I have provided the cron interval as 24h, the start date as 2018-01-01T00:00:00Z and the host name as the heavy forwarder server name (I didn't change it to the search head server name), chose the index as qualys and enabled the knowledge_base data input.

3.) Also I have installed the App (App: Qualys VM App for Splunk Enterprise) on our Search Head server as mentioned above.

Now my query is that I can see the dashboards in the app, which seem to be getting updated, but when I search with index=qualys I am not able to fetch any data. So kindly help on the same.


harsmarvania57
SplunkTrust

Have you created the qualys index on your Indexer?


anandhalagarasa
Path Finder

Yes, we already have the indexer.


lakshman239
SplunkTrust

Can you test the following?
index=_internal host=yourHFhostname -- this will ensure Splunk is connected and sending logs.

index=qualys OR index=main sourcetype=qualys* -- will show any errors/process details.

index=main -- search for all time and check if you see any logs, to confirm the correctly configured index.

index=qualys -- search for all time and check if you see any logs.


anandhalagarasa
Path Finder

I am able to see qualys:hostDetection reporting in Splunk and I have configured the knowledge_base inputs in the Heavy Forwarder, but I can't see any logs related to the knowledge base in Splunk. I have checked inputs.conf and I can only see the host_detection inputs there, whereas I couldn't find any knowledge base related inputs. So can you let me know how to get those logs into Splunk?


anandhalagarasa
Path Finder

@lakshman239 I just want to know whether I will be getting events in the Search and Reporting App if I enable knowledge_base in data inputs on the Search Head or Heavy Forwarder.


lakshman239
SplunkTrust

Yes, you should be able to view and search them in the search app if the Qualys TA is installed with 'global' permissions.


anandhalagarasa
Path Finder

@lakshman239 ,

Currently I have enabled the knowledge_base on the Search Head server and the duration which I have selected is mentioned below:

Cron Interval : */1 * * * *
Start Date: 1999-01-01T00:00:00Z

When I checked the internal indexes I am getting the error below for knowledge_base:

TA-QualysCloudPlatform: Date PID=47445 [MainThread] ERROR: TA-QualysCloudPlatform (knowledge_base) - API concurrency limit reached. Must sleep for 300 seconds and try again. Retry count: 1

And I think because of this issue I am not getting logs for knowledge_base, so kindly help on the same.


lakshman239
SplunkTrust

Change your cron to run once or twice a day, using similar syntax to what you have defined for the working host detection input. Also, change the start to 2019-01-01. If you call the API very frequently you will hit the limit and it will fail, the way you see in your case.

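The exchange above turns on two things that can be checked mechanically: how often a cron expression actually fires, and whether the TA has started logging the "API concurrency limit reached" error quoted earlier in the thread. The script below is an added example, not code from the thread or from the Qualys TA. It parses 5-field cron expressions (minute and hour fields only; the day fields are assumed to be `*`, as in every schedule in this thread) to count firings per day, and scans `_internal`-style log text for the concurrency error in the format the asker quoted. The sample log lines are constructed, and the "more than twice a day" threshold mirrors the advice above rather than any documented Qualys limit.

```python
"""Check whether Qualys TA inputs poll the API too often.

Added example, not part of the thread or of the Qualys TA.  The log line
format is copied from the one quoted in the thread; the sample lines are
constructed, and the runs-per-day threshold is an assumption, not a
Qualys-documented rate limit.
"""
import re
from typing import Dict, List

# Constructed sample of _internal log lines in the format the thread shows.
SAMPLE_LOG = """\
TA-QualysCloudPlatform: 2019-04-01 10:00:01 PID=47445 [MainThread] INFO: TA-QualysCloudPlatform (host_detection) - Fetching host detections
TA-QualysCloudPlatform: 2019-04-01 10:01:00 PID=47445 [MainThread] ERROR: TA-QualysCloudPlatform (knowledge_base) - API concurrency limit reached. Must sleep for 300 seconds and try again. Retry count: 1
TA-QualysCloudPlatform: 2019-04-01 10:06:00 PID=47445 [MainThread] ERROR: TA-QualysCloudPlatform (knowledge_base) - API concurrency limit reached. Must sleep for 300 seconds and try again. Retry count: 2
"""

CONCURRENCY_RE = re.compile(
    r"ERROR: TA-QualysCloudPlatform \((?P<input>[\w-]+)\) - API concurrency limit reached\."
    r" Must sleep for (?P<sleep>\d+) seconds and try again\. Retry count: (?P<retry>\d+)"
)


def find_concurrency_errors(log_text: str) -> List[dict]:
    """Return one record per 'API concurrency limit reached' line."""
    hits = []
    for line in log_text.splitlines():
        m = CONCURRENCY_RE.search(line)
        if m:
            hits.append({"input": m["input"], "sleep": int(m["sleep"]), "retry": int(m["retry"])})
    return hits


def _expand(field: str, low: int, high: int) -> set:
    """Expand one cron field (*, */n, a-b, a-b/n, a,b,c) into its set of values."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_s = part.split("/", 1)
            step = int(step_s)
        if part == "*":
            start, end = low, high
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        values.update(range(start, end + 1, step))
    return values


def runs_per_day(cron_expr: str) -> int:
    """Number of firings per day for a 5-field cron expression.

    Only the minute and hour fields are evaluated; day-of-month, month and
    day-of-week must be '*' (true for every schedule in the thread).
    Anything else raises rather than returning a misleading count.
    """
    fields = cron_expr.split()
    if len(fields) != 5:
        raise ValueError("expected 5 cron fields: %r" % cron_expr)
    minute, hour, dom, month, dow = fields
    if (dom, month, dow) != ("*", "*", "*"):
        raise ValueError("day/month fields other than '*' are not supported")
    return len(_expand(minute, 0, 59)) * len(_expand(hour, 0, 23))


def audit_schedules(schedules: Dict[str, str], max_runs_per_day: int = 2) -> Dict[str, int]:
    """Return {input_name: runs_per_day} for inputs that fire more than allowed.

    max_runs_per_day=2 follows the 'once or twice a day' advice in the
    thread; it is an assumption, not a documented Qualys limit.
    """
    too_frequent = {}
    for name, expr in schedules.items():
        runs = runs_per_day(expr)
        if runs > max_runs_per_day:
            too_frequent[name] = runs
    return too_frequent


if __name__ == "__main__":
    # Constructed schedules: the asker's every-minute knowledge_base cron next to a sane one.
    schedules = {"host_detection": "0 2 * * *", "knowledge_base": "*/1 * * * *"}
    print("too frequent:", audit_schedules(schedules))
    for hit in find_concurrency_errors(SAMPLE_LOG):
        print("%(input)s hit the concurrency limit (retry %(retry)d, sleep %(sleep)ds)" % hit)
```

Feed `find_concurrency_errors` the raw text of a search such as `index=_internal sourcetype=qualys* "concurrency limit"` and the cron strings from your inputs to see which input is responsible before changing its schedule.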

anandhalagarasa
Path Finder

Thanks, I have modified the same and saved it, but still I couldn't see any data. Also @harsmarvania57 commented that there won't be any logs for Knowledge_base and only the CSV will be getting updated, but you have confirmed we can see logs getting indexed for knowledge_base, so I am a little bit confused.

So kindly help to clarify on the same as well.


lakshman239
SplunkTrust

Normally, after you update inputs.conf and restart the HF/SH, based on your cron, sometimes it can take up to 24 hours to get the data. The knowledge base modular input updates qualys_kb.csv, which is used to enrich the data coming from your host detection inputs; useful when you search index=qualys.

You can see the API calls in index=_internal sourcetype=qualys ("detection" OR "knowledge") when API calls are made [based on your cron].


harsmarvania57
SplunkTrust

Just for information, the Qualys knowledge_base does not ingest any data/logs into indexes, but it will generate a CSV file at the path $SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform/lookups/qualys_kb.csv. As this lookup file ships with the Qualys add-on, you need to check its modtime to confirm whether it is updating or not.


anandhalagarasa
Path Finder

@harsmarvania57, thanks for your information. I can see that the file is getting updated in the mentioned location on a regular basis.

So we will be receiving only qualys:hostDetection, am I right, and no other sourcetypes will be reporting to Splunk?


harsmarvania57
SplunkTrust

That's correct for vulnerability detection, and when you run a search against the qualys index on the Search Head (where I am assuming you are running knowledge_base), there is an automatic lookup in the Qualys add-on which maps the qualys:hostDetection QID to the QID in the lookup file and populates fields (like SEVERITY, VULN_TYPE) in Interesting Fields on the left-hand side.

As a side note, please upvote or accept the answers/comments which helped you to achieve resolution of your issue, so that it will boost community members' participation and the person who really helped you will get karma points for the acceptance or upvote of his/her comment/answer.
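To make the enrichment described above concrete, here is an added example (not code from the thread or from the Qualys add-on) that does outside Splunk what the add-on's automatic lookup does inside it: join detection events to the knowledge base CSV on QID and copy SEVERITY and VULN_TYPE onto each event. The lookup rows, the QIDs and the event field names (HOST_ID, STATUS) are constructed for the example; only QID, SEVERITY and VULN_TYPE are column names the thread itself mentions. It also shows the failure mode worth watching for: a QID that is missing from the lookup, which is what a stale qualys_kb.csv looks like from the search side.

```python
"""Join host detection events to the knowledge base lookup on QID.

Added example, not part of the thread or of the Qualys add-on.  The CSV
columns beyond QID/SEVERITY/VULN_TYPE, the QID values and the event field
names are constructed assumptions about the data layout.
"""
import csv
import io
from typing import Dict, List

# Constructed knowledge base lookup; the real qualys_kb.csv has many more columns.
SAMPLE_KB_CSV = """\
QID,SEVERITY,VULN_TYPE,TITLE
100001,3,Vulnerability,Example finding A
100002,2,Potential Vulnerability,Example finding B
100003,5,Vulnerability,Example finding C
"""

# Constructed host detection events (only the fields the join needs).
SAMPLE_EVENTS = [
    {"HOST_ID": "1001", "QID": "100001", "STATUS": "Active"},
    {"HOST_ID": "1001", "QID": "100003", "STATUS": "New"},
    {"HOST_ID": "1002", "QID": "999999", "STATUS": "Active"},  # not in the lookup
]


def load_kb(csv_text: str) -> Dict[str, Dict[str, str]]:
    """Index the knowledge base rows by QID."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["QID"]: row for row in reader}


def enrich(events: List[dict], kb: Dict[str, Dict[str, str]],
           fields=("SEVERITY", "VULN_TYPE")) -> List[dict]:
    """Copy the requested lookup fields onto each event whose QID is known.

    Events whose QID is absent from the lookup are returned without the
    extra fields and marked kb_match=False, so a stale qualys_kb.csv shows
    up as a visible gap rather than silently empty fields.
    """
    out = []
    for ev in events:
        row = kb.get(ev["QID"])
        enriched = dict(ev)
        if row is None:
            enriched["kb_match"] = False
        else:
            enriched["kb_match"] = True
            for f in fields:
                enriched[f] = row[f]
        out.append(enriched)
    return out


def unmatched_qids(enriched_events: List[dict]) -> List[str]:
    """QIDs seen in detections but missing from the lookup (sorted, unique)."""
    return sorted({ev["QID"] for ev in enriched_events if not ev["kb_match"]})


if __name__ == "__main__":
    kb = load_kb(SAMPLE_KB_CSV)
    result = enrich(SAMPLE_EVENTS, kb)
    for ev in result:
        print(ev)
    print("QIDs missing from lookup:", unmatched_qids(result))
```

If `unmatched_qids` comes back non-empty on real data, the lookup is older than the detections that reference those QIDs, which is the same symptom the modtime check on qualys_kb.csv is meant to catch.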

anandhalagarasa
Path Finder

Hi Lakshman,

Now I am getting logs from sourcetype host:Detection but not for the knowledge base.

So kindly let me know how to fix it asap.



lakshman239
SplunkTrust

You need to have a stanza for knowledge_base in your inputs.conf, either in SH or in HF [use Data Inputs -> Qualys -> add knowledge base]. This will then connect to the Qualys platform based on your cron schedule and pull the data. Sometimes it will take a while to get the data, and always search for 'All time' in the correct index - main or qualys as per your config.


anandhalagarasa
Path Finder

@lakshman239 I have created the same in HF for knowledge_base and provided the cron schedule as 1m, left the date as default, pointed it to the main index and saved it.

So when I navigated to inputs.conf I couldn't find the knowledge_base in inputs.conf and could only find host_detection alone?

Not sure where the lag is; because of this we are not getting any logs for knowledge_base.

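The thread ends with the two checks that actually settle this: does inputs.conf contain a stanza for the knowledge_base input at all (the reply above says it must, and the asker sees only host_detection), and is the lookup file harsmarvania57 points at, qualys_kb.csv, being refreshed on schedule. The script below is an added example, not code from the thread or from the Qualys TA. It parses an inputs.conf text for modular-input stanzas and checks a lookup file's modification time against an age limit. The stanza naming `qualys://<input>` and the keys `duration`, `start_date` and `index` are assumptions about the TA's configuration layout, not taken from the page; the sample inputs.conf is constructed to match what the asker describes.

```python
"""Confirm a Qualys TA input landed in inputs.conf and the lookup is refreshing.

Added example, not part of the thread or of the Qualys TA.  Stanza and key
names are assumed; the sample inputs.conf is constructed.
"""
import configparser
import os
import tempfile
import time
from typing import Dict, List, Optional

# Constructed inputs.conf as the asker describes it: host_detection present,
# knowledge_base missing.  The 'qualys://' stanza form and keys are assumed.
SAMPLE_INPUTS_CONF = """\
[qualys://host_detection]
duration = 0 2 * * *
start_date = 2018-01-01T00:00:00Z
index = qualys
disabled = 0
"""

EXPECTED_INPUTS = ["host_detection", "knowledge_base"]


def parse_qualys_inputs(conf_text: str) -> Dict[str, Dict[str, str]]:
    """Return {input_name: {key: value}} for every qualys:// stanza."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    parser.optionxform = str  # keep Splunk key case as written
    parser.read_string(conf_text)
    inputs = {}
    for section in parser.sections():
        if section.startswith("qualys://"):
            inputs[section[len("qualys://"):]] = dict(parser[section])
    return inputs


def missing_inputs(conf_text: str, expected: List[str] = EXPECTED_INPUTS) -> List[str]:
    """Names from `expected` that have no stanza, or whose stanza is disabled."""
    present = parse_qualys_inputs(conf_text)
    missing = []
    for name in expected:
        stanza = present.get(name)
        if stanza is None or stanza.get("disabled", "0") not in ("0", "false"):
            missing.append(name)
    return missing


def lookup_is_fresh(path: str, max_age_seconds: float, now: Optional[float] = None) -> bool:
    """True if the lookup file exists and was modified within max_age_seconds."""
    if not os.path.exists(path):
        return False
    now = time.time() if now is None else now
    return (now - os.path.getmtime(path)) <= max_age_seconds


def demo_lookup_check() -> tuple:
    """Constructed scenario: a lookup dated three days ago, checked against a
    two-day window (stale) and a four-day window (fresh)."""
    with tempfile.NamedTemporaryFile(suffix="_qualys_kb.csv", delete=False) as tmp:
        path = tmp.name
    try:
        three_days_ago = time.time() - 3 * 86400
        os.utime(path, (three_days_ago, three_days_ago))
        return (lookup_is_fresh(path, 2 * 86400), lookup_is_fresh(path, 4 * 86400))
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("inputs missing or disabled:", missing_inputs(SAMPLE_INPUTS_CONF))
    # On a real HF/SH, point this at the path quoted in the thread, e.g.
    # $SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform/lookups/qualys_kb.csv,
    # with max_age set a little above the knowledge_base cron interval.
    print("demo (stale, fresh):", demo_lookup_check())
```

Run `missing_inputs` against the inputs.conf under the TA's `local` directory on the host where the input was created; a name in the result means the UI save did not produce a stanza there, which is exactly the situation the asker reports.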