Hi lakshman239,

Thanks for your response.

This is what i have done till now. So kindly let me know if there is any lags.

Recently we have downloaded and installed the (App: Qualys VM App for Splunk Enterprise) & (Add-On: Qualys Technology Add-on for Splunk) in my Search Head server. And also as recommended I have installed only the (Add-On: Qualys Technology Add-on for Splunk) in my Heavy Forwarder server.

https://splunkbase.splunk.com/app/3141/

https://splunkbase.splunk.com/app/2964/

Post which I am not getting any logs for Qualys app for TA.

The configuration has been done as mentioned below:

Heavy Forwarder Configurations:
1.)Post installation of Qualys Technology Add-on for Splunk we have navigated to the settings and provided the URI information, username and password credentials and saved the same. Kindly note we didnt filled any other informations and just saved it.

2.) Similarly we have navigated to Data Inputs-->TA-Qualys Technology Add-On--> And added new.
i.e. host_detection

I have provided the cron interval as 24h and start date as 2018-01-01T00:00:00Z and the host name as heavyforwarder server name and index as qualys.

By default i can see the index as main (Actually qualys index was not listing in the drop down) so i have updated the same at the backend in inputs.conf and I have moved to enabled state and restarted the Heavy forwarder.

Search Head Configrations:
1.)Post installation of Qualys Technology Add-on for Splunk we have navigated to the settings and provided the URI information, username and password credentials and saved the same. Kindly note we didnt filled any other informations and just saved it.

2.)Similarly we have navigated to Data Inputs-->TA-Qualys Technology Add-On--> And added new.
i.e. knowledge_base

I have provided the cron interval as 24h and start date as 2018-01-01T00:00:00Z and the host name as heavyforwarder server name and i didnt changed as per search head server name and choosen the index as qualys and enabled the knowledge_base data inputs.

3.) Also I have installed the App (App: Qualys VM App for Splunk Enterprise) in our Search head server as mentioned above.

Now my query is that i can able to see the dahboards in the app seems to be getting updated but when i search the query with index=qualys i couldnt able to fetch any data. So kindly help on the same.

Have you created qualys index on your Indexer ?

yes already we have the indexer.

can you test the following?
index=_internal host= yourHFhostname -- this will ensure splunk is connected and sending logs.

index=qualys OR index=main sourcetype=qualys* --- will show any errors/process details.

index=main -- search for all time and check if you see any logs to confirm the correct configured index.

index=qualys -- search for all time and check if you see any logs.

I can able to see qualys:hostDetection reporting in Splunk and I have configured the knowledge_base inputs in Heavy Forwarder but i cant able to see any logs related to knowledge base in Splunk. I have checked in the inputs.conf and i can able to see only host_detection inputs over there. Whereas i couldn't able to find knowledge base related inputs. so can you let me know how to get those logs into splunk.

@lakshman239 I just want to know will i be getting events in Search and Reporting App if i enable knowledge_base in data inputs in Search head or Heavy Forwarder.

yes, you should be able to view and search them in the search app, if the Qualys TA is installed with 'global' permissions.

@lakshman239 ,

Currently I have enabled the knowledge_base in Search Head server and the duration which i have selected is mentioned below:

Cron Interval : */1 * * * *
Start Date: 1999-01-01T00:00:00Z

when i checked the internal indexes I am getting the error as below for knowledge_base"

TA-QualysCloudPlatform: Date PID=47445 [MainThread] ERROR: TA-QualysCloudPlatform (knowledge_base) - API concurrency limit reached. Must sleep for 300 seconds and try again. Retry count: 1

And i think because of this issue i am not getting logs for knowledge_base so kindly help on the same.

change your cron to run once or two times in a day, using similar syntex which you have defined for the working host detection input. Also, change start to 2019-01-01. If you call the API very frequently you will hit the limit and it will fail, like the way you see in your case.

Thanks I have modified the same and saved it but still i couldn't see any data. Also @harsmarvania57 commented there wont be any logs for Knowledge_base and the csv only will be getting updated but you have confirmed we can see logs getting indexed for knowledge_base so i am little bit confused.

So kindly help to clarify on the same as well.

Normally, after you update inputs.conf and restart the HF/SH, based on your cron, some times it can take upto 24 hours to get the data. Knowledge base modular input updates the qualys_kb.csv, which is used to enrich the data coming from your host detection inputs. useful when you search index=qualys.

you can see the API calls in index=_internal sourcetype=qualys ("detection" OR "knowledge") when api calls are made [ based on your cron]

Just for information, Qualys knowledge_base does not ingest any data/logs in indexes but it will generate CSV file in path $SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform/lookups/qualys_kb.csv, as this lookup file ships with Qualys add-on you need to check modtime to confirm whether it is updating or not.

@harsmarvania57 , Thanks for your information. I can see that the file is getting updated in the mentioned location in regular basis.

So we will be receiving only qualys:hostDetection am i right and no other sourcetypes will be reporting to Splunk.

That's correct for vulnerability detection and when you run search against qualys index on Search Head (where I am assuming you are running knowledge_base) so there is automatic lookup in Qualys add-on which map qualys:hostDetection QID with QID in lookup file and populate fields (Like SEVERITY, VULN_TYPE) in Interesting Fields on left hand side.

As a side note, please upvote or accept answers/comment which helped you to achieve resolution of your issue so that it will boost community member's participation and person who really helped you will get karma points for acceptance or upvote of his/her comment/answer

Hi Lakshman,

Now i am getting logs from sourcetype host:Detection but not for knowledge base.

So kindly let me know how to fix it asap.

I can able to see qualys:hostDetection reporting in Splunk and I have configured the knowledge_base inputs in Heavy Forwarder but i cant able to see any logs related to knowledge base in Splunk. I have checked in the inputs.conf and i can able to see only host_detection inputs over there. Whereas i couldn't able to find knowledge base related inputs. so can you let me know how to get those logs into splunk.

You need to have stanza for knowledge_base in your inputs.conf either in SH or in HF [ Use data inputs-> qualys-> add knowledge base]. This will then connect to the Qualys platform based on your cron schedule and pull the data. Sometime, it will take a while to get the data and always search for 'All time' in the correct index - main or qualys as per your config.

@lakshman239 I have created the same in HF for knowledge_base and provided the cron schedule as 1m and date i left as default and pointed to main index and saved it.

So when i navigated to inputs.conf i couldnt able to find the knowledge_base in inputs.conf and only i can able to find host_detection alone?

Not sure where the lag is hence because of this we are not getting any logs for knowledge_base.