Hello,
I have a Search cluster (3 nodes) and an Indexer Cluster (3 nodes) + UFs. I have a Deployment Server on a search node and a deployer for the shcluster on an indexer node.
Please explain to me the deployment of the Qualys apps (TA and VM) for my installations - I do not see enough information in the docs.
On UFs, you need only TA. On SHs, you need to have VM app.
There's a technical problem with SHC when it comes to the knowledgebase. The TA has the knowledgebase as a lookup CSV. This does not get forwarded by default. Remember, there's a data input for the KB as well, so that you can keep updating your KB copy periodically.
And you need it basically on SHs to provide extra information on some of the reports. So, to solve the problem I would recommend you set up some remote syncing (rsync etc.) to keep on syncing the /lookups/qualys_kb.csv file on SHs. Ultimately, your KB data input will periodically update the CSV file on UFs, and rsync will keep the KB copy on SHs up to date.
Hello,
Thanks for the reply, but I still do not understand. I installed the TA on the UF but it does not work - I get the following errors:
2/28/17 5:04:51.823 PM 02-28-2017 17:04:51.823 +0300 ERROR ModularInputs - Unable to initialize modular input "qualys" defined inside the app "TA-QualysCloudPlatform": Introspecting scheme=qualys: script running failed (exited with code 1).
host = server source = /opt/splunkforwarder/var/log/splunk/splunkd.log sourcetype = splunkd
2/28/17 5:04:51.822 PM 02-28-2017 17:04:51.822 +0300 ERROR ModularInputs - Introspecting scheme=qualys: script running failed (exited with code 1).
host = server source = /opt/splunkforwarder/var/log/splunk/splunkd.log sourcetype = splunkd
2/28/17 5:04:51.707 PM 02-28-2017 17:04:51.707 +0300 INFO SpecFiles - Found external scheme definition for stanza "qualys://" with 2 parameters: duration, start_date
host = server source = /opt/splunkforwarder/var/log/splunk/splunkd.log sourcetype = splunkd
Can you please confirm the TA version?
Also, have you added any data inputs after you set it up?
@Prabas - is the latest version of the TA 1.1.0 supported on SHC? It throws similar errors.
Hello,
TA version is 1.1.0.
I enabled host_detection and knowledge_base on the SHcluster nodes.
Well, from the error message it seems that Splunk isn't able to run the TA.
On your UF, can you please run the following command: /opt/splunk/bin/splunk cmd python ./bin/run.py -d -s 2017-01-01T00:00:00Z
This will run the TA code, WITHOUT ingesting any data into Splunk. See what Python error/exception you get there. That's probably the reason why Splunk is unable to initialize the scheme.
For more details on this command, you may run this: /opt/splunk/bin/splunk cmd python ./bin/run.py -h
Let's nail it down now.
bash-4.2$ /opt/splunkforwarder/bin/splunk cmd python ./bin/run.py -h
couldn't run "/opt/splunkforwarder/bin/python": No such file or directory
Please replace /opt/splunk with your SPLUNK_HOME value. I forgot to mention that in my comment.
Also, please change your directory to SPLUNK_HOME/TA-QualysCloudPlatform OR change the run.py path accordingly. This script is in the TA-QualysCloudPlatform/bin path.
I do not have /opt/splunk, only /opt/splunkforwarder/, because I have only the UF on this server.
What I meant is, in the commands given by me, replace /opt/splunk with the value of your SPLUNK_HOME env variable.
Hello, results:
bash-4.2$ /opt/splunkforwarder/bin/splunk cmd python /opt/splunkforwarder/etc/apps/TA-QualysCloudPlatform/bin/run.py -g -s https://qualysapi.qualys.eu -u user1 -p password -x proxy:8080
TA-QualysCloudPlatform: 2017-03-15T13:59:57Z PID=25951 [MainThread] INFO: TA-QualysCloudPlatform - Making request: https://qualysapi.qualys.eu/msp/about.php with params={}
_internal
TA-QualysCloudPlatform: 2017-03-15T13:59:57Z PID=25951 [MainThread] ERROR: TA-QualysCloudPlatform - Error during request to /msp/about.php, [None] [Errno 111] Connection refused
_internal
Traceback (most recent call last):
File "/opt/splunkforwarder/etc/apps/TA-QualysCloudPlatform/bin/run.py", line 138, in
qapi.client.validate()
File "/opt/splunkforwarder/etc/apps/TA-QualysCloudPlatform/bin/qualysModule/lib/api/Client.py", line 200, in validate
response = self.get("/msp/about.php", {}, SimpleAPIResponse())
File "/opt/splunkforwarder/etc/apps/TA-QualysCloudPlatform/bin/qualysModule/lib/api/Client.py", line 259, in get
raise APIRequestError("Error during request to %s, [%s] %s" % (end_point, ue.errno, ue.reason))
qualysModule.lib.api.Client.APIRequestError: Error during request to /msp/about.php, [None] [Errno 111] Connection refused