
TA and VM apps for SHcluster and Indexer Cluster

akashirin
Explorer

Hello,
I have a search head cluster (3 nodes) and an indexer cluster (3 nodes) plus UFs. I have a deployment server on a search node and a deployer for the SHC on an indexer node.
Please explain to me how to deploy the Qualys apps (TA and VM) for my installation; I do not see enough information in the docs.

prabhasgupte
Communicator

On UFs, you need only the TA. On SHs, you need to have the VM app.

There's a technical problem with SHC when it comes to the knowledgebase. The TA has the knowledgebase as a lookup CSV. This does not get forwarded by default. Remember, there's a data input for the KB as well, so that you can keep updating your KB copy periodically.
And you basically need it on the SHs to provide extra information on some of the reports. So, to solve the problem I would recommend you set up some remote syncing (rsync etc.) to keep syncing the /lookups/qualys_kb.csv file to the SHs. Ultimately, your KB data input will periodically update the CSV file on the UFs, and rsync will keep the KB copy on the SHs up to date.

0 Karma
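The rsync approach above has one failure mode worth handling: the KB data input rewrites qualys_kb.csv periodically, and a copy taken mid-write leaves a truncated lookup on the search heads. The script below is an added example, not code from this thread or from the Qualys TA: it validates the CSV (header columns present, every row has the header's field count), fingerprints it, and only then builds and runs an rsync command per SH member, skipping members that already hold the same content. The lookup path, the column names QID/TITLE/SEVERITY, and the host names sh1..sh3 are placeholders assumed for the example.

```python
"""Added example (not from the thread or the Qualys TA): validate the TA's
knowledgebase lookup CSV before pushing it to search head cluster members
with rsync, so a file the KB data input is still writing never lands on an SH.

Assumptions: the lookup lives under
<SPLUNK_HOME>/etc/apps/TA-QualysCloudPlatform/lookups/qualys_kb.csv on the UF,
the column names below are illustrative, and the SH members accept SSH from
the host running this script.
"""
import csv
import hashlib
import io
import subprocess
from typing import Callable, Dict, List, Tuple

# Illustrative column set; check the header of the real qualys_kb.csv.
REQUIRED_COLUMNS = ("QID", "TITLE", "SEVERITY")

# Constructed sample standing in for the lookup file's contents.
SAMPLE_KB_CSV = (
    "QID,TITLE,SEVERITY\n"
    "1001,Example finding one,3\n"
    "1002,Example finding two,5\n"
)


def validate_kb_csv(text: str) -> Tuple[bool, str, int]:
    """Return (ok, reason, data_rows).

    A missing required column means the wrong file; a row with the wrong
    field count usually means the data input was mid-write when we read it.
    Either way the copy must not be pushed to the SHs.
    """
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if not header:
        return False, "empty file", 0
    missing = [c for c in REQUIRED_COLUMNS if c not in header]
    if missing:
        return False, "missing columns: " + ", ".join(missing), 0
    rows = 0
    for row in reader:
        if len(row) != len(header):
            return False, f"row {rows + 1} has {len(row)} fields, expected {len(header)}", rows
        rows += 1
    if rows == 0:
        return False, "no data rows", 0
    return True, "ok", rows


def fingerprint(text: str) -> str:
    """SHA-256 of the file content, used to skip hosts that already have it."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_rsync_cmd(src: str, host: str, dest: str) -> List[str]:
    """rsync writes to a temporary file and renames it into place, so a
    search on the SH never reads a half-copied lookup; --checksum makes an
    unchanged file a no-op."""
    return ["rsync", "-az", "--checksum", src, f"{host}:{dest}"]


def sync_to_search_heads(
    text: str,
    src: str,
    hosts: List[str],
    dest: str,
    last_seen: Dict[str, str],
    run: Callable[[List[str]], int] = lambda cmd: subprocess.run(cmd, check=False).returncode,
) -> Dict[str, object]:
    """Validate the lookup, then rsync it to every SH whose recorded
    fingerprint differs. `last_seen` maps host -> fingerprint and is updated
    in place; `run` is injectable so the plan can be exercised without SSH."""
    ok, reason, rows = validate_kb_csv(text)
    if not ok:
        return {"synced": [], "failed": [], "skipped": reason, "rows": rows}
    fp = fingerprint(text)
    synced, failed = [], []
    for host in hosts:
        if last_seen.get(host) == fp:
            continue  # this member already holds identical content
        if run(build_rsync_cmd(src, host, dest)) == 0:
            last_seen[host] = fp
            synced.append(host)
        else:
            failed.append(host)
    return {"synced": synced, "failed": failed, "skipped": None, "rows": rows}


if __name__ == "__main__":
    # Placeholder paths and hosts; adjust to your SPLUNK_HOME and SHC members.
    src = "/opt/splunkforwarder/etc/apps/TA-QualysCloudPlatform/lookups/qualys_kb.csv"
    dest = "/opt/splunk/etc/apps/TA-QualysCloudPlatform/lookups/qualys_kb.csv"
    with open(src, encoding="utf-8") as fh:
        content = fh.read()
    print(sync_to_search_heads(content, src, ["sh1", "sh2", "sh3"], dest, {}))
```

Run it from cron on the UF after the KB input's schedule; persisting `last_seen` (for example as JSON next to the script) keeps the checksum skip working across runs.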

akashirin
Explorer

Hello,
Thanks for the reply, but I still do not understand. I installed the TA on a UF but it does not work; I get the following errors:
2/28/17 5:04:51.823 PM 02-28-2017 17:04:51.823 +0300 ERROR ModularInputs - Unable to initialize modular input "qualys" defined inside the app "TA-QualysCloudPlatform": Introspecting scheme=qualys: script running failed (exited with code 1).
host = server source = /opt/splunkforwarder/var/log/splunk/splunkd.log sourcetype = splunkd
2/28/17 5:04:51.822 PM 02-28-2017 17:04:51.822 +0300 ERROR ModularInputs - Introspecting scheme=qualys: script running failed (exited with code 1).
host = server source = /opt/splunkforwarder/var/log/splunk/splunkd.log sourcetype = splunkd
2/28/17 5:04:51.707 PM 02-28-2017 17:04:51.707 +0300 INFO SpecFiles - Found external scheme definition for stanza "qualys://" with 2 parameters: duration, start_date
host = server source = /opt/splunkforwarder/var/log/splunk/splunkd.log sourcetype = splunkd

0 Karma

prabhasgupte
Communicator

Can you please confirm the TA version?
Also, have you added any data inputs after you set it up?

0 Karma

lakshman239
SplunkTrust

@Prabas - is the latest version of the TA, 1.1.0, supported on SHC? It throws similar errors.

0 Karma

akashirin
Explorer

Hello,
TA version is 1.1.0.
I enabled host_detection and knowledge_base on the SHC nodes.

0 Karma

prabhasgupte
Communicator

Well, from the error message it seems that Splunk isn't able to run the TA.

On your UF, can you please run the following command: /opt/splunk/bin/splunk cmd python ./bin/run.py -d -s 2017-01-01T00:00:00Z

This will run the TA code, WITHOUT ingesting any data into Splunk. See what Python error/exception you get there. That's probably the reason why Splunk is unable to initialize the scheme.

For more details on this command, you may run this: /opt/splunk/bin/splunk cmd python ./bin/run.py -h

Let's nail it down now.

0 Karma

akashirin
Explorer

bash-4.2$ /opt/splunkforwarder/bin/splunk cmd python ./bin/run.py -h
couldn't run "/opt/splunkforwarder/bin/python": No such file or directory

0 Karma

prabhasgupte
Communicator

Please replace /opt/splunk with your SPLUNK_HOME value. I forgot to mention that in my comment.

Also, please change your directory to SPLUNK_HOME/TA-QualysCloudPlatform OR change the run.py path accordingly. This script is in the TA-QualysCloudPlatform/bin path.

0 Karma

akashirin
Explorer

I do not have /opt/splunk, only /opt/splunkforwarder/, because I have only a UF on this server.

0 Karma

prabhasgupte
Communicator

What I meant is, in the commands I gave, replace /opt/splunk with the value of your SPLUNK_HOME env variable.

0 Karma

akashirin
Explorer

Hello, here are the results:
bash-4.2$ /opt/splunkforwarder/bin/splunk cmd python /opt/splunkforwarder/etc/apps/TA-QualysCloudPlatform/bin/run.py -g -s https://qualysapi.qualys.eu -u user1 -p password -x proxy:8080
TA-QualysCloudPlatform: 2017-03-15T13:59:57Z PID=25951 [MainThread] INFO: TA-QualysCloudPlatform - Making request: https://qualysapi.qualys.eu/msp/about.php with params={}
TA-QualysCloudPlatform: 2017-03-15T13:59:57Z PID=25951 [MainThread] ERROR: TA-QualysCloudPlatform - Error during request to /msp/about.php, [None] [Errno 111] Connection refused
Traceback (most recent call last):
  File "/opt/splunkforwarder/etc/apps/TA-QualysCloudPlatform/bin/run.py", line 138, in
    qapi.client.validate()
  File "/opt/splunkforwarder/etc/apps/TA-QualysCloudPlatform/bin/qualysModule/lib/api/Client.py", line 200, in validate
    response = self.get("/msp/about.php", {}, SimpleAPIResponse())
  File "/opt/splunkforwarder/etc/apps/TA-QualysCloudPlatform/bin/qualysModule/lib/api/Client.py", line 259, in get
    raise APIRequestError("Error during request to %s, [%s] %s" % (end_point, ue.errno, ue.reason))
qualysModule.lib.api.Client.APIRequestError: Error during request to /msp/about.php, [None] [Errno 111] Connection refused

0 Karma
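The splunkd.log error earlier in the thread only says that the TA's scheme introspection exited 1; running bin/run.py by hand, as suggested, surfaced the real cause, a TCP "Connection refused" while the client was pointed at a proxy. The script below is an added example, not code from this thread or from the Qualys TA: it extracts the fields from both log formats (constructed copies of the lines quoted above), probes the proxy endpoint with a plain TCP connect the way the TA's HTTP client would, and maps errno 111 to the next check a defender should make (with a proxy set, it is the proxy address that refused, not the Qualys API). The proxy value proxy:8080 is the placeholder from the thread's -x argument.

```python
"""Added example (not from the thread or the Qualys TA): triage the two
failures quoted in this thread, splunkd's ModularInputs introspection error
and the TA's '[Errno 111] Connection refused' when run by hand through a proxy.

Assumes the log layouts quoted in the thread; the sample lines are constructed
copies of them and the proxy name is a placeholder.
"""
import re
import socket
from typing import Dict, List, Optional, Tuple

# Constructed copies of the splunkd.log and TA log lines from the thread.
SAMPLE_SPLUNKD_LINES = [
    '02-28-2017 17:04:51.823 +0300 ERROR ModularInputs - Unable to initialize '
    'modular input "qualys" defined inside the app "TA-QualysCloudPlatform": '
    'Introspecting scheme=qualys: script running failed (exited with code 1).',
    '02-28-2017 17:04:51.707 +0300 INFO SpecFiles - Found external scheme '
    'definition for stanza "qualys://" with 2 parameters: duration, start_date',
]
SAMPLE_TA_LINES = [
    'TA-QualysCloudPlatform: 2017-03-15T13:59:57Z PID=25951 [MainThread] INFO: '
    'TA-QualysCloudPlatform - Making request: https://qualysapi.qualys.eu/msp/about.php with params={}',
    'TA-QualysCloudPlatform: 2017-03-15T13:59:57Z PID=25951 [MainThread] ERROR: '
    'TA-QualysCloudPlatform - Error during request to /msp/about.php, [None] [Errno 111] Connection refused',
]

MODINPUT_RE = re.compile(
    r'ERROR ModularInputs - Unable to initialize modular input "(?P<input>[^"]+)" '
    r'defined inside the app "(?P<app>[^"]+)".*\(exited with code (?P<code>\d+)\)'
)
# status is the HTTP status the TA printed ("None" when no response came back),
# errno is only present for socket-level failures such as 111.
TA_ERROR_RE = re.compile(
    r'ERROR: TA-QualysCloudPlatform - Error during request to (?P<endpoint>\S+), '
    r'\[(?P<status>[^\]]*)\](?: \[Errno (?P<errno>\d+)\])? (?P<reason>.+)$'
)


def parse_modinput_failures(lines: List[str]) -> List[Dict[str, str]]:
    """Modular inputs splunkd could not introspect (scheme script exited non-zero)."""
    return [m.groupdict() for m in map(MODINPUT_RE.search, lines) if m]


def parse_ta_request_errors(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Request errors logged by the TA itself when run by hand or by splunkd."""
    return [m.groupdict() for m in map(TA_ERROR_RE.search, lines) if m]


def parse_proxy(spec: str) -> Tuple[str, int]:
    """'host:port' as given to run.py -x -> (host, port); no scheme handling."""
    host, _, port = spec.rpartition(":")
    if not host or not port.isdigit():
        raise ValueError("proxy must be host:port")
    return host, int(port)


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> Tuple[bool, Optional[str]]:
    """Open and close one TCP connection, as the TA's HTTP client would.
    Returns (reachable, error text); a refused connect comes back as errno 111."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, None
    except OSError as exc:
        return False, str(exc)


def triage(err: Dict[str, Optional[str]], proxy: Optional[str]) -> str:
    """Turn one parsed TA error into the next check to run."""
    if err.get("errno") == "111":
        if proxy:
            return (f"TCP connection to proxy {proxy} refused: the UF reached that "
                    f"address but nothing is listening on the port; verify the proxy "
                    f"host:port and that the proxy accepts connections from the forwarder")
        return ("TCP connection refused with no proxy configured: egress to the API "
                "host is being rejected; check firewall rules or configure the proxy")
    if err.get("status") not in (None, "None", ""):
        return f"HTTP {err['status']} from {err['endpoint']}: check credentials and the API server URL"
    return f"request to {err['endpoint']} failed: {err['reason']}"


if __name__ == "__main__":
    for f in parse_modinput_failures(SAMPLE_SPLUNKD_LINES):
        print(f"splunkd: input {f['input']} in {f['app']} exited {f['code']}; run bin/run.py by hand")
    proxy = "proxy:8080"  # placeholder, the value passed with -x in the thread
    host, port = parse_proxy(proxy)
    print("proxy reachable:", probe_tcp(host, port))
    for e in parse_ta_request_errors(SAMPLE_TA_LINES):
        print(triage(e, proxy))
```

Feed the real files in with `open(...).read().splitlines()` in place of the sample lists; the probe runs from the UF, which is the host whose egress actually matters.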