Splunk Enterprise Security

How to limit the Qualys Technology Add-on (TA) for Splunk frequent logins to Qualys Cloud?

james190190
Explorer

Hi,

I have successfullly configured the Qualys TA and everything seems to be working just fine. I have enabled the Knowledge Base and Host Detection inputs and it's indexing and searchable. The inputs are set up to run once a day and as such that is what happens. There is always a but 🙂

BUT... I can see that the TA is polling the Qualys Cloud every minute even when it is not actually going to trigger an API call to retrieve the data. This is what I can see in my ta_QualysCloudPlatform.log:

TA-QualysCloudPlatform: 2018-03-28T11:17:28Z PID=1260 [MainThread] INFO: TA-QualysCloudPlatform - Start qualys TA
TA-QualysCloudPlatform: 2018-03-28T11:17:28Z PID=1260 [MainThread] INFO: TA-QualysCloudPlatform - TA-QualysCloudPlatform using username ******.
TA-QualysCloudPlatform: 2018-03-28T11:17:28Z PID=1260 [MainThread] INFO: TA-QualysCloudPlatform - Making request: https://qualysapi.qualys.eu/msp/about.php with params={}
TA-QualysCloudPlatform: 2018-03-28T11:17:29Z PID=1260 [MainThread] INFO: TA-QualysCloudPlatform - Found QWEB_VERSION=8.12
TA-QualysCloudPlatform: 2018-03-28T11:17:29Z PID=1260 [MainThread] INFO: TA-QualysCloudPlatform - Running for qualys://host_detection
TA-QualysCloudPlatform: 2018-03-28T11:17:29Z PID=1260 [MainThread] INFO: TA-QualysCloudPlatform - host_detection cron/duration: 01 05 * * *
TA-QualysCloudPlatform: 2018-03-28T11:17:29Z PID=1260 [MainThread] INFO: TA-QualysCloudPlatform - Current time (2018-03-28 11:17:00) does not match cron format (01 05 * * *) defined for host_detection. Will not run. Next run is on 2018-03-29 05:01:00

So as you can see the TA connects to Qualys and makes the request "https://qualysapi.qualys.eu/msp/about.php with params={}" but subsequently confirms that it's not actually time to run.

It's not a major thing but it is being flagged by our VM team as they are seeing the activity filling the logs on the Qualys side. I have raised it with Qualys to see if this is normal behaviour and more importantly if this counts toward our API call limit. I am pretty confident that this is absolutely fine but would be interested to hear if anyone has found a way to limit these logins to appease the local VM team.

Labels (2)
0 Karma
1 Solution

james190190
Explorer

In full - in order to get the TA to pull the host_detection once a day and the knowledge_base once a week the following changes were made:

edit the default/input.conf and change the interval to 8640 (24 hours):

[qualys]
index = main
disabled = true
interval = 8640

The TA inputs Cron Entry / Interval was updated:

host_detection: * * * * * 
knowledge_base: * * * * 4

This will mean the host_detction runs every time qualys.py runs (once a day now) and knowledge_base every time qualys.py runs on a Thursday (so once a week)

We may see multiple runs if the Splunk instance is restarted but we can live with that for now.

View solution in original post

0 Karma

christian_088
Explorer

The interval is specified in the qualys stanza of the inputs.conf file. Create a local directory in the root of the app and create an inputs.conf file in the new directory. Then recreate the [qualys] stanza.

The inputs.conf file's interval value can be a cron expression. This way you can specify specific times of the day and allow a period of time in which you can reboot without affecting your inputs. To run your inputs daily at 4:30 am every day you can use:

[qualys]
index = main
disabled = true
interval = 30 4 * * *

Alternatively, you may specify an interval in seconds in which you can specify a decimal. For example, 'interval = 8640' would run every day (assuming no restarts).

0 Karma

james190190
Explorer

In full - in order to get the TA to pull the host_detection once a day and the knowledge_base once a week the following changes were made:

edit the default/input.conf and change the interval to 8640 (24 hours):

[qualys]
index = main
disabled = true
interval = 8640

The TA inputs Cron Entry / Interval was updated:

host_detection: * * * * * 
knowledge_base: * * * * 4

This will mean the host_detction runs every time qualys.py runs (once a day now) and knowledge_base every time qualys.py runs on a Thursday (so once a week)

We may see multiple runs if the Splunk instance is restarted but we can live with that for now.

0 Karma

christian_088
Explorer

Making changes to default conf files should be avoided. Unless you are the original author of the app. When you update the app to the next version, your changes will be undone and fixes will be broken.

Instead, create a local directory in the root of the app and create a inputs.conf file in the new directory. Then recreate the [qualys] stanza.

Additionally, the inputs.conf file's interval value can be a cron expression. This way you can specify specific times of the day and allow a period of time in which you can reboot without affecting your inputs. To run your inputs daily at 4:30 am every day you can use.

[qualys]
index = main
disabled = true
interval = 30 4 * * *
0 Karma

pbankar
Path Finder

@james190190
The next release version of Qualys TA will cover this case. Meanwhile, you can use this nifty edit in the ./default/input.conf
Provide the desired value to run the qualys.py after that much interval. The default is 60 sec.

[qualys]
index = main
disabled = true
interval = 60 # you can change it to desired seconds

james190190
Explorer

Got it. Thanks for this.

As an additonal change I have set the inputs to run every minute as I think it might be hit and miss if I set them any wider due to the way qualys.py decides when it actually needs to run. It seems to work ok and I have set the interval to 8640 so it only runs once a day.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...