Can you confirm the version of the TA, please?
To shed more light on your questions, refer to the following:
Does that forwarding/parsing process run at scheduled intervals?
For each input enabled, Splunk calls the modular input every minute. With each call, it passes XML containing information regarding that input. You need to configure supported inputs before you can use them. Go to Settings > Data Inputs > TA-QualysCloudPlatform and click the New button. Enter the requested inputs, and click Next. Again go to Settings > Data Inputs > TA-QualysCloudPlatform, and enable the required input(s).
Does it remove the collected files once they've been forwarded?
If you are talking about the files in the /tmp folder, note that when the data is being fetched, the API responses are stored in XML files that are later deleted when the TA is done with processing. The XML files are meant for the temporary parsing workflow.
What process is actually reading and forwarding the collected data?
Once the TA is configured and data inputs are enabled, the TA will start fetching the data from the Qualys API server. When the TA runs for any data input (host detection/knowledge base/WAS), it creates a PID file per input and writes the current process's PID in it. XML files in the tmp directory contain the API response, which is parsed by threads of the TA, and then the data is indexed to Splunk under the index you selected. Note that if you have set your Splunk instance as a forwarder to X IP, the data shall be forwarded to the indexer without being saved on the forwarder (light forwarder). If it's a heavy forwarder, the data is saved and also forwarded.
Is there a way to configure a higher level of logging for this application?
The TA writes logs for error conditions at every milestone of the TA. A lot of improvements to logging and error handling seem to have gone into the newer release of the TA, and that shall serve the user with detailed information on what is possibly wrong with TA processing, if anything.
Hope this write-up offers you some assistance. Thanks.
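The per-input PID file and the parse-then-delete handling of temporary XML files described in the answer above, as an added Python sketch. It is not the TA's own code; the function names, file names and the sample response are assumptions made for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample standing in for an API response (not real Qualys output).
SAMPLE_RESPONSE = (b"<HOSTS><HOST><IP>192.0.2.10</IP><QID>1001</QID></HOST>"
                   b"<HOST><IP>192.0.2.11</IP><QID>1002</QID></HOST></HOSTS>")


def pid_alive(pid):
    """True if a process with this PID exists (POSIX signal-0 probe)."""
    try:
        os.kill(pid, 0)
    except (ProcessLookupError, OverflowError):
        return False
    except PermissionError:
        return True  # the process exists but belongs to another user
    return True


def acquire_pid_file(path):
    """Claim the per-input PID file; False means a live run already holds it."""
    if os.path.exists(path):
        with open(path) as fh:
            text = fh.read().strip()
        if text.isdecimal() and int(text) > 0 and pid_alive(int(text)):
            return False
        os.remove(path)  # stale or unreadable: the recorded process is gone
    try:  # O_EXCL closes the race between two runs started together
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return False
    with os.fdopen(fd, "w") as fh:
        fh.write(str(os.getpid()))
    return True


def parse_and_discard(response, tmp_dir):
    """Spool a response to a 0600 temp file, parse it, and always delete it."""
    fd, tmp_path = tempfile.mkstemp(suffix=".xml", dir=tmp_dir)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(response)
        root = ET.parse(tmp_path).getroot()
        events = [{c.tag: c.text for c in host} for host in root.iter("HOST")]
    finally:
        os.remove(tmp_path)  # runs on parse errors too, so nothing lingers
    return events, tmp_path
```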