Hi,
Following are the working steps to parse the host tags. Please note that tags will be added to host summary events (lines starting with HOSTSUMMARY:).
Steps:
1) On setup page, set Host detection extra parameter field: 'show_tags=1'
2) Take a backup of this file: /etc/apps/TA-QualysCloudPlatform/bin/qualysModule/splunkpopulator/detectionpopulator.py
3) Open and Edit code file: /etc/apps/TA-QualysCloudPlatform/bin/qualysModule/splunkpopulator/detectionpopulator.py
Tags are shown like this in API response:
<TAGS>
  <TAG>
    <TAG_ID>
      <![CDATA[12345]]>
    </TAG_ID>
    <NAME>
      <![CDATA[Test]]>
    </NAME>
  </TAG>
  <TAG>
    <TAG_ID>
      <![CDATA[12346]]>
    </TAG_ID>
    <NAME>
      <![CDATA[Test-2]]>
    </NAME>
  </TAG>
</TAGS>
So, you will have to add TAGS to host_fields_to_log.
3.1 - Telling code to parse tags
Search for the method "_process_root_element" in the class "HostDetectionPopulator".
Put the following line as the first line of this method:
HostDetectionPopulator.host_fields_to_log = ["ID", "IP", "TRACKING_METHOD", "DNS", "NETBIOS", "OS", "LAST_SCAN_DATETIME", "TAGS"]
Edit it as per your need.
3.2 - outputting tags inline with current style
In the same file, look for the 'if' condition shown below.
class HostDetectionPopulator(BasePopulator):
    ...
    def _process_root_element(self, elem):
        ...
        if name in HostDetectionPopulator.host_fields_to_log:
            val = sub_ele.text
            if name in fields_to_encode:
                val = val.encode('utf-8')
            host_summary.append("%s=\"%s\"" % (name, val))
Now, because of #3.1 above, your code enters this if block. Check if name == 'TAGS'. If yes, you will have to parse the sub-XML (you will have to read TAG.NAME for each child of the TAGS element).
Since there could be multiple tags associated with a host, it is better to put them in a list and then join them while outputting.
Referring to the same if block (indicated above), replace the following line:
val = sub_ele.text
with code block below:
if name == "TAGS":
    # TAGS holds one <TAG> per tag; collect the text of each TAG/NAME
    host_tags = []
    tag_elements = sub_ele.findall('./TAG/NAME')
    for tag_element in list(tag_elements):
        # an empty <NAME> gives text == None; use "" so join() does not fail
        host_tags.append(tag_element.text or "")
    # for
    val = ",".join(host_tags)
    # tags parsing ends here
else:
    val = sub_ele.text
4) Save the file and restart your Splunk.
Now, your _process_root_element method should look similar to this:
class HostDetectionPopulator(BasePopulator):
    ...
    def _process_root_element(self, elem):
        HostDetectionPopulator.host_fields_to_log = ["ID", "IP", "TRACKING_METHOD", "DNS", "NETBIOS", "OS", "LAST_SCAN_DATETIME", "TAGS"]
        ...
        if name in HostDetectionPopulator.host_fields_to_log:
            if name == "TAGS":
                # TAGS holds one <TAG> per tag; collect the text of each TAG/NAME
                host_tags = []
                tag_elements = sub_ele.findall('./TAG/NAME')
                for tag_element in list(tag_elements):
                    # an empty <NAME> gives text == None; use "" so join() does not fail
                    host_tags.append(tag_element.text or "")
                # for
                val = ",".join(host_tags)
                # tags parsing ends here
            else:
                val = sub_ele.text
            if name in fields_to_encode:
                val = val.encode('utf-8')
            host_summary.append("%s=\"%s\"" % (name, val))
Check if you are now getting host tags in host summary events (Splunk events starting with HOSTSUMMARY:)
If anything goes wrong, restore the backup and restart your Splunk.
Let me know if that helps you.
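As an added, stand-alone example (not code from the TA-QualysCloudPlatform app or from the poster above), the following Python script applies the same TAGS/TAG/NAME parsing to a constructed host detection fragment and builds one HOSTSUMMARY line per host, so the logic can be checked offline before editing the TA. The sample XML, its HOST_LIST_VM_DETECTION_OUTPUT/RESPONSE/HOST_LIST/HOST layout, the "HOSTSUMMARY: " prefix, the ", " field separator and the quote escaping in quote_value are assumptions made for illustration; the field list is the one from step 3.1.

```python
# Added example, not code from TA-QualysCloudPlatform: parse TAGS/TAG/NAME from a
# host detection response and build one HOSTSUMMARY line per host.
import xml.etree.ElementTree as ET

# Field list from step 3.1, with TAGS appended.
HOST_FIELDS_TO_LOG = ["ID", "IP", "TRACKING_METHOD", "DNS", "NETBIOS", "OS",
                      "LAST_SCAN_DATETIME", "TAGS"]

# Constructed sample (assumed element layout, not a captured API response).
# Host 1001 has two named tags plus one with an empty NAME; host 1002 has no TAGS element.
SAMPLE_XML = """<HOST_LIST_VM_DETECTION_OUTPUT>
  <RESPONSE>
    <HOST_LIST>
      <HOST>
        <ID>1001</ID>
        <IP>10.0.0.5</IP>
        <TRACKING_METHOD>IP</TRACKING_METHOD>
        <DNS><![CDATA[web01.example.test]]></DNS>
        <OS><![CDATA[Ubuntu Linux 20.04]]></OS>
        <LAST_SCAN_DATETIME>2021-03-01T10:15:00Z</LAST_SCAN_DATETIME>
        <TAGS>
          <TAG><TAG_ID><![CDATA[12345]]></TAG_ID><NAME><![CDATA[Test]]></NAME></TAG>
          <TAG><TAG_ID><![CDATA[12346]]></TAG_ID><NAME><![CDATA[Test-2]]></NAME></TAG>
          <TAG><TAG_ID><![CDATA[12347]]></TAG_ID><NAME></NAME></TAG>
        </TAGS>
        <DETECTION_LIST><DETECTION><QID>12345</QID></DETECTION></DETECTION_LIST>
      </HOST>
      <HOST>
        <ID>1002</ID>
        <IP>10.0.0.6</IP>
        <TRACKING_METHOD>IP</TRACKING_METHOD>
        <LAST_SCAN_DATETIME>2021-03-01T10:20:00Z</LAST_SCAN_DATETIME>
      </HOST>
    </HOST_LIST>
  </RESPONSE>
</HOST_LIST_VM_DETECTION_OUTPUT>
"""


def parse_tags(tags_elem):
    """Return the tag names under a <TAGS> element (one <TAG>/<NAME> each).

    An empty <NAME> has .text == None; it is skipped instead of breaking join().
    """
    names = []
    for name_elem in tags_elem.findall("./TAG/NAME"):
        text = (name_elem.text or "").strip()
        if text:
            names.append(text)
    return names


def quote_value(val):
    """Escape backslashes and double quotes so key="value" stays unambiguous."""
    return val.replace("\\", "\\\\").replace('"', '\\"')


def host_summary_line(host_elem, fields=HOST_FIELDS_TO_LOG):
    """Build a HOSTSUMMARY line from a <HOST> element, in document order.

    Mirrors the TA's loop: only children named in `fields` are logged, and
    TAGS is flattened to a comma-separated list of tag names.
    """
    parts = []
    for sub_ele in host_elem:
        name = sub_ele.tag
        if name not in fields:
            continue  # e.g. DETECTION_LIST is not part of the summary
        if name == "TAGS":
            val = ",".join(parse_tags(sub_ele))
        else:
            val = sub_ele.text or ""
        parts.append('%s="%s"' % (name, quote_value(val)))
    # The "HOSTSUMMARY: " prefix and ", " separator are assumed for illustration.
    return "HOSTSUMMARY: " + ", ".join(parts)


def host_summaries(xml_text):
    """Parse a detection response and return one summary line per <HOST>."""
    root = ET.fromstring(xml_text)
    return [host_summary_line(h)
            for h in root.iterfind("./RESPONSE/HOST_LIST/HOST")]


if __name__ == "__main__":
    for line in host_summaries(SAMPLE_XML):
        print(line)
```

Two practical caveats this script makes visible: a tag name that itself contains a comma becomes ambiguous once the names are comma-joined, so pick a separator that does not occur in your tag names if that is a concern, and the TA's original host_summary.append line does not escape double quotes inside a value, which is why the example escapes them before building key="value".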