Hello,
I'm using the Qualys App in order to import vulnerability data into Splunk for reporting.
For about 2 months, I have seen a discrepancy between the data in the Splunk DB and Qualys. Some assets in Splunk are missing.
I have checked, and:
-> it isn't a problem with the rights of the Qualys API account
-> I don't see any error messages in Splunk
-> I don't hit the Qualys API limit.
I guess it's a problem with the "delta" download, but I'm not sure.
Is there a way to force the Qualys App in Splunk to download all the data (not only the new data)?
Thanks a lot for your help
Best regards,
Cyrille
Can you confirm the following? I assume you are using the /api/2.0/fo/asset/host/vm/detection/ API.
Version of Qualys App
Is the data input enabled on your Splunk instance?
Are you pulling vulnerability data for the first time or doing a delta pull? If you already have data from an earlier API pull, the checkpoint file will have the date of when the last run happened.
Now, to answer your question "Is there a way to force the Qualys App in Splunk to download all the data (not only the new data)?":
The checkpoint file is located at /opt/splunk/var/lib/splunk/modinputs/qualys/filename. If you are OK with pulling the entire data set again, delete the file specific to your input.
Restart your Splunk instance so that the app re-polls the data.
Tips to check data pull
The older app had a script which was used to debug the data pulling operations. If your SPLUNK_HOME is /opt/splunk, then from SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform run the following command: /opt/splunk/bin/splunk cmd python ./bin/run.py -h
Check if there are any API errors at /opt/splunk/var/log/splunk/ta_QualysCloudPlatform.log
Hope this helps solve your question. If not, please provide more information on the questions above. Thanks.
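The reset procedure from the answer above (check the TA log for API errors, remove the per-input checkpoint so the next poll is a full pull, restart Splunk), written up as a small POSIX shell script. This is an added example, not code from the thread or from the Qualys app. It assumes SPLUNK_HOME is /opt/splunk and uses the checkpoint directory and log path quoted in the answer; the checkpoint filename (the input's name) and the file's content format are assumptions, since the thread only says it stores the date of the last run. Instead of deleting the checkpoint outright it moves it to a timestamped .bak copy, so the previous watermark can be restored if the full re-pull turns out to be unwanted.

```shell
#!/bin/sh
# Added example (not from the thread): reset the Qualys TA checkpoint for one
# data input so the next poll re-fetches everything, keeping a backup first.
# Assumptions: SPLUNK_HOME=/opt/splunk and the checkpoint/log paths quoted in
# the answer; the checkpoint file is assumed to be named after the input.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
CHECKPOINT_DIR="${CHECKPOINT_DIR:-$SPLUNK_HOME/var/lib/splunk/modinputs/qualys}"
TA_LOG="${TA_LOG:-$SPLUNK_HOME/var/log/splunk/ta_QualysCloudPlatform.log}"

# Count log lines that look like API errors (error/exception text or a 4xx/5xx
# HTTP status). Prints the count; prints 0 if the log is absent or unreadable.
count_api_errors() {
    log="${1:-$TA_LOG}"
    [ -r "$log" ] || { echo 0; return 0; }
    # grep -c exits 1 when nothing matches, so keep the printed 0 and move on
    grep -ciE 'error|exception|http [45][0-9][0-9]' "$log" || true
}

# Move the checkpoint file for one input aside as a timestamped .bak copy, so
# the next poll starts from scratch but the old watermark can be restored.
# Usage: reset_checkpoint <input_name> [checkpoint_dir]
reset_checkpoint() {
    name="$1"
    dir="${2:-$CHECKPOINT_DIR}"
    f="$dir/$name"
    if [ ! -f "$f" ]; then
        echo "no checkpoint for input '$name' in $dir (nothing to reset)"
        return 1
    fi
    stamp=$(date +%Y%m%d%H%M%S)
    echo "last checkpoint for '$name': $(cat "$f")"
    mv "$f" "$f.$stamp.bak" && echo "moved to $f.$stamp.bak"
}

# Restarting Splunk is disruptive, so it is only done from the main flow below
# and only after the checkpoint was actually moved.
restart_splunk() {
    "$SPLUNK_HOME/bin/splunk" restart
}

# Main flow: runs only when an input name is passed on the command line, so the
# functions can also be sourced for testing without side effects.
if [ "$#" -gt 0 ]; then
    input_name="$1"
    echo "error-looking lines in $TA_LOG: $(count_api_errors)"
    reset_checkpoint "$input_name" && restart_splunk
fi
```

Run it as `sh reset_qualys_checkpoint.sh <input_name>` on the Splunk host (as the user that owns the Splunk files), then confirm the next pull in the TA log starts without a checkpoint date. Check the error count it prints first: if the log is already full of API errors, a full re-pull will just repeat them.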