Installation

Where to install Qualys TA in my deployment?

LM_ACN
Engager

Good morning everyone,

For my customer, I have a Splunk deployment as follows:

1 Search head

3 Indexers in a cluster

1 Monitoring Console/License Master/Master node

I need to integrate our Qualys solution with Splunk, but I'm reading that the Technology Add-on should be installed on a forwarder. However, we do not have a Heavy Forwarder.

Hence, could I install it on an Indexer? Is data replication still available for index qualys?

Thanks in advance,

Luca

0 Karma
1 Solution

VatsalJagani
Champion

A few points:

* Never install a data collection module on an Indexer for data collection.

* The recommendation is that you do the data collection on a Heavy Forwarder in the case of TA Qualys.

* But if you don't want to install a separate instance, the next place would be to install it on the Search Head.

* If you install on the SH, you need to make sure that you are forwarding the Search Head logs to the indexers - https://docs.splunk.com/Documentation/Splunk/8.2.4/DistSearch/Forwardsearchheaddata

Second point:

* The Add-on does not have an index anymore, so you have to create a new index "qualys", as you mentioned, from the Cluster Master as you do with other indexes.

0 Karma


LM_ACN
Engager

Thanks for the solution, Vatsal.

So I need to create two indexes, one on the SH and the same on the IDXs via the Master node, is that right?

0 Karma

VatsalJagani
Champion

You need it on both:

* Only the indexer will store the data.

* On the search head it is not compulsory, but it is only needed so that when you type index=, you will see qualys as a suggestion in the Splunk search bar.

0 Karma
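The layout described in this thread, written out as configuration (an added example, not part of the original posts and not shipped with the Qualys TA). It assumes the three indexers already listen for forwarded data; the host names, port 9997 and the output group name `qualys_indexers` are placeholders.

```ini
# --- Search head: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# The TA runs on the search head, so everything it collects must be
# forwarded to the indexer cluster instead of being indexed locally.
# Host names, port and group name below are placeholder values.
[indexAndForward]
index = false

[tcpout]
defaultGroup = qualys_indexers
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:qualys_indexers]
server = idx1.example.com:9997, idx2.example.com:9997, idx3.example.com:9997

# --- Master node: $SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf ---
# Distributed to all peers with the configuration bundle.
# repFactor = auto is what makes the qualys index take part in
# cluster replication; without it the buckets are not replicated.
[qualys]
homePath   = $SPLUNK_DB/qualys/db
coldPath   = $SPLUNK_DB/qualys/colddb
thawedPath = $SPLUNK_DB/qualys/thaweddb
repFactor  = auto

# --- Search head (optional): indexes.conf in a local app ---
# Same stanza without repFactor. No data is stored here because
# indexing is disabled above; the definition only lets the search bar
# suggest "qualys" after index=.
# [qualys]
# homePath   = $SPLUNK_DB/qualys/db
# coldPath   = $SPLUNK_DB/qualys/colddb
# thawedPath = $SPLUNK_DB/qualys/thaweddb
```

After editing the file under `master-apps`, push it to the peers from the master node with `splunk apply cluster-bundle`.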