
TA_QualysCloudPlatform: not downloading host detection info -> SOLVED

Question asked by Jerbo on Sep 14, 2016

In the past we used the old beta app (1.22 Beta) to read Qualys data into Splunk. It worked fine and was easy to schedule (because they were scripts and you were able to set cron times).

Because of an update of the underlying server we upgraded to the latest TA-QualysCloudPlatform app (v1.0.5 at this moment), and there the download of the host_detection info stops.

The knowledge base info is retrieved and updated correctly, so the API is working.

Fetching the host detection data gives no data (though there were servers scanned last night).

Initially I turned debug logging on and discovered the log file is written to /tmp, not to the tmp folder of the app nor to the "normal" Splunk log folder.

That found, I still have no clue why the data is not retrieved.

We have had the app running for more than two days now, so I assumed we would have data (we had scans last night), which was not the case.

What am I missing / doing wrong?

Is there a way to trigger the download manually?

(An interesting thing I see in the logfile is that the recommended interval time is reported as invalid. Following the manual, I entered 86400 as the interval time.)

Here is the logfile (/tmp/ta_qualys) after a reboot of the device.

 

QualysSplunkPopulator: 2016-09-14T09:20:21Z PID=1375 [MainThread] INFO: QualysSplunkPopulator - Start
QualysSplunkPopulator: 2016-09-14T09:20:21Z PID=1375 [MainThread] INFO: QualysSplunkPopulator - Start
QualysSplunkPopulator: 2016-09-14T09:20:21Z PID=1375 [MainThread] INFO: QualysSplunkPopulator - Fetching detection data for Hosts which were scanned after 1999-01-01T00:00:00Z
QualysSplunkPopulator: 2016-09-14T09:20:21Z PID=1375 [MainThread] INFO: QualysSplunkPopulator - Fetching all detection data
QualysSplunkPopulator: 2016-09-14T09:20:22Z PID=1434 [MainThread] INFO: QualysSplunkPopulator - Start
QualysSplunkPopulator: 2016-09-14T09:20:22Z PID=1434 [MainThread] INFO: QualysSplunkPopulator - Start logging knowledgebase
QualysSplunkPopulator: 2016-09-14T09:20:22Z PID=1434 [MainThread] INFO: QualysSplunkPopulator - Outputting logs to stdout
QualysSplunkPopulator: 2016-09-14T09:20:24Z PID=1440 [MainThread] INFO: QualysSplunkPopulator - Start
QualysSplunkPopulator: 2016-09-14T09:20:24Z PID=1440 [MainThread] INFO: QualysSplunkPopulator - Start
QualysSplunkPopulator: 2016-09-14T09:20:24Z PID=1375 [MainThread] INFO: QualysSplunkPopulator - detection fetched
QualysSplunkPopulator: 2016-09-14T09:20:24Z PID=1375 [MainThread] INFO: QualysSplunkPopulator - Parsing detection XML
QualysSplunkPopulator: 2016-09-14T09:20:24Z PID=1375 [MainThread] INFO: QualysSplunkPopulator - Parsed 0 detection entry. Logged=0
QualysSplunkPopulator: 2016-09-14T09:20:24Z PID=1375 [MainThread] INFO: QualysSplunkPopulator - Done loading detections for 0 hosts.
QualysSplunkPopulator: 2016-09-14T09:20:24Z PID=1375 [MainThread] INFO: QualysSplunkPopulator - Done
QualysSplunkPopulator: 2016-09-14T09:20:24Z PID=1375 [MainThread] INFO: QualysSplunkPopulator - time interval = 86400
QualysSplunkPopulator: 2016-09-14T09:20:24Z PID=1375 [MainThread] INFO: QualysSplunkPopulator - ERROR: Time interval input 86400 is not valid.Using default time interval 1d.
QualysSplunkPopulator: 2016-09-14T09:20:24Z PID=1375 [MainThread] INFO: QualysSplunkPopulator - time interval 86400 translates to 86400 seconds
QualysSplunkPopulator: 2016-09-14T09:20:24Z PID=1440 [MainThread] INFO: QualysSplunkPopulator - Fetching WAS findings data for Hosts which were scanned after 2016-08-29T09:23:25Z
QualysSplunkPopulator: 2016-09-14T09:20:24Z PID=1440 [MainThread] INFO: QualysSplunkPopulator - Fetching all WAS detection data
QualysSplunkPopulator: 2016-09-14T09:20:28Z PID=1440 [MainThread] INFO: QualysSplunkPopulator - WAS detection fetched
QualysSplunkPopulator: 2016-09-14T09:20:28Z PID=1440 [MainThread] INFO: QualysSplunkPopulator - Parsing WAS detection XML
QualysSplunkPopulator: 2016-09-14T09:20:28Z PID=1440 [MainThread] INFO: QualysSplunkPopulator - API Response Code = SUCCESS
QualysSplunkPopulator: 2016-09-14T09:20:28Z PID=1440 [MainThread] INFO: QualysSplunkPopulator - Done loading detections for 0 hosts.
QualysSplunkPopulator: 2016-09-14T09:20:28Z PID=1440 [MainThread] INFO: QualysSplunkPopulator - Done
QualysSplunkPopulator: 2016-09-14T09:20:28Z PID=1440 [MainThread] INFO: QualysSplunkPopulator - time interval = 86400
QualysSplunkPopulator: 2016-09-14T09:20:28Z PID=1440 [MainThread] INFO: QualysSplunkPopulator - ERROR: Time interval input 86400 is not valid.Using default time interval 1d.
QualysSplunkPopulator: 2016-09-14T09:20:28Z PID=1440 [MainThread] INFO: QualysSplunkPopulator - time interval 86400 translates to 86400 seconds
QualysSplunkPopulator: 2016-09-14T09:22:27Z PID=1434 [MainThread] INFO: QualysSplunkPopulator - knowledgebase fetched
QualysSplunkPopulator: 2016-09-14T09:22:27Z PID=1434 [MainThread] INFO: QualysSplunkPopulator - Parsing knowledgebase XML
QualysSplunkPopulator: 2016-09-14T09:22:30Z PID=1434 [MainThread] INFO: QualysSplunkPopulator - Update lookup file: /opt/splunk/etc/apps/TA-QualysCloudPlatform/lookups/qualys_kb.csv with 29641 QIDs
QualysSplunkPopulator: 2016-09-14T09:22:30Z PID=1434 [MainThread] INFO: QualysSplunkPopulator - Updated lookup file: /opt/splunk/etc/apps/TA-QualysCloudPlatform/lookups/qualys_kb.csv with 29641 QIDs
QualysSplunkPopulator: 2016-09-14T09:22:30Z PID=1434 [MainThread] INFO: QualysSplunkPopulator - Parsed 29641 knowledgebase entry. Logged=0
QualysSplunkPopulator: 2016-09-14T09:22:30Z PID=1434 [MainThread] INFO: QualysSplunkPopulator - Done logging knowledgebase
QualysSplunkPopulator: 2016-09-14T09:22:30Z PID=1434 [MainThread] INFO: QualysSplunkPopulator - time interval = 86400
QualysSplunkPopulator: 2016-09-14T09:22:30Z PID=1434 [MainThread] INFO: QualysSplunkPopulator - ERROR: Time interval input 86400 is not valid.Using default time interval 1d.
QualysSplunkPopulator: 2016-09-14T09:22:30Z PID=1434 [MainThread] INFO: QualysSplunkPopulator - time interval 86400 translates to 86400 seconds

SOLVED: because we restricted the API user from Manager to User, there were no asset groups assigned to this user, therefore no info was provided. Set asset groups to ALL -> voilà, all info.
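The triage the thread ends with can be done by hand against the Qualys v2 API, which also answers the "trigger the download manually" question. The script below is an added example, not code from the original post or from the TA-QualysCloudPlatform app: it builds the same host-detection request the TA's log describes (hosts scanned after a given time), parses the HOST_LIST_VM_DETECTION_OUTPUT and ASSET_GROUP_LIST_OUTPUT responses, and classifies the result the way the asker's symptoms line up: KnowledgeBase pull succeeds (credentials and network are fine) but zero hosts come back, which for a User-role account with no asset groups assigned is the expected empty answer, not an API error. The base URL is assumed to be US Platform 1 (other platforms use a different host), the XML samples are constructed to match the shape of the API responses and are not real customer data, and the assumption that the asset group list shows only the groups the calling account is scoped to is stated in a comment.

```python
"""Manual sanity checks for a Qualys API user feeding TA-QualysCloudPlatform.

Added example, not the TA's own code. Standard library only.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Assumption: US Platform 1. Use the API host of your own Qualys platform.
BASE_URL = "https://qualysapi.qualys.com"
DETECTION_ENDPOINT = "/api/2.0/fo/asset/host/vm/detection/"
ASSET_GROUP_ENDPOINT = "/api/2.0/fo/asset/group/"


def detection_request(vm_scan_since):
    """URL and query string for a manual host-detection pull.

    Mirrors the TA's "Fetching detection data for Hosts which were scanned
    after <timestamp>" step. Run it by hand with curl (Qualys requires the
    X-Requested-With header on v2 API calls):
      curl -u 'apiuser:password' -H 'X-Requested-With: curl' "<url>?<query>"
    """
    query = urlencode({"action": "list", "vm_scan_since": vm_scan_since})
    return BASE_URL + DETECTION_ENDPOINT, query


def asset_group_request():
    """URL and query string listing the asset groups visible to the account."""
    return BASE_URL + ASSET_GROUP_ENDPOINT, urlencode({"action": "list"})


def summarize_detections(xml_text):
    """Count hosts and detections in a HOST_LIST_VM_DETECTION_OUTPUT document."""
    root = ET.fromstring(xml_text)
    hosts = root.findall("./RESPONSE/HOST_LIST/HOST")
    detections = sum(len(h.findall("./DETECTION_LIST/DETECTION")) for h in hosts)
    # A WARNING element means the list was truncated and a next page exists.
    truncated = root.find("./RESPONSE/WARNING") is not None
    return {"hosts": len(hosts), "detections": detections, "truncated": truncated}


def assigned_asset_groups(xml_text):
    """Titles from an ASSET_GROUP_LIST_OUTPUT document.

    Assumption: for a non-Manager account this list contains only the asset
    groups assigned to that account, so an empty list means an empty scope.
    """
    root = ET.fromstring(xml_text)
    return [ag.findtext("TITLE")
            for ag in root.findall("./RESPONSE/ASSET_GROUP_LIST/ASSET_GROUP")]


def diagnose(kb_qids, detections, asset_groups):
    """Classify the symptom in the order a first triage would check it."""
    if kb_qids == 0:
        return "api_failure"        # KB pull failing: credentials, URL or network
    if detections["hosts"] == 0 and not asset_groups:
        return "no_asset_groups"    # this thread: reduced-role account scoped to nothing
    if detections["hosts"] == 0:
        return "no_scans_in_window"  # scope is fine; widen vm_scan_since or check scans
    return "ok"


# Constructed sample responses (shape only, not real customer data).
EMPTY_DETECTION_XML = """<HOST_LIST_VM_DETECTION_OUTPUT>
  <RESPONSE><DATETIME>2016-09-14T09:20:24Z</DATETIME></RESPONSE>
</HOST_LIST_VM_DETECTION_OUTPUT>"""

POPULATED_DETECTION_XML = """<HOST_LIST_VM_DETECTION_OUTPUT>
  <RESPONSE>
    <DATETIME>2016-09-14T09:20:24Z</DATETIME>
    <HOST_LIST>
      <HOST><ID>1001</ID><IP>10.0.0.5</IP>
        <LAST_SCAN_DATETIME>2016-09-13T23:10:00Z</LAST_SCAN_DATETIME>
        <DETECTION_LIST>
          <DETECTION><QID>38170</QID><TYPE>Confirmed</TYPE><SEVERITY>3</SEVERITY><STATUS>Active</STATUS></DETECTION>
          <DETECTION><QID>38173</QID><TYPE>Confirmed</TYPE><SEVERITY>2</SEVERITY><STATUS>New</STATUS></DETECTION>
        </DETECTION_LIST>
      </HOST>
      <HOST><ID>1002</ID><IP>10.0.0.6</IP>
        <LAST_SCAN_DATETIME>2016-09-13T23:12:00Z</LAST_SCAN_DATETIME>
        <DETECTION_LIST>
          <DETECTION><QID>38170</QID><TYPE>Confirmed</TYPE><SEVERITY>3</SEVERITY><STATUS>Active</STATUS></DETECTION>
        </DETECTION_LIST>
      </HOST>
    </HOST_LIST>
  </RESPONSE>
</HOST_LIST_VM_DETECTION_OUTPUT>"""

NO_ASSET_GROUPS_XML = """<ASSET_GROUP_LIST_OUTPUT>
  <RESPONSE><DATETIME>2016-09-14T09:30:00Z</DATETIME></RESPONSE>
</ASSET_GROUP_LIST_OUTPUT>"""

ALL_ASSET_GROUP_XML = """<ASSET_GROUP_LIST_OUTPUT>
  <RESPONSE>
    <DATETIME>2016-09-14T09:30:00Z</DATETIME>
    <ASSET_GROUP_LIST>
      <ASSET_GROUP><ID>1</ID><TITLE><![CDATA[All]]></TITLE></ASSET_GROUP>
    </ASSET_GROUP_LIST>
  </RESPONSE>
</ASSET_GROUP_LIST_OUTPUT>"""

if __name__ == "__main__":
    kb_qids = 29641  # from the asker's log: KB pull worked
    print(detection_request("2016-09-13T00:00:00Z"))
    before = summarize_detections(EMPTY_DETECTION_XML)
    print("before:", before, diagnose(kb_qids, before, assigned_asset_groups(NO_ASSET_GROUPS_XML)))
    after = summarize_detections(POPULATED_DETECTION_XML)
    print("after:", after, diagnose(kb_qids, after, assigned_asset_groups(ALL_ASSET_GROUP_XML)))
```

The point of the `diagnose` order is that a successful KnowledgeBase pull proves nothing about host data: the KB is account-wide, while host detections are filtered by the asset groups the API account is allowed to see, so dropping the account from Manager to User without assigning asset groups yields a clean, empty, HTTP 200 response that the TA logs as "Done loading detections for 0 hosts". Assigning only the asset groups the integration actually needs, rather than ALL, keeps the least-privilege intent of the role change while still returning data.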
