
Errors seen with TA-QualysCloudPlatform v1.1.0

Question asked by Ashfaq Hussain on Nov 16, 2016
Latest reply on Nov 16, 2016 by Ashfaq Hussain

Hi,

We are testing the TA-QualysCloudPlatform v1.1.0 within our Dev Splunk environment v6.4.2.

 

At the moment the Dev environment does not have external internet access to make API calls to Qualys. However, we are seeing a few errors and were wondering if any of them relate to the lack of internet access or to a Splunk or TA configuration issue:

 

Issue [1]

We are seeing the following error within the Splunk web console messages drop down:

    msg="A script exited abnormally" input="/opt/splunk/etc/apps/Splunk_TA_QualysCloudPlatform/bin/qualys.py" stanza="qualys://knowledge_base" status="exited with code 1"

 

I think this may be related to the lack of internet access?

 

Issue [2]

When we restart Splunk, from the Linux command line console we are seeing the following:

 

    Checking conf files for problems...
                Invalid key in stanza [apply_qualys_tag_to_webapp] in /opt/splunk/etc/apps/TA-QualysCloudPlatform/default/alert_actions.conf, line 11: param.tag_ids  (value:  0).
                Invalid key in stanza [apply_qualys_tag_to_webapp] in /opt/splunk/etc/apps/TA-QualysCloudPlatform/default/alert_actions.conf, line 17: param._cam  (value:  {
                "supports_adhoc": true,
                "category": ["Information Gathering"],
                "task": ["create"],
                "subject": ["process.reputation-service"],
                "technology": [ {"vendor": "Qualys"},{"product": "WAS"},{"version": "0.1"}]}).
                Invalid key in stanza [qualys] in /opt/splunk/etc/apps/TA-QualysCloudPlatform/default/inputs.conf, line 5: passAuth  (value:  admin).
                Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'

 

We have disabled this:

    splunk ~/etc/apps/TA-QualysCloudPlatform/local cat alert_actions.conf
    [apply_qualys_tag_to_webapp]
    disabled = 1
    ttl = 0

 

But we are still seeing the errors, which are related to the "custom params" in the allerttypes.conf.

 

Thanks
