When I activate assets I see way too many assets under a connector or tag. My question is why, and how to fix it. Most of the hosts can't be activated because of "host is in terminated state".
At this point, even hosts in the "Terminated" state are picked up by the connector.
To purge these, first find all assets in the "Terminated" state by running this query in AssetView: aws.ec2.instanceState:"TERMINATED"
Next, delete these assets from VM > Assets > Host Assets > Remove IPs.
Alright... thank you very much for that!
aws.ec2.instanceState:"TERMINATED" returned 13000 instances. Some of them are without an IP. What is the most efficient way to delete these 13000 records?
I'll suggest one; there could probably be others as well:
Run aws.ec2.instanceState:"TERMINATED" in AssetView and download the results in CSV (using the settings icon on the right side). Copy these IPs.
Head over to Vulnerability Management > Assets > Host Assets > New > Remove IPs, paste the IPs and Remove.
Please note, by doing this all data about these Assets will be removed.
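An added example, not part of the original posts and not Qualys code: one way to turn the exported CSV into a clean paste list, skipping assets without an IP and holding back any address in a `keep` list (for instance, addresses now in use by live hosts, since removal by IP deletes all data for that address). The column names, the `keep` list and the comma-separated batch format are assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample standing in for an AssetView CSV export; the column
# names ("Name", "IP Address") are assumptions, adjust to the real header.
SAMPLE_EXPORT = """Name,IP Address
i-0aaa,10.0.1.15
i-0bbb,
i-0ccc,10.0.1.15
i-0ddd,10.0.2.7
i-0eee,not-an-ip
i-0fff,10.0.3.9
"""

def ips_to_remove(csv_text, ip_column="IP Address", keep=()):
    """Return (sorted unique valid IPs not in `keep`, count of skipped rows)."""
    keep_set = {ipaddress.ip_address(k) for k in keep}
    found = set()
    skipped = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = (row.get(ip_column) or "").strip()
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            skipped += 1  # blank or malformed: nothing to paste for this asset
            continue
        if ip not in keep_set:
            found.add(ip)
    # Sort by version first so mixed IPv4/IPv6 exports do not raise TypeError.
    ordered = sorted(found, key=lambda ip: (ip.version, int(ip)))
    return [str(ip) for ip in ordered], skipped

def batches(ips, size):
    """Split the list into comma-separated strings of at most `size` IPs."""
    return [", ".join(ips[i:i + size]) for i in range(0, len(ips), size)]

if __name__ == "__main__":
    ips, skipped = ips_to_remove(SAMPLE_EXPORT, keep=["10.0.3.9"])
    print(f"{len(ips)} IPs to remove, {skipped} rows skipped (no usable IP)")
    for chunk in batches(ips, 2):
        print(chunk)
```

Rows counted as skipped have no address to paste, so those assets will still appear in the TERMINATED query after the removal.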
I put 3.000 IPs to remove. Now I see 16.000 IPs as TERMINATED. Before the removal it was 13.000...
Can you explain that further, please?
As your EC2 instances change state (from running to terminated), the Qualys EC2 connector detects these and shows them in AssetView. These numbers may change quickly depending on how quickly your EC2 environment changes.
Can you please advise how I can sort results by date to see which hosts were terminated lately?
The last update date (in other words, terminated date) of the EC2 instance is not captured in the CSV.
However, the AssetView query can be modified to see which instances have been terminated in the last few days/weeks.
Query: aws.ec2.instanceState:"TERMINATED" and updated:[now-2w ... now]
The above query will list assets that were terminated in the last 2 weeks.
Are you sure about
aws.ec2.instanceState:"TERMINATED" and updated:[now-2w ... now]
I see hosts with activity "September".
Hi, just sent you a direct message.
lukcem: Did you get a chance to see my direct message?
The query should only show you assets terminated in the last 2 weeks, because the query looks for assets with state as terminated and updated in 2 weeks - after termination, assets wouldn't be updated.
If it's not clear, we can get on a Webex.
Hi Shyamraj! Thank you for your help. Something is wrong so I opened a ticket with Qualys support 4 weeks ago, but it is still under review.