
TA-Qualys for Splunk Data Input Issue

Question asked by Alexey Shalygin on Jun 22, 2018
Latest reply on Jul 6, 2018 by Alexey Shalygin

Hello,

We recently encountered an issue with the Qualys Technical Add-on (TA) for Splunk. A few days ago we had to reinstall the TA on our Splunk server and reconfigure it, and since then we have had trouble with data inputs. We’ve been able to add and enable the ‘host_detection’, ‘knowledgebase’ and ‘was_findings’ Qualys Metrics, but only ‘knowledgebase’ works correctly. For the 2 other inputs we get an error message in the ta_QualysCloudPlatform.log file:

PID=13444 [MainThread] ERROR: TA-QualysCloudPlatform - This setup is configured as Search Head. You should not run %s on Search Head. I am Exiting.

*actually the PID is different every time

At the same time, for the ‘knowledgebase’ call the log says:

PID=12689 [MainThread] INFO: TA-QualysCloudPlatform - TA-QualysCloudPlatform using username <our username> and its associated password.

PID=12689 [MainThread] INFO: TA-QualysCloudPlatform [knowledge_base] - Making request: https://qualysapi.qualys.eu/msp/about.php with params={}

PID=12689 [MainThread] INFO: TA-QualysCloudPlatform [knowledge_base] - Updated lookup file: /opt/splunk/etc/apps/TA-QualysCloudPlatform/lookups/qualys_kb.csv with 38367 QIDs

PID=12689 [MainThread] INFO: TA-QualysCloudPlatform [knowledge_base] - Parsed 38367 knowledgebase entry. Logged=0

PID=12689 [MainThread] INFO: TA-QualysCloudPlatform [knowledge_base] - Done logging knowledgebase

It makes us believe that the TA was installed perfectly well, the API server is correct and the credentials are functional. So it looks like we forgot or missed something.

Do you have any ideas?

Thanks for the help.

Regards,

Alex.
