
Display QG_HOSTID in Splunk

Question asked by Busby on May 22, 2019

Recently I was trying to upgrade Splunk so I could use the new Qualys TA for Splunk (Qualys Technology Add-on (TA) for Splunk | Splunkbase); this helps you get the Qualys data into Splunk.

However, even testing the newest version did not give me the QG_HOSTID, which we needed to correlate with another tool running on the endpoint. That tool is getting the ID by reading the registry.

Here is what I did to get this into Splunk; so far it works, but some comments from Qualys would probably be good.

 

Locate the file: detectionpopulator.py

Now make a backup, please.

Look for the following lines; in version 1.4.1 they are:

BEFORE

LINE 159

    host_fields_to_log = ["ID", "IP", "TRACKING_METHOD", "DNS", "NETBIOS", "OS", "LAST_SCAN_DATETIME"]


AFTER

LINE 159

    host_fields_to_log = ["ID", "IP", "TRACKING_METHOD", "DNS", "NETBIOS", "OS", "LAST_SCAN_DATETIME", "QG_HOSTID"]


BEFORE

LINE 205

    def _process_root_element(self, elem):
        HostDetectionPopulator.host_fields_to_log = ["ID", "IP", "TRACKING_METHOD", "DNS", "NETBIOS", "OS",
                                                     "LAST_SCAN_DATETIME", "TAGS", "NETWORK_ID", "LAST_VM_SCANNED_DATE",
                                                     "LAST_VM_SCANNED_DURATION"]

AFTER

LINE 205

    def _process_root_element(self, elem):
        HostDetectionPopulator.host_fields_to_log = ["ID", "IP", "TRACKING_METHOD", "DNS", "NETBIOS", "OS",
                                                     "LAST_SCAN_DATETIME", "TAGS", "NETWORK_ID", "LAST_VM_SCANNED_DATE",
                                                     "LAST_VM_SCANNED_DURATION", "QG_HOSTID"]


You will then need to restart the Splunk service, but then you should start to see this field being populated.


Wish you all the best of luck. laura.seletos or jleggett may have better suggestions.


David
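The two edits above are easy to get slightly wrong by hand, and a TA upgrade replaces the app's files, so the change has to be reapplied afterwards. The script below is an added example for this thread, not code from the post or from the Qualys TA: it makes a timestamped backup of detectionpopulator.py, appends "QG_HOSTID" to every host_fields_to_log list that does not already contain it (so re-running it is harmless), and refuses to write the file if the result no longer parses as Python. It assumes the 1.4.1 layout shown above, where each list is assigned with `host_fields_to_log = [...]`, optionally prefixed by `HostDetectionPopulator.`, possibly across several lines; the SAMPLE excerpt inside is constructed to mirror those two assignments, not copied from the real file. The script name and the expected count of two lists are assumptions for TA 1.4.1.

```python
"""Add QG_HOSTID to both host_fields_to_log lists in detectionpopulator.py.

Hypothetical helper written for this thread; it is not part of the Qualys TA.
Assumes the TA 1.4.1 layout: each list is assigned as
`host_fields_to_log = [...]` (optionally prefixed by `HostDetectionPopulator.`)
and may span several lines.
Usage:  python add_qg_hostid.py /path/to/detectionpopulator.py
"""
import ast
import re
import shutil
import sys
from datetime import datetime
from pathlib import Path
from typing import Tuple

FIELD = "QG_HOSTID"

# Match `host_fields_to_log = [` ... `]`; the list body may span lines
# (DOTALL). Lazy `.*?` stops at the first `]`, which is fine because the
# lists hold only string literals, so no nested brackets are expected.
LIST_RE = re.compile(
    r'((?:HostDetectionPopulator\.)?host_fields_to_log\s*=\s*\[)(.*?)(\])',
    re.DOTALL,
)


def add_field_to_lists(text: str, field: str = FIELD) -> Tuple[str, int]:
    """Append `field` to every matched list that lacks it.

    Returns (new_text, number_of_lists_changed). Idempotent: a second run on
    the output changes nothing, so re-applying after a TA upgrade is safe.
    """
    changed = 0
    present = re.compile(r'["\']' + re.escape(field) + r'["\']')

    def rewrite(m):
        nonlocal changed
        head, body, tail = m.group(1), m.group(2), m.group(3)
        if present.search(body):
            return m.group(0)  # already contains the field, leave untouched
        changed += 1
        body = body.rstrip()
        sep = "" if body.endswith(",") else ","  # respect a trailing comma
        return '{}{}{} "{}"{}'.format(head, body, sep, field, tail)

    return LIST_RE.sub(rewrite, text), changed


def patch_file(path: Path, field: str = FIELD) -> int:
    """Back up `path` beside itself, then rewrite it in place.

    Returns the number of lists changed (0 means nothing was written).
    """
    original = path.read_text(encoding="utf-8")
    patched, changed = add_field_to_lists(original, field)
    if changed == 0:
        return 0
    ast.parse(patched)  # refuse to write a file the TA could not import
    stamp = datetime.now().strftime("%Y%m%d%H%M%S")
    shutil.copy2(path, path.with_name(f"{path.name}.{stamp}.bak"))  # keeps mode/mtime
    path.write_text(patched, encoding="utf-8")
    return changed


# Constructed excerpt standing in for the two 1.4.1 assignments; not the real file.
SAMPLE = '''\
class HostDetectionPopulator(object):
    host_fields_to_log = ["ID", "IP", "TRACKING_METHOD", "DNS", "NETBIOS", "OS", "LAST_SCAN_DATETIME"]

    def _process_root_element(self, elem):
        HostDetectionPopulator.host_fields_to_log = ["ID", "IP", "TRACKING_METHOD", "DNS", "NETBIOS", "OS",
                                                     "LAST_SCAN_DATETIME", "TAGS", "NETWORK_ID", "LAST_VM_SCANNED_DATE",
                                                     "LAST_VM_SCANNED_DURATION"]
'''


if __name__ == "__main__":
    if len(sys.argv) == 2:
        n = patch_file(Path(sys.argv[1]))
        note = "" if n in (0, 2) else " (expected 2 lists in TA 1.4.1; inspect the file)"
        print(f"{n} list(s) updated{note}; restart Splunk for the change to take effect")
    else:
        # No path given: show the transform on the constructed sample only.
        print(add_field_to_lists(SAMPLE)[0])
```

Running it with no argument only prints the patched sample, so you can see the rewrite before pointing it at the real file. After the file is patched you still need to restart Splunk, as the post says; and if the count printed is not 2, the file layout differs from 1.4.1 and should be checked by hand against the backup.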
