How to configure the Qualys App for Splunk Enterpr...

rahul_jasrotia · ‎11-23-2015

Had few questions regarding this app, can anyone please help?

In a distributed envt, I have installed this app on the forwarder. The index exists on the indexer and I'm able to see the data in the index on the search head when I search for index=qualys, but the lookup file qualys_kb lies on the forwarder, so I'm unable to see the lookup data on the search head. What to do in this case??
Should we install the app on both Forwarder and Search head in this case?
But i think it'll duplicate the indexed events, correct me if I'm wrong.
And in case ans to above is true, then how do I disable the script for detection on the search head and only enable the kb populator script? Only enabling the kb populator script under Data inputs-> Scripts in search head isn't updating the lookup file on the search head.

Any pointers to the same are welcome.

Thanks
Rahul

nit123 · ‎06-24-2017

TA should be installed on the forwarder and each of the search heads.
While all data inputs ( WAS, VM, KB ) should be enabled in TA on forwarder, only kb input should be enabled on search head.

Data for enabled inputs shall be forwarder to indexer and VM App and WAS app be installed on Search heads for reporting purposes. TA be installed on SH with only kb input enabled. disable vm and was in TA on search head.

This answers your point 1 and 2.

Regarding point 3 , the new version of TA has the intelligence to check where is the TA running on ? on SH or forwarder. Accordingly, the detection script shall run to populate data into Splunk.

Hope this clarifies your questions. If you need more assistance, feel free to reply back.

rahul_jasrotia · ‎12-01-2015

Does anyone has any clue for the same???????

How to configure the Qualys App for Splunk Enterprise for Kb lookup file in a distributed search environment?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes