We have Qualys Technology Add-on (TA) for Splunk installed on a Heavy Forwarder that stopped working shortly after this error came up. This is the log in full:
TA-QualysCloudPlatform: 2017-03-02T07:54:19Z PID=9576 [MainThread] ERROR: TA-QualysCloudPlatform - An error occurred
Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualysModule/qualys_log_populator.py", line 414, in _run
wfc.coordinate()
File "/opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualysModule/splunkpopulator/WASFindingsFetchCoordinator.py", line 97, in coordinate
self.getWebAppIds()
File "/opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualysModule/splunkpopulator/WASFindingsFetchCoordinator.py", line 56, in getWebAppIds
fetcher.run()
File "/opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualysModule/splunkpopulator/webapp.py", line 55, in run
super(webAppIdFetcher, self).run()
File "/opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualysModule/splunkpopulator/basepopulator.py", line 78, in run
return self.__fetch_and_parse()
File "/opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualysModule/splunkpopulator/basepopulator.py", line 105, in __fetch_and_parse
response = self.__fetch(params)
File "/opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualysModule/splunkpopulator/basepopulator.py", line 97, in __fetch
response = self.api_client.get(self.api_end_point, api_params, api.Client.XMLFileBufferedResponse(filename))
File "/opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualysModule/lib/api/Client.py", line 259, in get
raise APIRequestError("Error during request to %s, [%s] %s" % (end_point, ue.errno, ue.reason))
APIRequestError: Error during request to /qps/rest/3.0/search/was/webapp, [None] Not Found
After performing a server refresh, Qualys began ingesting again, but the file location the error mentions is nowhere on the Forwarder.
Also, if it looks for nothing it probably won't find it. What caused Qualys to do this?
Your information is insufficient to arrive at possible reasons of failure. Can you confirm the following
a. The version of Qualys Technology Add-on (TA) ?
b. User account has a valid Qualys subscription and WAS module ?
c. API Access is enabled ?
d. If your SPLUNK_HOME is /opt/splunk, then from SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform run following command - /opt/splunk/bin/splunk cmd python ./bin/run.py -h to check data pull operations for the config you have added.
e. Check if there are any API errors at /opt/splunk/var/log/splunk/ta_QualysCloudPlatform.log