Qualys App - How to force the downloading of all data assets in Splunk?

cbrahamcha
New Member

Hello,

I'm using the Qualys App in order to import vulnerability data into Splunk for reporting.

For about 2 months, I can see a discrepancy between the data in the Splunk DB and Qualys. Some assets in Splunk are missing.

I have checked, and:
-> it isn't a problem of rights of the Qualys API account
-> I don't see any error messages in Splunk
-> I don't hit the Qualys API limit.

I guess it's a problem of "delta" download, but I'm not sure.

Is there a way to force the Qualys App in Splunk to download all the data (not only the new data)?

Thanks a lot for your help

Best regards,

Cyrille


nit123
Path Finder

Can you confirm the following. I assume you are using the /api/2.0/fo/asset/host/vm/detection/ API.

  1. Version of the Qualys App

  2. Is the data input enabled on your Splunk instance?

  3. Are you pulling vulnerability data for the first time or doing a delta pull? If you already have data from an earlier API pull, the checkpoint file should have the date of when the last run happened.

Now, to answer your question 'Is there a way to force the Qualys App in Splunk to download all the data (not only the new data)?'

  1. The checkpoint file is located at /opt/splunk/var/lib/splunk/modinputs/qualys/filename. If you are ok with pulling the entire data again, delete the file specific to your input.

  2. Restart your Splunk instance so that the app re-polls the data.

Tips to check the data pull

  1. The older app had a script which was used to debug the data pulling operations. If your SPLUNK_HOME is /opt/splunk, then from SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform run the following command: /opt/splunk/bin/splunk cmd python ./bin/run.py -h

  2. Check if there are any API errors at /opt/splunk/var/log/splunk/ta_QualysCloudPlatform.log.

Hope this helps solve your question. If not, please provide more information on the questions above. Thanks.
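The two steps from the answer above (reset the per-input checkpoint, then look for API errors in the TA log) as a small POSIX shell helper. This is an added example, not code from the thread, from Qualys or from Splunk. It takes the paths the answer gives (checkpoints under var/lib/splunk/modinputs/qualys/, the log at var/log/splunk/ta_QualysCloudPlatform.log) as assumptions, moves the checkpoint aside with a timestamp rather than deleting it so the last-run date can be restored, and uses a constructed grep pattern and constructed sample log lines; the real log format may differ, so adjust the pattern after inspecting your own log.

```shell
#!/bin/sh
# Added example (not the thread's, Qualys' or Splunk's own tooling).
# Path assumptions follow the answer: checkpoints live under
# $SPLUNK_HOME/var/lib/splunk/modinputs/qualys/<input>, the TA log at
# $SPLUNK_HOME/var/log/splunk/ta_QualysCloudPlatform.log.
# The "API error" grep pattern and all sample contents are constructed.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# reset_checkpoint <checkpoint_dir> <input_name>
# Moves the input's checkpoint aside with a timestamp instead of deleting it,
# so the last-run date can be put back if a full re-pull turns out unwanted.
# Prints the backup path; returns 1 if that input has no checkpoint.
reset_checkpoint() {
  ckpt_dir="$1"; input_name="$2"
  ckpt="$ckpt_dir/$input_name"
  if [ ! -f "$ckpt" ]; then
    echo "no checkpoint for input '$input_name' at $ckpt" >&2
    return 1
  fi
  backup="$ckpt.bak.$(date +%Y%m%d%H%M%S)"
  mv "$ckpt" "$backup" || return 1
  echo "$backup"
}

# count_api_errors <log_file>
# Counts log lines that look like API failures. The pattern is an assumption,
# not the TA's documented format. Prints 0 for a missing log.
count_api_errors() {
  log="$1"
  if [ ! -f "$log" ]; then echo 0; return 0; fi
  n=$(grep -c -i -E 'error|exception|HTTP [45][0-9]{2}' "$log") || true
  echo "${n:-0}"
}

# make_fixture
# Builds a throwaway directory tree with a constructed checkpoint and a
# constructed TA log so the helpers can be exercised offline. Prints the root.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/var/lib/splunk/modinputs/qualys" "$root/var/log/splunk"
  # Constructed checkpoint for one input, holding a last-run date.
  echo "2024-01-15T03:00:00Z" > "$root/var/lib/splunk/modinputs/qualys/host_detection"
  # Constructed log: two normal lines, two that look like API failures.
  cat > "$root/var/log/splunk/ta_QualysCloudPlatform.log" <<'EOF'
2024-01-15 03:00:01 INFO  Starting pull for input host_detection
2024-01-15 03:00:09 INFO  Fetched page 1 (1000 hosts)
2024-01-15 03:01:12 ERROR API request failed: HTTP 409 concurrency limit
2024-01-15 03:01:40 WARN  Exception while parsing response: truncated XML
EOF
  echo "$root"
}

# Stand-alone run: exercise the helpers against the fixture, then clean up.
# Against a live instance you would pass "$SPLUNK_HOME/var/lib/splunk/modinputs/qualys"
# and "$SPLUNK_HOME/var/log/splunk/ta_QualysCloudPlatform.log" instead, with Splunk
# stopped, and restart it afterwards so the input re-polls from scratch.
fixture=$(make_fixture)
echo "API-looking errors in log: $(count_api_errors "$fixture/var/log/splunk/ta_QualysCloudPlatform.log")"
echo "Checkpoint moved to: $(reset_checkpoint "$fixture/var/lib/splunk/modinputs/qualys" host_detection)"
rm -rf "$fixture"
```

Check the error count before resetting the checkpoint: if the log already shows failed API calls, a full re-pull will hit the same failures, and the missing assets are more likely explained by those errors than by the delta logic.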
