Hi,
we are using version 1.4 of Qualys Technology Add-on (TA) for Splunk.
Our $SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform/local/inputs.conf is:
[qualys://host_detection]
duration = 0 * * * *
index = vulnerabilities
start_date = 1999-01-01T00:00:00Z
disabled = 0
However, the gathered information is written to the main index:
[...]
TA-QualysCloudPlatform: 2019-02-18 16:00:31 PID=89627 [MainThread] INFO: TA-QualysCloudPlatform - Running for knowledge_base. Host name to be used: our_host. Index configured: main. Run duration: 0 * * * *. Default start date: 1999-01-01T00:00:00Z.
[...]
The TA is installed on a heavy forwarder. The index vulnerabilities is defined on our index peers, but not on the heavy forwarder.
How can I configure the TA to write to the index vulnerabilities instead of main?
Thanks!
My restart command didn't work, because of the new splunk systemd service file.
After checking and restarting splunk manually everything works fine now.
Change your default start date to a more recent one: start_date = 2019-01-01T00:00:00Z
Restart HF and Indexers.
Some simple checks could help
Change the path for your Splunk bin directory
Thanks for your input!
My restart command didn't work, because of the new splunk systemd service file.
After checking and restarting splunk manually everything works fine now.
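One way to check, after a restart, whether each Qualys input is really running with the index set in inputs.conf: compare the stanzas against the TA's "Running for ..." log lines. This is an added example, not part of the original thread and not code from the TA; the function names are hypothetical, the second log line is constructed, and it assumes the input name in the log matches the part of the stanza name after qualys://.

```python
import configparser
import re

# Stanza as posted in the question.
SAMPLE_CONF = """\
[qualys://host_detection]
duration = 0 * * * *
index = vulnerabilities
start_date = 1999-01-01T00:00:00Z
disabled = 0
"""

# First line is the log line from the question; the second is constructed.
SAMPLE_LOG = """\
TA-QualysCloudPlatform: 2019-02-18 16:00:31 PID=89627 [MainThread] INFO: TA-QualysCloudPlatform - Running for knowledge_base. Host name to be used: our_host. Index configured: main. Run duration: 0 * * * *. Default start date: 1999-01-01T00:00:00Z.
TA-QualysCloudPlatform: 2019-02-18 16:00:35 PID=89630 [MainThread] INFO: TA-QualysCloudPlatform - Running for host_detection. Host name to be used: our_host. Index configured: main. Run duration: 0 * * * *. Default start date: 1999-01-01T00:00:00Z.
"""

LOG_RE = re.compile(
    r"Running for (?P<input>\w+)\..*?Index configured: (?P<index>[\w-]+)\.")

def configured_indexes(conf_text):
    """Map input name -> index for every [qualys://<name>] stanza."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.read_string(conf_text)
    return {s.split("://", 1)[1]: cp.get(s, "index", fallback=None)
            for s in cp.sections() if s.startswith("qualys://")}

def logged_indexes(log_text):
    """Map input name -> index reported by its most recent run."""
    seen = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            seen[m.group("input")] = m.group("index")  # last run wins
    return seen

def mismatches(conf_text, log_text):
    """Return (input, index in conf or None, index in log) where they differ."""
    conf = configured_indexes(conf_text)
    return [(name, conf.get(name), used)
            for name, used in sorted(logged_indexes(log_text).items())
            if conf.get(name) != used]

if __name__ == "__main__":
    for name, wanted, used in mismatches(SAMPLE_CONF, SAMPLE_LOG):
        print(f"{name}: inputs.conf index={wanted!r}, running with {used!r}")
```

A result with None in the middle means the log line belongs to an input that has no stanza of its own in the file that was checked, so its index has to be set separately.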