I was eventually able to make it work, after patching to version 1.1.0 and starting from prabhasgupte's steps:
Step 1: edit qualys.conf in $SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform/local/
append the following line to the file
detection_params = {"show_tags":1}
Step 2: edit detectionpopulator.py in $SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform/bin/qualysModule/splunkpopulator/
(starting from a default file, here are the sections of my working file that I changed - line numbers and unmodified lines shown to make it easier to locate the items that need to be changed and the relative code block indentations)
2.1
100 class HostDetectionPopulator(BasePopulator):
101     PLUGINS = []
102     OBJECT_TYPE = "detection"
103     FILE_PREFIX = "host_detection"
104     ROOT_TAG = 'HOST'
105
106     detection_fields_to_log = ["QID", "TYPE", "PORT", "PROTOCOL", "SSL", "STATUS", "LAST_UPDATE_DATETIME",
107                                "LAST_FOUND_DATETIME", "FIRST_FOUND_DATETIME", "LAST_TEST_DATETIME"]
108     host_fields_to_log = ["ID", "IP", "TRACKING_METHOD", "DNS", "NETBIOS", "OS", "LAST_SCAN_DATETIME", "TAGS"]
109
2.2
155     def _process_root_element(self, elem):
156         HostDetectionPopulator.host_fields_to_log = ["ID", "IP", "TRACKING_METHOD", "DNS", "NETBIOS", "OS", "LAST_SCAN_DATETIME", "TAGS"]
157         if elem.tag == "HOST":
2.3
174                 if name in HostDetectionPopulator.host_fields_to_log:
175                     # TAGS parsing starts here
176                     if name == "TAGS":
177                         host_tags = []
178                         tag_elements = sub_ele.findall('./TAG/NAME')
179                         for tag_element in list(tag_elements):
180                             host_tags.append(tag_element.text)
181
182                         val = ",".join(host_tags)
183                     else:
184                         # TAGS parsing ends here
185                         val = sub_ele.text
186
187                     if name in fields_to_encode:
188                         val = val.encode('utf-8')
189                     host_summary.append("%s=\"%s\"" % (name, val))
Step 3
Restart Splunk
Step 4
Confirm it is working
search for sourcetype="qualys:hostDetection" eventtype=qualys_host_summary_event | stats count by TAGS
If troubleshooting, try searching index=_internal sourcetype=splunkd TA-QualysCloudPlatform source="/opt/splunk/var/log/splunk/splunkd.log" OR, if debug logs are enabled, try looking in $SPLUNK_HOME/var/log/splunk/ta_QualysCloudPlatform.log
I hope that helps clear up the confusion for anyone else with this problem.
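An added stand-alone illustration of the TAGS parsing from step 2.3 (example code written for this thread, not the TA's own code): it takes a constructed HOST element of the shape the API returns with show_tags=1, walks its child elements the way the populator loop does, and emits the key="value" pairs with the TAG names joined by commas. The helper names (join_tag_names, host_summary_fields, summarize) and the sample values are assumptions for the demo; hosts without a TAGS element, and TAG entries with an empty NAME, are handled so the field never ends up as "None".

```python
import xml.etree.ElementTree as ET

# Mirrors the host_fields_to_log list from the patched populator (TAGS added).
HOST_FIELDS_TO_LOG = ["ID", "IP", "TRACKING_METHOD", "DNS", "NETBIOS", "OS",
                      "LAST_SCAN_DATETIME", "TAGS"]

# Constructed sample HOST element (values invented for this example), trimmed
# to the parts that matter for the host summary.
SAMPLE_HOST_XML = """<HOST>
  <ID>12345</ID>
  <IP>10.0.0.5</IP>
  <TRACKING_METHOD>IP</TRACKING_METHOD>
  <DNS>web01.example.internal</DNS>
  <OS>Ubuntu Linux 20.04</OS>
  <LAST_SCAN_DATETIME>2023-01-15T10:00:00Z</LAST_SCAN_DATETIME>
  <TAGS>
    <TAG><TAG_ID>1</TAG_ID><NAME>prod</NAME></TAG>
    <TAG><TAG_ID>2</TAG_ID><NAME>pci-scope</NAME></TAG>
    <TAG><TAG_ID>3</TAG_ID><NAME></NAME></TAG>
  </TAGS>
  <DETECTION_LIST><DETECTION><QID>38170</QID></DETECTION></DETECTION_LIST>
</HOST>"""


def join_tag_names(tags_elem):
    """Same idea as the patch: collect every ./TAG/NAME under TAGS and join
    with commas. Empty NAME elements (text is None) are skipped so the joined
    string never contains the literal 'None'."""
    names = [t.text for t in tags_elem.findall("./TAG/NAME") if t.text]
    return ",".join(names)


def host_summary_fields(host_elem):
    """Build the key="value" list the populator appends to host_summary."""
    summary = []
    for sub_ele in list(host_elem):          # iterate direct children of HOST
        name = sub_ele.tag
        if name not in HOST_FIELDS_TO_LOG:   # DETECTION_LIST etc. are skipped
            continue
        val = join_tag_names(sub_ele) if name == "TAGS" else (sub_ele.text or "")
        summary.append('%s="%s"' % (name, val))
    return summary


def summarize(xml_text):
    """Parse one HOST element and return its summary fields."""
    return host_summary_fields(ET.fromstring(xml_text))


if __name__ == "__main__":
    print(" ".join(summarize(SAMPLE_HOST_XML)))
```

With the sample above the last field comes out as TAGS="prod,pci-scope", which is what the | stats count by TAGS search in step 4 splits on.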