Troubleshooting

Here are some tips for troubleshooting

Looking for Logs?

Qualys logs are populated in Splunk’s index “_internal”.

Use this search to find logs:

index=_internal source="$SPLUNK_HOME/var/log/splunk/ta_QualysCloudPlatform.log"

Troubleshooting the Setup

  • Be sure to enter the proper API Server URL for the configuration.
  • Verify that you can reach the API from the Splunk Search Head where you have installed the Qualys App for Splunk Enterprise (no firewall or other infrastructure).
  • Be sure the Qualys user account you use to connect has API access. Edit the user account in the Qualys UI and select the API access check box in the user settings. If you are not able to see this option, contact Qualys Support or your Technical Account Manager.

Updated TA setup page does not reflect

If you are not able to see the updated TA Setup page, clear the cache and perform a hard reload to view changes.

Check if any API requests are initiated

In the Splunk setup where the failing account is used, run the following search to see if API requests are being made to Qualys APIs:

index=_internal source="$SPLUNK_HOME/var/log/splunk/ta_QualysCloudPlatform.log" ("/api/2.0/fo/asset/host/vm/detection/" OR "/api/2.0/fo/knowledge_base/vuln/" OR "/api/2.0/fo/compliance/posture/info/" OR "/qps/rest/3.0/search/was/finding")

No entries for API call; check if the data feed is enabled

If you do not see any entry for the API call, then check that the data input was added and enabled.

  • Enable it if already not enabled.
  • If you still cannot see any records for the API call, even if it is enabled, check the TA installation directory. If you come across the file named "host_detection.pid" in the installation directory, remove it.

You should be able to find entries for the /api/2.0/fo/knowledge_base/vuln/ API call.

If you can not see data, check the error logs

  1. If all inputs are added and enabled and API calls are initiated but you are still not able to view the data,  check the internal index for errors logged for TA-QualysCloudPlatform.
  2. Run the following search and provide error logs to Qualys Support:

    index=_internal source="$SPLUNK_HOME/var/log/splunk/ta_QualysCloudPlatform.log" ERROR:

Not able to view the data, d elete the checkpoint file and pull the data again for a Qualys module

  • Navigate to $SPLUNK_HOME/var/lib/splunk/modinputs/qualys/.
  • Delete the checkpoint file of the desired module.

    For example, Delete 'host_detection' file for module Host Detection and initiate the pull once again. TA now pulls the data from the date configured in Data Input Settings for the respective Qualys module.

qualys.py is running even after the data input is disabled or Splunk is restarted

This issue is mainly seen on Ubuntu OS, which has the default shell set to 'dash'. To fix this issue, change the default shell from 'dash' to 'bash'.

Follow these steps to change the Ubuntu configuration:

  1.  ~# debconf-show dash

    * dash/sh: true

  2.  ~# debconf-set-selections <<< "dash dash/sh string false"

  3. ~# debconf-show dash

    * dash/sh: false

  4. ~# dpkg-reconfigure -f noninteractive dash

    Removing 'diversion of /bin/sh to /bin/sh.distrib by dash'

    Adding 'diversion of /bin/sh to /bin/sh.distrib by bash'

    Removing 'diversion of /usr/share/man/man1/sh.1.gz to /usr/share/man/man1/sh.distrib.1.gz by dash'

    Adding 'diversion of /usr/share/man/man1/sh.1.gz to /usr/share/man/man1/sh.distrib.1.gz by bash'

  5. ~# debconf-show dash

    * dash/sh: false

How to switch the Python interpreter for Python3?

  1. Go to the path - $SPLUNK_HOME/etc/system/local/server.conf
  2. Add the python.version=python3 under [general].

    python_interpreter

  3. Restart the Splunk.

Blank dashboard for the KnowledgeBase data

Perform these steps to identify and troubleshoot the issue:

  1. Check whether the correct index is used in the SPL added for the scheduled saved search.
  2. In case you disabled indexing after enabling it earlier, then check whether the scheduled saved search is also disabled as it is running for the index in which data is not updated.
  3. Go to the Settings > Lookups > Lookup table files and on the Lookup table files page select All from the App drop-down field.
  4. Check qualys_kb.csv is generated for which app.
  5. On enabling the indexing, the file should be present for search app, and on disabling the indexing, the file should be present for the TA-QualysCloudPlatform application.
  6. If qualys_kb.csv exists for another app, delete it to avoid a blank KnowledgeBase dashboard.

Working logic of VM And PCRS Maximum API retry count in VM Detection Settings and Policy Compliance Reporting Service settings

VM Detection Settings

  • If TA receives the expected 429 Client Error: Too Many Requests while running host_detection data input, the retry count increases, regardless of the maximum retry limit set in the TA setup page under VM Detection settings.
  • If the TA encounters an error other than 429 Client Error: Too Many Requests, the configured maximum retry limit is considered, and the number of retry counts matches the configured value of Host List Detection maximum API retry count on the TA setup page, the Host Ids or Host Id range for that specific API request is skipped, and it proceeds further.

Policy Compliance Reporting Service Settings

  • If TA receives a 429 Client Error: Too Many Requests while running pcrs_posture_info data input, the retry count increases, regardless of the maximum retry limit configured in the TA setup page under PCRS settings.
  • If TA encounters an error other than 429 Client Error: Too Many Requests, the configured maximum retry limit is considered, and the number of retry counts matches the configured value of PCRS maximum API retry count on the TA setup page, the batch size for that specific API request is skipped, and it proceeds further.

How to know if Data input is enabled or disabled

To check if the data input is enabled or disabled, use the tail command or SPL as follows.
This feature has been added in the latest version:

  • Tail command: tail -f /opt/splunk/var/log/splunk/ta_QualysCloudPlatform.log*| grep "Last enable details|Last disable details"
  • Run the following SPL Into the Splunk :
    index="_internal" source="/opt/splunk/var/log/splunk/ta_QualysCloudPlatform.log*" ("last enable details" OR "last disable details")

This case is only supported for Splunk versions 9.x.x or above

URL to the Qualys API Server

The Qualys API URL you should use for API requests depends on the Qualys platform where your account is located.

Click here to identify your Qualys platform and get the API URL.

  • You can find the API server URL for your account.
  • Log in to your Qualys account and go to Help > About.

    You can view this information under Security Operations Center (SOC).

    about-2

© 2024 Qualys, Inc. All rights reserved. Privacy Policy.