FAQs for Configurations in Splunk

How to set up for a Search Head Cluster

  1. Install Qualys TA on your Forwarder. Depending on the type of data you want to ingest, add and enable all or any of these data inputs: host_detection, was_findings, policy_posture_info.

  2. Use Deployer to push Qualys visualization apps.

  3. On each Search Head, manually configure the event types.

  4. To add event types, go to Settings > Event Types.

  5. From the Event types page, click New Event Type.

  6. In the Add new page, provide the search string for the new event type and click Save.

How to index KB data into Splunk

We support indexing of the KnowledgeBase (KB) data in Splunk so that Splunk TA users in a distributed setup can get the updated KnowledgeBase data on the Search Head from the Heavy Forwarder.

On the TA set up page, we added a KnowledgeBase Settings section that has a check box 'Index the KnowledgeBase. CSV lookup...'.

The check box indicates whether to index the KnowledgeBase data in Splunk or write the data into a CSV file. When you select the check box and click Save, TA fetches the KB data and indexes it in Splunk. If the check box is not selected, TA does not index the KB data into Splunk and creates a CSV file. The CSV file contains KB data from 1999-01-01.


On the Settings > Data Inputs > Add Data page for the Qualys Technology Add-on, we added a note that the Start Date field for the knowledge_base input applies only if the 'Index the KnowledgeBase. CSV lookup...' option is enabled in the KnowledgeBase Settings on the TA setup page.

After you enable the index KB data option, you need to generate KB CSV lookup on the Search Head. See KnowledgeBase Settings.

How to get the RESULTS field indexed in host detection input

Update optional parameters on the TA setup page to include show_results=1.

Already have optional parameters listed? Append show_results=1 to them with an '&' sign, for example show_tags=1&show_results=1.
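The merge described above, as an added example that is not part of the Qualys TA: it takes the existing optional-parameters string from the setup page and adds show_results=1 without duplicating a key that is already present. It assumes the field is a plain '&'-separated key=value list, as in the example above.

```python
"""Merge a TA optional parameter into an existing parameter string.

Added example, not part of the Qualys TA; it only models the
'&'-separated key=value string the setup page expects (e.g.
show_tags=1&show_results=1). Assumption: keys are case-sensitive and
an existing key is overwritten in place rather than repeated.
"""
from urllib.parse import parse_qsl, urlencode


def add_optional_parameter(existing: str, key: str, value: str) -> str:
    """Return `existing` with key=value added, joined by '&'.

    - Empty `existing` yields just key=value.
    - A key already present is updated in place, never duplicated.
    - Other parameters and their order are preserved.
    """
    # keep_blank_values so a bare "flag=" entry survives the round trip
    params = dict(parse_qsl(existing.strip(), keep_blank_values=True))
    params[key] = value
    return urlencode(params)


if __name__ == "__main__":
    # Constructed inputs mirroring the FAQ's example
    print(add_optional_parameter("", "show_results", "1"))
    print(add_optional_parameter("show_tags=1", "show_results", "1"))
    print(add_optional_parameter("show_tags=1&show_results=0", "show_results", "1"))
```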

How to populate the Diagnosis, Consequence and Solution information in Splunk

Go to the KnowledgeBase Settings section on the TA setup page and select the 'Log additional fields (SOLUTION, CONSEQUENCE, DIAGNOSIS)' check box.

TA fetches the Diagnosis, Consequence, and Solution fields from Qualys cloud in the KB data. Search the KB data in Splunk to view information related to these fields.

Related Topics

Troubleshooting

Application Management