Troubleshooting

In this section you can find resolutions for the issues you may encounter while using the Qualys App for QRadar.

If you see no data

If the application is not fetching your detection data, go through the following list:

  1. Check, with the help of AQL, whether data indexing is happening properly.
  2. Check the app configuration. Also check that the host detection ETL is enabled in Qualys App Settings.
    1. Check that the cron jobs are scheduled properly.
      For more information about cron job scheduling, refer to https://crontab.guru/.
    2. Make sure you have the correct API and access permissions.
    3. Make sure your credentials are correct.
    4. If you set a start date-time, make sure it complies with the format Qualys requires.
    5. If you added extra API parameters, make sure the JSON is valid and that all the extra parameters listed are valid.
  3. Make sure the application dependencies were installed correctly.

  4. Make sure you have done Deploy Full Configuration and that your TCP port is listening.

  5. Make sure QRadar has Internet access and can reach your Qualys API server.

  6. Check that your host detection ETL is running:

    Log in to the Qualys App container and run the following command:
    ps aux | grep python

If your host detection job is not running

To run the host detection ETL, run the following command:

python /app/etl_host_detection.py -d
Once you run the above command, make sure you see a screen similar to the following:

If you get [Errno 111] Connection refused error

The following error messages are displayed in different cases:

Case 1

ERROR: Socket connection on port 12468 configured for 'QualysMultiline' log source is refused, 'Deploy Full Configuration'. Error while connecting to socket: [Errno 111] Connection refused

This error occurs when the listen port is not in the LISTENING state. Run Deploy Full Configuration on the QRadar box to resolve this issue.

Case 2

Making Request - https://qualysapi.qualys.com/msp/about.php with PARAM: {} 2020-01-16T10:19:58Z PID=421 Qualys:HostDetection client ERROR: Error during request to https://qualysapi.qualys.com/msp/about.php:<urlopen error [Errno 111] Connection refused>

This error occurs if the proxy settings are not configured on the Qualys App Settings page. Configure the proxy setup in Qualys App Settings to resolve it.

If you see HTTP Error 401: Unauthorized error

This error occurs if you provide invalid credentials. To resolve this issue, check the API server URL and credentials.

If you see the ‘Number of host detections logged = 0’ in host detection

This can be due to the following reasons:

  • No scan was performed on the POD in the given period.
  • No vulnerabilities were detected by the scan.
  • The API parameters are incorrect.

For example, the parameter '_processed_after': '1999-01-01 00:00' is wrong in the following API request:

https://qualysapi.qualys.com/api/2.0/fo/asset/host//detection/ with PARAM: {'truncation_limit': 10, 'show_results': 0, 'show_igs': 1, 'output_format': 'XML', 'show_tags': 0, 'action': 'list', '_processed_after': '1999-01-01 00:00'}

If you see corresponding record not found in KB message

The following message may appear in Host Detection logs:

A record for QID QID-Number found on Host %s, but its corresponding record not found in KB. May be KB is not updated.

This means you have some detections for the given QID, but because your knowledgebase is not up to date, the app could not enrich the event data with QID details (such as title, category, CVEs, and patchable). The Knowledgebase input has not been enabled in Qualys App Settings.

Enable it and schedule it to run at least once a week.

If you see Internal Server Error while saving settings

Perform the following steps to troubleshoot:

  1. This error occurs if the Log Source QualysMultiline is not configured. Complete the Log Source configuration.
  2. This error occurs if Deploy Full Configuration was not done before configuring the Qualys App for QRadar.
  3. The log source TCP port is not listening. To check, run the following command on the QRadar box:
    netstat -tulpn | grep LISTEN

    To enable the TCP listen port, run Deploy Full Configuration. If the port is still not listening even after Deploy Full Configuration, contact IBM Support.

  4. There might be an issue with the cron service.
    Perform the following steps to identify the issue:
    • Go to the QRadar terminal and connect to the Qualys app's container. Check whether the cron service is up and running; if it is not running, start it.
    • If you do not find the cron service, QRadar did not install cron while installing the Qualys app. Install the cron service manually and start it. You can confirm the issue from the /store/log/startup.log file as well; it should indicate that the cron installation failed.

If dashboard widgets are not showing data for multi-tenant environment

When the dashboard widgets are not loading or show no data even though the data fetch has completed:

  • Check whether the Event ID, Event Category, and Event Mapping are created for the desired log source as suggested.
  • If multiple log sources are created, make sure the Event ID, Event Category, and Event Mapping for all of them are created in the same order. For example, if the user has three log sources, QualysMultiline (default), QualysTokyo, and QualysBerlin, then the Event IDs and Event Categories must be created in that same order. If the order of creating the Event ID and Event Category does not match the order of the log sources, the order in QualysLEEFCustom_ext may be affected and event parsing may fail. The events may then be classified as Unknown and not sent to the selected log source.

DSM editor does not show Tags or DNS properties and you cannot add them

After installation of the Qualys App, if the DSM editor does not show the Tags and DNS properties, try adding them manually. If you are unable to add them manually, perform the following steps:

  1. Check whether the QualysMultiline Log Source has the correct Log Source Type. If it is not correct, delete the log source.
  2. From the DSM editor, delete the Qualys LEEF entry and create a new one. Add the appropriate event mappings as described in the Check Log Source Event Mapping section of this document.
  3. Create a new Log Source using the newly created Qualys LEEF as the Log Source Type.
  4. Complete the Deploy Full Configuration step.
  5. Go through the Check Custom Event Properties section of this document to make sure the event mappings are all correct.

If you need to delete and recreate Log Source Type Qualys LEEF

Add the following custom event properties to the newly created Log Source Type. For each property in the table below, Type should be Regex.

Property Name          Log Source Type   Log Source   Event Name                    Expression
App Version            Qualys LEEF       All          QualysMultiline Information   app_version=([^\t]+)
CVE                    Qualys LEEF       All          QualysMultiline Information   cves=([^\t]+)
DNS                    Qualys LEEF       All          QualysMultiline Information   dns=([^\t]+)
Detection Type         Qualys LEEF       All          QualysMultiline Information   detection_type=([^\t]+)
First Found Datetime   Qualys LEEF       All          QualysMultiline Information   first_found_datetime=([^\t]+)
Host IP                Qualys LEEF       All          QualysMultiline Information   ip=([^\t]+)
Last Fixed Datetime    Qualys LEEF       All          QualysMultiline Information   last_fixed_datetime=([^\t]+)
Last Found Datetime    Qualys LEEF       All          QualysMultiline Information   last_found_datetime=([^\t]+)
Last Scan Datetime     Qualys LEEF       All          QualysMultiline Information   last_scan_datetime=([^\t]+)
App ID                 Qualys LEEF       All          QualysMultiline Information   app_id=([^\t]+)
Last Test Datetime     Qualys LEEF       All          QualysMultiline Information   last_test_datetime=([^\t]+)
Last Update Datetime   Qualys LEEF       All          QualysMultiline Information   last_update_datetime=([^\t]+)
Network ID             Qualys LEEF       All          QualysMultiline Information   network_id=([^\t]+)
Operating System       Qualys LEEF       All          QualysMultiline Information   os=([^\t]+)
PCI Flag               Qualys LEEF       All          QualysMultiline Information   pci_flag=([^\t]+)
Patchable              Qualys LEEF       All          QualysMultiline Information   patchable=([^\t]+)
QID Category           Qualys LEEF       All          QualysMultiline Information   category=([^\t]+)
QID Title              Qualys LEEF       All          QualysMultiline Information   title=([^\t]+)
Qualys Host Id         Qualys LEEF       All          QualysMultiline Information   host_id=([^\t]+)
Qualys QID             Qualys LEEF       All          QualysMultiline Information   qid=([^\t]+)
Qualys Severity        Qualys LEEF       All          QualysMultiline Information   severity=([^\t]+)
Severity Level         Qualys LEEF       All          QualysMultiline Information   sev=([^\t])
Status                 Qualys LEEF       All          QualysMultiline Information   status=([^\t]+)
Tags                   Qualys LEEF       All          QualysMultiline Information   tags=([^\t]+)
Tracking Method        Qualys LEEF       All          QualysMultiline Information   tracking_method=([^\t]+)
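As an added illustration (not code from the Qualys app or from this document), the following Python applies a subset of the regexes from the table above to a constructed tab-delimited payload, the way the DSM editor extracts custom event properties. The header placeholder, the sample field values, and the helper names are assumptions; it also shows that a value containing spaces (such as a title) is captured whole because the expressions stop only at a tab.

```python
import re

# Subset of the custom event property regexes from the table above
# (property name -> expression); "sev" captures exactly one character as written.
PROPERTY_REGEX = {
    "Host IP": r"ip=([^\t]+)",
    "Qualys QID": r"qid=([^\t]+)",
    "QID Title": r"title=([^\t]+)",
    "Qualys Severity": r"severity=([^\t]+)",
    "Severity Level": r"sev=([^\t])",
    "Status": r"status=([^\t]+)",
    "Tags": r"tags=([^\t]+)",
    "CVE": r"cves=([^\t]+)",
    "Operating System": r"os=([^\t]+)",
    "DNS": r"dns=([^\t]+)",
}

# Constructed sample payload: tab-delimited key=value fields after a placeholder
# header. Values such as the title legitimately contain spaces.
SAMPLE_PAYLOAD = "\t".join([
    "LEEF-header-placeholder",
    "ip=10.0.0.5",
    "qid=100000",
    "title=Example vulnerability title with spaces",
    "severity=2",
    "sev=2",
    "status=Active",
    "tags=web,dmz",
    "cves=CVE-0000-0001",
    "os=Linux 3.x",
    "dns=web01.example.internal",
])


def extract_properties(payload, regexes=PROPERTY_REGEX):
    """Apply each property regex to the payload; unmatched properties map to None."""
    result = {}
    for name, pattern in regexes.items():
        match = re.search(pattern, payload)
        result[name] = match.group(1) if match else None
    return result


def missing_properties(payload, regexes=PROPERTY_REGEX):
    """Names of properties whose regex did not match; a non-empty list is the
    usual reason a column shows blank in the Log Activity tab."""
    return [n for n, v in extract_properties(payload, regexes).items() if v is None]


if __name__ == "__main__":
    for name, value in extract_properties(SAMPLE_PAYLOAD).items():
        print(f"{name:18s} -> {value}")
```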

Helpful AQLs to check Detection Logs and Events

Use the following AQLs to check detection data and perform troubleshooting.

To check the logs, download the app logs from the Qualys App container: go to the Advanced tab and click the Download button next to Download Application Logs. The ETL logs are in the ETL folder of the downloaded zip file.

Get the PID (process id) of either etl_host_detection or etl_knowledgebase using the following commands inside the container:

cat /app/host_detection.pid
cat /app/etl_knowledgebase.pid

On the Log Activity tab, run the following queries under Advanced Search. They show the log for a particular PID (replace <PID> with the appropriate process id):

SELECT UTF8(payload) as utf8_payload from events where utf8_payload ILIKE '%PID=<PID>%' ORDER BY utf8_payload ASC
SELECT UTF8(payload) as utf8_payload from events where utf8_payload ILIKE '%Qualys:HostDetection%' ORDER BY utf8_payload ASC
SELECT UTF8(payload) as utf8_payload from events where utf8_payload ILIKE '%Qualys:Knowledgebase%' ORDER BY utf8_payload ASC
SELECT UTF8(payload) as utf8_payload from events where utf8_payload ILIKE '%detections =%' ORDER BY utf8_payload ASC
SELECT UTF8(payload) as utf8_payload from events where LOGSOURCENAME(logsourceid) = 'Qualys' OR LOGSOURCENAME(logsourceid) = 'QualysMultiline'

To check the event data payload:

SELECT LOGSOURCENAME(logsourceid) as logsourceids, UTF8(payload) as utf8_payload from events where LOGSOURCENAME(logsourceid) = 'Qualys' OR LOGSOURCENAME(logsourceid) = 'QualysMultiline'
SELECT "Qualys Host Id", "Operating System", "Last Scan Datetime", "Tracking Method", "Qualys QID", "Qualys Severity", "Detection Type", "Status" from events where LOGSOURCENAME(logsourceid) = 'Qualys' OR LOGSOURCENAME(logsourceid) = 'QualysMultiline'

If you get Event 0 or Unknown in the Log Activity Event name

To populate the event Qualys Multiline Information in the Log Activity tab, perform the following steps:

  1. Navigate to the Admin section.
  2. In the Data Source Section, select DSM Editor.
  3. Under Search Log Source Type, choose Qualys LEEF, and click Select.
  4. Switch to the Event Mappings tab.
  5. Click Save to implement changes.
  6. Click Close to exit the setup.

Known Issues

The following are the known issues of this release:

  • Reports and the search table are rendered only after all the records for the search results are fetched. Sometimes the report rendering breaks for very large data sets while the data table is being processed and loaded.
  • For the Active Host widgets on the Summary dashboard, the aggregate AQL returns a maximum of 1000001 hosts.