Agent Correlation Identifier allows you to merge unauthenticated and authenticated vulnerability scan results from scanned IP interfaces and agent VM scans for your cloud agent assets. The Agent Correlation Identifier is supported for VM only and is detected by QID 48143 “Qualys Correlation ID Detected”.
For more information on merging unauthenticated and scan agent results, visit our blog and watch the video.
Notes:
- The Agent Correlation Identifier feature must be available on your Qualys Cloud Platform.
- Your agent hosts must have the minimum Cloud Agent version: Windows Agent version 4.2 or later | Linux Agent version 3.1 or later
- The agent configuration profile must have the Agent Scan Merge option enabled. See steps below to learn how to enable this option in the Cloud Agent UI.
- By default, the following TCP ports must not be blocked: 10001, 10002, 10003, 10004, 10005. You can customize the list of ports in the Configuration Profile in Cloud Agent. When the agent correlation identifier option is accepted, the listed ports are automatically added to the scanned ports list for your vulnerability scans.
- Your vulnerability scans must include Information Gathered QID 48143 “Qualys Correlation ID Detected”. A Full vulnerability scan will include this QID by default. If you run a custom scan using a search list, then you’ll need to make sure this QID is included. Add the QID to a search list and add the search list to the scan option profile under Vulnerability Detection: Custom.
- Make sure that agentid-service is running on the agent and listening on the port.
Follow the steps below to start using the Agent Correlation Identifier.
1) Toggle ON the Enable Agent Scan Merge for this profile option in the configuration profile. Choose Cloud Agent from the app picker, then go to Agent Management > Configuration Profiles. Create a new profile (or edit an existing profile) and select this option.
If you toggle Bind All to ON, the service tries to connect to all the listed ports. Otherwise, the service tries to connect only to the lowest free port among those specified. For Windows agent versions below 4.6, the service opens these ports on all network interfaces, such as WiFi, Token Ring, Ethernet, and Optical LAN. For Windows agents 4.6 and later, you can configure the Windows agent to bind to an interface that is connected to the approved network.
2) (Manager primary contact) Go to Assets > Setup > Asset Tracking & Data Merging. On the Unique Asset Identifiers tab, scroll down to Agent Correlation Identifier and select the option Accept Agent Correlation Identifier.
3) Go to Scans > Option Profiles. Create a new option profile (or edit an existing profile) and make sure the scan is a Full scan or Custom scan with QID 48143 added.
4) Run new vulnerability scans to start gathering data for QID 48143.
Click the links below for help with troubleshooting.
Troubleshooting Unauth Merge for Windows
Log Location: C:\ProgramData\Qualys\QualysAgent\Correlation\Resources\logs\agentid.txt
Example: agentid-2021-01-07T06-31-17.992.log.gz
Check running process: Go to Task Manager and search for the 'agentid-service.exe' process.
Process: agentid-service
After the logs exceed the 10MB threshold, they are rolled, compressed and archived with the log name and current UTC time appended. This process continues for 5 rotations.
Artifact Location: C:\ProgramData\Qualys\QualysAgent\Correlation
- Windows XP
- Windows Vista
- Windows Server 2003
- Windows Server 2008
Troubleshooting Unauth Merge for Linux
Log location: /var/log/qualys/agentid.log
If the user has relocated the log directory, then agentid.log will also be stored there.
Example: agentid-2021-01-07T06-31-17.992.log.gz
Check running process: Run the ps -aux | grep agentid-service command.
Process: agentid-service
After the logs exceed the 10MB threshold, they are rolled, compressed and archived with the log name and current UTC time appended. This process continues for 5 rotations.
Artifact Location: /usr/local/qualys/cloud-agent/correlation/manifests
- CentOS 5.x
- Red Hat 5.x
- Suse 10.x
- MacOS
- AIX
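The Linux prerequisite above (agentid-service running and listening on one of the correlation ports) can be checked with the script below. It is an added example, not Qualys code. It assumes the default port list from this page, treats Bind All ON as "every listed port is bound", and uses function names and sample `ss` output that are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm agentid-service owns a correlation port (Linux agent).
# Default ports from the page; change if your Configuration Profile customizes them.
CORRELATION_PORTS="10001 10002 10003 10004 10005"

# Constructed sample of `ss -ltnp` output (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22    0.0.0.0:* users:(("sshd",pid=801,fd=3))
LISTEN 0 128 0.0.0.0:10001 0.0.0.0:* users:(("nginx",pid=900,fd=6))
LISTEN 0 128 0.0.0.0:10002 0.0.0.0:* users:(("agentid-service",pid=1432,fd=7))
LISTEN 0 128 [::]:10003    [::]:*    users:(("agentid-service",pid=1432,fd=8))'

# Read `ss -ltnp` output on stdin; print the correlation ports that are in
# LISTEN state AND owned by agentid-service (a port held by another process
# does not count, even though a plain port check would report it as open).
listening_correlation_ports() {
    awk -v ports="$CORRELATION_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" && index($0, "\"agentid-service\"") {
            port = $4; sub(/.*:/, "", port)   # keep the port, drop IPv4/IPv6 address
            if (port in want) seen[port] = 1
        }
        END { for (i = 1; i <= n; i++) if (p[i] in seen) { out = out sep p[i]; sep = " " }
              print out }'
}

# $1 = Bind All setting ("on"/"off"), $2 = ports printed by the function above.
# Bind All ON: every listed port is expected; OFF: at least one bound port.
merge_ports_ok() {
    bind_all=$1
    set -- $2; count=$#
    set -- $CORRELATION_PORTS; total=$#
    if [ "$bind_all" = "on" ]; then [ "$count" -eq "$total" ]; else [ "$count" -ge 1 ]; fi
}

# Live check; run as root so ss can show the owning process of each socket.
check_host() {
    pgrep -x agentid-service >/dev/null || { echo "agentid-service is not running"; return 1; }
    found=$(ss -ltnp | listening_correlation_ports)
    echo "agentid-service listening on: ${found:-none}"
    merge_ports_ok "$1" "$found"
}

if [ "${1:-}" = "--live" ]; then
    check_host "${2:-off}"
else
    echo "sample: $(printf '%s\n' "$SAMPLE_SS" | listening_correlation_ports)"
fi
```

Run it with `--live on` or `--live off` to match the Bind All setting in the agent's configuration profile. A non-zero exit status means the scanner will not find a correlation port to query for QID 48143.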