Skip to content

Instantly share code, notes, and snippets.

@pmgupte

pmgupte/Qualys_TA_HostDetection_RESULTS.md

Last active October 10, 2017 09:45
Show Gist options
  • Save pmgupte/f9dd2d62c4861bfc852ef92137307515 to your computer and use it in GitHub Desktop.
Save pmgupte/f9dd2d62c4861bfc852ef92137307515 to your computer and use it in GitHub Desktop.
Download ZIP
How to get RESULTS field into the Host Detection feed
Raw
Qualys_TA_HostDetection_RESULTS.md

How to get RESULTS field into the Host Detection feed

for Qualys TA version 1.2.2+

To get the RESULTS field indexed in host detection input, do the followings:

  1. On TA Setup page, in VM Detection extra parameters, set show_results=1
  2. Open <TA DIR>bin/qualysModule/splunkpopulator/detectionpopulator.py and find class HostDetectionPopulator.
  3. In this class, find _process_root_element(self, elem) method.
  4. In that method, we have a list named HostDetectionPopulator.detection_fields_to_log. Its a list of fields to parse from detection tag.
  5. In that list, add "RESULTS" at the end. As a best practice, add a comment describing why you edited this list. This will tell code to parse that XML tag as well and output it while printing the event data.
  6. Save the file and restart your Splunk.

Let me draw your attention to the fact that, RESULTS in host detection API output could be multi-line text. As KV_MODE is set to auto for hostDetection input in props.conf, we are not sure how Splunk will treat the events when RESULTS field is multi-line text. It may or may not consider the multi-line text to be the part of same single event. The newline character might confuse Splunk's event detection.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment