Versions Compared

Old Version 2

changes.mady.by.user Juan Tomás Alonso Nieto

Saved on

compared with

New Version 3

changes.mady.by.user Juan Tomás Alonso Nieto

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
minLevel2
maxLevel2
typeflat

Overview

Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and compliance solutions. The Qualys Cloud Platform and its integrated apps help businesses simplify security operations and lower the cost of compliance by delivering critical security intelligence on demand and automating the full spectrum of auditing, compliance and protection for IT systems and web applications.

Devo collector features

Feature

Details

Allow parallel downloading (multipod)

not allowed

Running environments

  • collector server

  • on-premise

Populated Devo events

table

Flattening preprocessing

no

Allowed source events obfuscation

yes

Data sources

Data source

Description

API endpoint

Collector service name

Devo table

Available from release

VM Scans

The VM Scan API (/api/2.0/fo/scan/) is used to obtain a list of vulnerability scans in your account and to take actions on them like cancel, pause, resume, and fetch (download) finished results. 

https://cdn2.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#page=27&zoom=100,76,89 

/scan/

vm_scans

vuln.qualys.vulnerabilities

v1.0.0

Host List

Download a list of scanned hosts in the user’s account. By default, all scanned hosts in the user account are included and basic information about each host is provided. Hosts in the XML output are sorted by host ID in ascending order.

https://cdn2.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#page=381 

/asset/host/

host_list

vuln.qualys.hosts

v1.0.0

Host List Detection

Download a list of hosts with the hosts latest vulnerability data, based on the host based scan data available in the user’s account. This data brings a lot of value to customers because they provide the latest complete vulnerability status for the hosts (NEW, ACTIVE, FIXED, REOPENED) and history information.

https://cdn2.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#page=390 

/asset/host/vm/detection/

host_list_detection

vuln.qualys.hostdetections

v1.0.0

User Activity Log

You can view the Activity Log using the Qualys user interface and the Activity Log API

(/api/2.0/fo/activity_log). The Activity Log shows details about user actions taken.

https://cdn2.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#page=641 

/activity_log/

user_activity

vuln.qualys.useractivitylog

v1.0.0

For more information on how the events are parsed, visit our page.

Minimum configuration required for basic pulling

Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.

Info

This minimum configuration refers exclusively to those specific parameters of this integration. There are more required parameters related to the generic behavior of the collector. Check setting sections for details.

Setting

Details

username

The Qualys username.

password

The Qualys password.

hostname

The Qualys hostname. This must be supplied by every customer that wants to use this collector. For the "hostname", you can identify it in

https://www.qualys.com/platform-identification/.

Please, note that the hostname should not include the https:// protocol prefix.

Info

See the Accepted authentication methods section to verify what settings are required based on the desired authentication method.

Accepted authentication methods

Authentication method

username

password

username/password

Required

Required

Vendor setup

In order to retrieve the data, you need the following:

Create Qualys user account

Authentication with valid Qualys user account credentials is required in order to run Qualys API requests to the Qualys API servers.

These servers are hosted at the Qualys platform, also referred to as the Security Operations Center (SOC), where your account is located. If you need assistance with obtaining a Qualys account, please contact your Qualys account representative. Users with a Qualys user account may access the API functions. When a subscription has multiple users, all users with any user role (except Contact) can use the Qualys API. Each user’s permissions correspond to their assigned user role.

Qualys user accounts that have been enabled with VIP two-factor authentication can be used with the Qualys API, however two-factor authentication will not be used when making API requests. Two-factor authentication is only supported when logging into the Qualys GUI.

Get Qualys API Server URL

The Qualys API URL you should use for API requests depends on the Qualys platform where your account is located. Click here to identify your Qualys platform and get the API URL. This documentation uses the API server URL for Qualys US Platform 1 (https://qualysapi.qualys.com ) in sample API requests.

If you’re on another platform, please replace this URL with the appropriate server URL for your account. Still have questions? You can easily find the API server URL for your account. Just log in to your Qualys account and go to Help → About. You’ll see this information under Security Operations Center (SOC). 

You can find the complete API here.

Assigning required permissions

Expand
titleVM Scans

User role

Permissions

Unit Manager

Manage scans on all IPs in the subscription.

Scanner

Launch, list and fetch scans on IPs in the user’s business unit. And take actions on scans launched by users in the same business unit (cancel, pause, resume and delete).

Reader

View scans with targets containing IPs in the user’s account. Download scan results when the target includes at least one IP in the user’s account.

Auditor

No permissions.

Expand
titleHosts Lists

Managers view all scanned hosts in subscription. Auditors view all scanned compliance hosts in subscription. Unit Managers view scanned hosts in user’s business unit. Scanners and Readers view scanned hosts in user’s account. Please note that this API only returns information for hosts that are assigned to each user through asset groups in VM/VMDR and PC. For Unit Managers, Scanners, and Readers to view compliance hosts, the “Manage compliance” permission must be granted in the user’s account.

Expand
titleHosts List Detection

Managers view all VM scanned hosts in subscription. Auditors have no permission to view VM scanned hosts. Unit Managers view VM scanned hosts in the user’s assigned business unit. Scanners and Readers view VM scanned hosts in the user’s account. Please note that this API only returns information for hosts that are assigned to each user through asset groups in VM/VMDR

Expand
titleUser Activity Log

Managers and Administrators can view all users in subscription. See Unit Manager Permissions for full details.

For more information check this article.

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

Rw ui tabs macro
Rw tab
titleOn-premise collector

This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running.

Structure

The following directory structure should be created for being used when running the collector:

Code Block
<any_directory>
└── devo-collectors/
    └── <product_name>/
        ├── certs/
        │   ├── chain.crt
        │   ├── <your_domain>.key
        │   └── <your_domain>.crt
        ├── state/
        └── config/ 
            └── config.yaml
Note

Replace <product_name> with the proper value.

Devo credentials

In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in <product_name>/certs/. Learn more about security credentials in Devo here.

image-20240124-095215.png
Note

Replace <product_name> with the proper value.

Editing the config.yaml file

Code Block
globals:
  debug: false
  id: not_used
  name: <collector_name>
  persistence:
    type: filesystem
    config:
      directory_name: state
outputs:
  devo_1:
    type: devo_platform
    config:
      address: <devo_address>
      port: 443
      type: SSL
      chain: <chain_filename>
      cert: <cert_filename>
      key: <key_filename>
inputs:
  qualys:
    id: <short_unique_id>
    enabled: true
    environment: <environment_value>
    credentials:
      hostname: <hostname_value>
      username: <username_value>
      password: <password_value>
    services:
      vm_scans::
        request_period_in_seconds: <request_period_in_seconds_value>
        override_tag: <override_tag_value>
        start_time_utc: <start_time_in_utc_value>
      user_activity::
        request_period_in_seconds: <request_period_in_seconds_value>
        override_tag: <override_tag_value>
        start_time_utc: <start_time_in_utc_value>
      host_list::
        request_period_in_seconds: <request_period_in_seconds_value>
        override_tag: <override_tag_value>
        start_time_utc: <start_time_in_utc_value>
        filters: <host_filters_value>
      host_list_detection::
        request_period_in_seconds: <request_period_in_seconds_value>
        override_tag: <override_tag_value>
        start_time_utc: <start_time_in_utc_value>
        filters: <host_filters_detection_value>
Info

All defined service entities will be executed by the collector. If you do not want to run any of them, just remove the entity from the services object.

Replace the placeholders with your required values following the description table below:

Parameter

Data type

Type

Value range

Details

collector_name

str

Mandatory

Minimum length: 1

Use this param to give a name to this collector.

devo_address

str

Mandatory

collector-us.devo.io 

collector-eu.devo.io 

Use this parameter to identify the Devo Cloud where the events will be sent.

chain_filename

str

Mandatory

minimum length: 4

maximum length: 20

Use this parameter to identify the chain.cert file downloaded from your Devo domain. Usually this file's name is chain.crt

cert_filename

str

Mandatory

minimum length: 4

maximum length: 20

Use this parameter to identify the file.cert downloaded from your Devo domain.

key_filename

str

Mandatory

minimum length: 4

maximum length: 20

Use this parameter to identify the file.key downloaded from your Devo domain.

short_unique_id

int

Mandatory

Minimum length: 1

Maximum length: 5

Use this param to give an unique id to this input service.

Note

This parameter is used to build the persistence address, do not use the same value for multiple collectors. It could cause a collision.

environment_value

str

Optional

Minimum length: 1

This is an optional control parameter that is injected into the events and allows to differentiate the environment. For example: dev and prod.

Info

This parameter should be removed if it is not used.

hostname_value

str

Mandatory

Minimum length: 1

The Qualys hostname. This must be supplied by every customer that wants to use this collector. For the "hostname", you can identify it in https://www.qualys.com/platform-identification/ Please, note that the hostname should not include the https:// protocol prefix.

username_value

str

Mandatory

Minimum length: 1

The Qualys username. To find out how to get it, see the Vendor Setup guide.

password_value

str

Mandatory

Minimum length: 1

The Qualys password. To find out how to get it, see the Vendor Setup guide.

override_tag_value

str

Optional

Devo tag-friendly string (no special characters, spaces, etc.) For more information see Devo Tags.

An optional tag that allows users to override the service default tags.

Info

This parameter can be removed or commented.

start_time_utc_value

str

Optional

UTC datetime string having datetime string format %Y-%m-%dT%H:%M:%SZ

 (e.g., “2023-07-11T01:23:01Z”)

This configuration allows you to set a custom date as the beginning of the period to download. This allows downloading historical data (one month back for example) before downloading new events.

Info

This parameter should be removed if it is not used.

request_period_in_seconds_value

int

Optional

minimum length: 1

Period in seconds used between each data pulling. This value will overwrite the default value (60 seconds).

Info

This parameter can be removed or commented.

host_filters_value

dict

Optional

Filter values:: 

details={All|All/AGs}

show_asset_id={0|1}

show_tags={0|1}

show_cloud_tags={0|1}

For more information check: https://cdn2.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#page=641 

Example of use:

Code Block
filters:
  details: All   
    show_asset_id: “1”,
    show_cloud_tags: “0”
Info

This parameter can be removed or commented.

host_detection_filters_value

dict

Optional

show_asset_id={0|1}

show_tags={0|1}

show_reopened_info={0|1}

status={New|Fixed|Active|Re-Opened}

For more information check: https://cdn2.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#page=641 

Example of use:

Code Block
filters:
   details: All ,   
   show_tags: “1”
   show_reopened_info: “0”,
   status: 
     - New
     - Fixed
Info

This parameter can be removed or commented.

Download the Docker image

The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:

Collector Docker image

SHA-256 hash

collector-qualys-docker-image-2.0.0.tgz

bd80ea4fa96b3abf78cfa0c605d7210b6207a2323debe7f6c2072ad8235982a1

Use the following command to add the Docker image to the system:

Code Block
gunzip -c <image_file>-<version>.tgz | docker load
Note

Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace <image_file> and <version> with a proper value.

The Docker image can be deployed on the following services:

Docker

Execute the following command on the root directory <any_directory>/devo-collectors/<product_name>/

Code Block
docker run 
--name collector-<product_name> 
--volume $PWD/certs:/devo-collector/certs 
--volume $PWD/config:/devo-collector/config 
--volume $PWD/state:/devo-collector/state 
--env CONFIG_FILE=config.yaml 
--rm 
--interactive 
--tty 
<image_name>:<version>
Note

Replace <product_name>, <image_name> and <version> with the proper values.

Docker Compose

The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/<product_name>/ directory.

Code Block
version: '3'
services:
  collector-<product_name>:
    image: <image_name>:${IMAGE_VERSION:-latest}
    container_name: collector-<product_name>
    volumes:
      - ./certs:/devo-collector/certs
      - ./config:/devo-collector/config
      - ./credentials:/devo-collector/credentials
      - ./state:/devo-collector/state
    environment:
      - CONFIG_FILE=${CONFIG_FILE:-config.yaml}

To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/<product_name>/ directory:

Code Block
IMAGE_VERSION=<version> docker-compose up -d
Note

Replace <product_name>, <image_name> and <version> with the proper values.

Rw tab
titleCloud collector

We use a piece of software called Collector Server to host and manage all our available collectors.

To enable the collector for a customer:

  1. In the Collector Server GUI, access the domain in which you want this instance to be created

  2. Click Add Collector and find the one you wish to add.

  3. In the Version field, select the latest value.

  4. In the Collector Name field, set the value you prefer (this name must be unique inside the same Collector Server domain).

  5. In the sending method select Direct Send. Direct Send configuration is optional for collectors that create Table events, but mandatory for those that create Lookups.

  6. In the Parameters section, establish the Collector Parameters as follows below:

Editing the JSON configuration

Code Block
{
  "global_overrides": {
    "debug": false
  },
  "inputs": {
    "qualys": {
      "id": "<short_unique_id>",
      "enabled": true,
      “environment”: “<environment_value>”,
      "credentials": {
         "hostname": "<hostname_value>",
         "username": "<username_value>",
         "password": "<password_value>"
      },
      "services": {
        "vm_scans": {
          "request_period_in_seconds": <request_period_in_seconds_value>,
          "override_tag": <override_tag_value>,
          "start_time_utc": <start_time_in_utc_value>
        },
         "user_activity": {
          "request_period_in_seconds": <request_period_in_seconds_value>,
          "override_tag": <override_tag_value>,
          "start_time_utc": <start_time_in_utc_value>
        },
       "host_list": {
          "request_period_in_seconds": <request_period_in_seconds_value>,
          "override_tag": <override_tag_value>,
          "start_time_utc": <start_time_in_utc_value>,
          "filters": <host_filters_value>
        },
        "host_list_detection": {
          "request_period_in_seconds": <request_period_in_seconds_value>,
          "override_tag": <override_tag_value>,
          "start_time_utc": <start_time_in_utc_value>,
          "filters": <host_detection_filters_value>
        }
      }
    }
  }
}

Please replace the placeholders with real world values following the description table below:

Parameter

Data type

Type

Value range

Details

collector_name

str

Mandatory

Minimum length: 1

Use this param to give a name to this collector.

devo_address

str

Mandatory

collector-us.devo.io 

collector-eu.devo.io 

Use this parameter to identify the Devo Cloud where the events will be sent.

chain_filename

str

Mandatory

minimum length: 4

maximum length: 20

Use this parameter to identify the chain.cert file downloaded from your Devo domain. Usually this file's name is chain.crt

cert_filename

str

Mandatory

minimum length: 4

maximum length: 20

Use this parameter to identify the file.cert downloaded from your Devo domain.

key_filename

str

Mandatory

minimum length: 4

maximum length: 20

Use this parameter to identify the file.key downloaded from your Devo domain.

short_unique_id

int

Mandatory

Minimum length: 1

Maximum length: 5

Use this param to give an unique id to this input service.

Note

This parameter is used to build the persistence address, do not use the same value for multiple collectors. It could cause a collision.

environment_value

str

Optional

Minimum length: 1

This is an optional control parameter that is injected into the events and allows to differentiate the environment. For example: dev and prod.

Info

This parameter should be removed if it is not used.

hostname_value

str

Mandatory

Minimum length: 1

The Qualys hostname. This must be supplied by every customer that wants to use this collector. For the "hostname", you can identify it in https://www.qualys.com/platform-identification/ Please, note that the hostname should not include the https:// protocol prefix.

username_value

str

Mandatory

Minimum length: 1

The Qualys username. To find out how to get it, see the Vendor Setup guide.

password_value

str

Mandatory

Minimum length: 1

The Qualys password. To find out how to get it, see the Vendor Setup guide.

override_tag_value

str

Optional

Devo tag-friendly string (no special characters, spaces, etc.) For more information see Devo Tags.

An optional tag that allows users to override the service default tags.

Info

This parameter can be removed or commented.

start_time_utc_value

str

Optional

UTC datetime string having datetime string format %Y-%m-%dT%H:%M:%SZ

 (e.g., “2023-07-11T01:23:01Z”)

This configuration allows you to set a custom date as the beginning of the period to download. This allows downloading historical data (one month back for example) before downloading new events.

Info

This parameter should be removed if it is not used.

request_period_in_seconds_value

int

Optional

minimum length: 1

Period in seconds used between each data pulling. This value will overwrite the default value (60 seconds).

Info

This parameter can be removed or commented.

host_filters_value

dict

Optional

Filter values:: 

details={All|All/AGs}

show_asset_id={0|1}

show_tags={0|1}

show_cloud_tags={0|1}

For more information check: https://cdn2.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#page=641 

Example of use:

Code Block
filters:
  details: All   
    show_asset_id: “1”,
    show_cloud_tags: “0”
Info

This parameter can be removed or commented.

host_detection_filters_value

dict

Optional

show_asset_id={0|1}

show_tags={0|1}

show_reopened_info={0|1}

status={New|Fixed|Active|Re-Opened}

For more information check: https://cdn2.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#page=641 

Example of use:

Code Block
filters:
   details: All ,   
   show_tags: “1”
   show_reopened_info: “0”,
   status: 
     - New
     - Fixed
Info

This parameter can be removed or commented.

Collector services detail

This section is intended to explain how to proceed with specific actions for services.

VM Scans

Internal process and deduplication method

Data is collected by setting a start date. To eliminate duplicates, the date of the last event sent to Devo and the ids of events with the same date are stored.

Devo categorization and destination

All events of this service are ingested into the table vuln.qualys.vulnerabilities

Setup Output

A successful run has the following output messages for the setup module:

Code Block
INFO InputProcess::MainThread -> QualysPullerSetup(example_collector,qualys#13241243,vm_scans#predefined) -> Starting thread
WARNING InputProcess::QualysPullerSetup(example_collector,qualys#13241243,vm_scans#predefined) -> The token/header/authentication has not been created yet
INFO InputProcess::QualysPullerSetup(example_collector,qualys#13241243,vm_scans#predefined) -> Finished building connector.
INFO InputProcess::QualysPullerSetup(example_collector,qualys#13241243,vm_scans#predefined) -> Setup for module <QualysScansPuller> has been successfully executed

Puller Output

Code Block
INFO InputProcess::QualysScansPuller(qualys,13241243,vm_scans,predefined) -> QualysScansPuller(qualys,13241243,vm_scans,predefined) Starting the execution of pre_pull()
INFO InputProcess::QualysScansPuller(qualys,13241243,vm_scans,predefined) -> Reading persisted data
INFO InputProcess::QualysScansPuller(qualys,13241243,vm_scans,predefined) -> Data retrieved from the persistence: {'@persistence_version': 1, 'start_time_str': '2024-01-07T05:00:00Z', 'last_event_time_str': '2024-01-07T05:00:00Z', 'last_ids': []}
INFO InputProcess::QualysScansPuller(qualys,13241243,vm_scans,predefined) -> Running the persistence upgrade steps
INFO InputProcess::QualysScansPuller(qualys,13241243,vm_scans,predefined) -> Running the persistence corrections steps
INFO InputProcess::QualysScansPuller(qualys,13241243,vm_scans,predefined) -> Running the persistence corrections steps
WARNING InputProcess::QualysScansPuller(qualys,13241243,vm_scans,predefined) -> Some changes have been detected and the persistence needs to be updated. Previous content: {'@persistence_version': 1, 'start_time_str': '2024-01-07T05:00:00Z', 'last_event_time_str': '2024-01-07T05:00:00Z', 'last_ids': []}. New content: {'@persistence_version': 1, 'start_time_str': '2024-01-09T05:00:00Z', 'last_event_time_str': '2024-01-09T05:00:00Z', 'last_ids': []}
INFO InputProcess::QualysScansPuller(qualys,13241243,vm_scans,predefined) -> Updating the persistence
WARNING InputProcess::QualysScansPuller(qualys,13241243,vm_scans,predefined) -> Persistence has been updated successfully
INFO InputProcess::QualysScansPuller(qualys,13241243,vm_scans,predefined) -> QualysScansPuller(qualys,13241243,vm_scans,predefined) Finalizing the execution of pre_pull()
INFO InputProcess::QualysScansPuller(qualys,13241243,vm_scans,predefined) -> Starting data collection every 60 seconds
INFO InputProcess::QualysScansPuller(qualys,13241243,vm_scans,predefined) -> Pull Started
INFO InputProcess::QualysScansPuller(qualys,13241243,vm_scans,predefined) -> Fetched scan with reference scan/1704855745.16165 (no. 1 out of 9)
INFO InputProcess::QualysScansPuller(qualys,13241243,vm_scans,predefined) -> Fetched scan with reference scan/1704855743.16156 (no. 2 out of 9)
INFO InputProcess::QualysScansPuller(qualys,13241243,vm_scans,predefined) -> Fetched scan with reference scan/1704855742.16154 (no. 3 out of 9)
INFO InputProcess::QualysScansPuller(qualys,13241243,vm_scans,predefined) -> Fetched scan with reference scan/1704844946.14597 (no. 4 out of 9)
INFO InputProcess::QualysScansPuller(qualys,13241243,vm_scans,predefined) -> Fetched scan with reference scan/1704844941.14584 (no. 5 out of 9)
INFO InputProcess::QualysScansPuller(qualys,13241243,vm_scans,predefined) -> Fetched scan with reference scan/1704844939.14574 (no. 6 out of 9)
INFO InputProcess::QualysScansPuller(qualys,13241243,vm_scans,predefined) -> Fetched scan with reference scan/1704844879.14540 (no. 7 out of 9)
INFO InputProcess::QualysScansPuller(qualys,13241243,vm_scans,predefined) -> Fetched scan with reference scan/1704844836.14456 (no. 8 out of 9)
INFO InputProcess::QualysScansPuller(qualys,13241243,vm_scans,predefined) -> Fetched scan with reference scan/1704844836.14462 (no. 9 out of 9)
INFO InputProcess::QualysScansPuller(qualys,13241243,vm_scans,predefined) -> (Partial) Statistics for this pull cycle (@devo_pulling_id=1704880028290):Number of requests made: 1; Number of events received: 9; Number of duplicated events filtered out: 0; Number of events generated and sent: 9; Average of events per second: 0.048.
INFO InputProcess::QualysScansPuller(qualys,13241243,vm_scans,predefined) -> Statistics for this pull cycle (@devo_pulling_id=1704880028290):Number of requests made: 1; Number of events received: 9; Number of duplicated events filtered out: 0; Number of events generated and sent: 9; Average of events per second: 0.048.
INFO InputProcess::QualysScansPuller(qualys,13241243,vm_scans,predefined) -> The data is up to date!

After a successful collector’s execution (this is, no error logs were found), you should be able to see the following log message:

Code Block
INFO InputProcess::QualysScansPuller(qualys,13241243,vm_scans,predefined) -> Statistics for this pull cycle (@devo_pulling_id=1704880028290):Number of requests made: 1; Number of events received: 9; Number of duplicated events filtered out: 0; Number of events generated and sent: 9; Average of events per second: 0.048.

Restart the persistence 

This collector uses persistent storage to download events in an orderly fashion and avoid duplicates. In case you want to re-ingest historical data or recreate the persistence, you can restart the persistence of this collector by following these steps:

  1. Edit the configuration file.

  2. Change the value of the start_time_utc parameter to a different one.

  3. Save the changes.

  4. Restart the collector.

The collector will detect this change and will restart the persistence using the parameters of the configuration file or the default configuration in case it has not been provided.

Troubleshooting

This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.

Common Logic

Error Type

Error Id

Error Message

Cause

Solution

InitVariablesError

1

Missing parameter: 'datetime_format' in module_globals                                 (collector_definitions)

Parameter 'datetime_format' is not in collector_definitions.yaml

Contact the internal Devo team.

2

start_time_utc value: {start_time_in_utc_str}                                           does not comply with required format: {datetime_format}

The start_time_utc date entered by the user meets the required format.

Change the date to comply with the format, see the documentation for the format.

3

Invalid start_time_in_utc: {datetime_utc_now}. Must be in the past.

The start_time_utc date entered by the user is in the future.

Please enter a start_time_utc date earlier than the current date.

SetupError

102

ERROR: API Error. Cause: {e}

The cause and solution to the problem will be explained in the error message itself.

The cause and solution to the problem will be explained in the error message itself.

PullError

PullError

ERROR: API Error. Cause: {e}

The cause and solution to the problem will be explained in the error message itself.

The cause and solution to the problem will be explained in the error message itself.

Collector operations

Verify collector operations

Initialization

The initialization module is in charge of setup and running the input (pulling logic) and output (delivering logic) services and validating the given configuration.

A successful run has the following output messages for the initializer module:

Code Block
2023-01-10T15:22:57.146    INFO MainProcess::MainThread -> Loading configuration using the following files: {"full_config": "config.yaml", "job_config_loc": null, "collector_config_loc": null}
2023-01-10T15:22:57.146    INFO MainProcess::MainThread -> Using the default location for "job_config_loc" file: "/etc/devo/job/job_config.json"
2023-01-10T15:22:57.147    INFO MainProcess::MainThread -> "\etc\devo\job" does not exists
2023-01-10T15:22:57.147    INFO MainProcess::MainThread -> Using the default location for "collector_config_loc" file: "/etc/devo/collector/collector_config.json"
2023-01-10T15:22:57.148    INFO MainProcess::MainThread -> "\etc\devo\collector" does not exists
2023-01-10T15:22:57.148    INFO MainProcess::MainThread -> Results of validation of config files parameters: {"config": "config.yaml", "config_validated": True, "job_config_loc": "/etc/devo/job/job_config.json", "job_config_loc_default": True, "job_config_loc_validated": False, "collector_config_loc": "/etc/devo/collector/collector_config.json", "collector_config_loc_default": True, "collector_config_loc_validated": False}
2023-01-10T15:22:57.171 WARNING MainProcess::MainThread -> [WARNING] Illegal global setting has been ignored -> multiprocessing: False

Events delivery and Devo ingestion

The event delivery module is in charge of receiving the events from the internal queues where all events are injected by the pullers and delivering them using the selected compatible delivery method. A successful run has the following output messages for the initializer module:

Code Block
2023-01-10T15:23:00.788    INFO OutputProcess::MainThread -> DevoSender(standard_senders,devo_sender_0) -> Starting thread
2023-01-10T15:23:00.789    INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(standard_senders,devo_1) -> Starting thread (every 300 seconds)
2023-01-10T15:23:00.790    INFO OutputProcess::MainThread -> DevoSenderManager(standard_senders,manager,devo_1) -> Starting thread
2023-01-10T15:23:00.842    INFO OutputProcess::MainThread -> global_status: {"output_process": {"process_id": 18804, "process_status": "running", "thread_counter": 21, "thread_names": ["MainThread", "pydevd.Writer", "pydevd.Reader", "pydevd.CommandThread", "pydevd.CheckAliveThread", "DevoSender(standard_senders,devo_sender_0)", "DevoSenderManagerMonitor(standard_senders,devo_1)", "DevoSenderManager(standard_senders,manager,devo_1)", "OutputStandardConsumer(standard_senders_consumer_0)",

Sender services

The Integrations Factory Collector SDK has 3 different senders services depending on the event type to delivery (internal, standard, and lookup). This collector uses the following Sender Services:

Sender services

Description

internal_senders

In charge of delivering internal metrics to Devo such as logging traces or metrics.

standard_senders

In charge of delivering pulled events to Devo.

Sender statistics

Each service displays its own performance statistics that allow checking how many events have been delivered to Devo by type:

Logging trace

Description

Number of available senders: 1

Displays the number of concurrent senders available for the given Sender Service

sender manager internal queue size: 0

Displays the items available in the internal sender queue.

Standard - Total number of messages sent: 57, messages sent since "2023-01-10 16:09:16.116750+00:00": 0 (elapsed 0.000 seconds

Displayes the number of events from the last time and following the given example, the following conclusions can be obtained:

  • 44 events were sent to Devo since the collector started.

  • The last checkpoint timestamp was 2023-01-10 16:09:16.116750+00:00.

  • 21 events were sent to Devo between the last UTC checkpoint and now.

  • Those 21 events required 0.00 seconds to be delivered.

Check memory usage

To check the memory usage of this collector, look for the following log records in the collector which are displayed every 5 minutes by default, always after running the memory-free process.

  • The used memory is displayed by running processes and the sum of both values will give the total used memory for the collector.

  • The global pressure of the available memory is displayed in the global value.

  • All metrics (Global, RSS, VMS) include the value before freeing and after previous -> after freeing memory

Code Block
INFO InputProcess::MainThread -> [GC] global: 20.4% -> 20.4%, process: RSS(34.50MiB -> 34.08MiB), VMS(410.52MiB -> 410.02MiB)
INFO OutputProcess::MainThread -> [GC] global: 20.4% -> 20.4%, process: RSS(28.41MiB -> 28.41MiB), VMS(705.28MiB -> 705.28MiB)

Change log

Release

Released on

Release Type

Details

Recommended actions

2.0.0

Full Release

Full Release

-