Qualys FIM collector

[ 1 Overview ] [ 2 Devo collector features ] [ 3 Data sources ] [ 4 Flattening preprocessing ] [ 5 Minimum configuration required for basic pulling ] [ 6 Accepted authentication methods ] [ 7 Run the collector ] [ 8 Collector services detail ] [ 9 Collector operations ] [ 10 Change log ]

Overview

Qualys File Integrity Monitoring (FIM) is a highly scalable cloud app that enables a simple way to monitor critical files, directories, and registry paths for.

Devo collector features

Feature	Details

Feature	Details
Allow parallel downloading (`multipod`)	`not allowed`
Running environments	`collector server` `on-premise`
Populated Devo events	`table`
Flattening preprocessing	`no`

Data sources

Data source	Description	API endpoint	Collector service name	Devo table	Available from release

Data source	Description	API endpoint	Collector service name	Devo table	Available from release
`Events`	`Get all the events`	`/v2/events/search`	`fim_alerts`	`monitor.qualys.fim.event`	`v1.0.1`
`Incidents`	`Get all the Incident`	`v3/incidents/search`	`fim_incidents`	`monitor.qualys.fim.incident`	`v1.0.1`

For more information on how the events are parsed, visit our page.

Flattening preprocessing

Data source	Collector service	Optional	Flattening details

Data source	Collector service	Optional	Flattening details
`Events`	`events`	`yes`	not required
`Incidents`	`incidents`	`yes`	not required

Minimum configuration required for basic pulling

Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.

This minimum configuration refers exclusively to those specific parameters of this integration. There are more required parameters related to the generic behavior of the collector. Check setting sections for details.

Setting	Details

Setting	Details
`username`	The username for Qualys FIM API.
`password`	The password for Qualys FIM API.
`base_url`	The token endpoint for to get the access token. (Ex:-`https://<qualys_base_url>)`
`auth_url`	The auth url for Qualys FIM API (Ex:-`https://<qualys_base_url>/auth)`

See the Accepted authentication methods section to verify what settings are required based on the desired authentication method.

Accepted authentication methods

Authentication method	Username	password

Authentication method	Username	password
`credentials`	REQUIRED	REQUIRED

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

Collector services detail

This section is intended to explain how to proceed with specific actions for services.

fim_incidents

Once the collector has been launched, it is important to check if the ingestion is performed in a proper way. To do so, go to the collector’s logs console.

This service has the following components:

Component	Description

Component	Description
Setup	The setup module is in charge of authenticating the service and managing the token expiration when needed.
Puller	The setup module is in charge of pulling the data in a organized way and delivering the events via SDK.

Setup output

A successful run has the following output messages for the setup module:

2024-05-30T17:12:26.992    INFO OutputProcess::MainThread -> Process started
2024-05-30T17:12:26.994    INFO MainProcess::MainThread -> Started all object from "MainProcess" process
2024-05-30T17:12:26.994    INFO InputProcess::MainThread -> Process Started
2024-05-30T17:12:27.015    INFO InputProcess::MainThread -> QualysFimBasePuller(qualys_fim,123123,fim_events,predefined) Starting the execution of init_variables()
2024-05-30T17:12:27.015    INFO InputProcess::MainThread -> Validating service metadata
2024-05-30T17:12:27.016    INFO InputProcess::MainThread -> Validating defined module definition
2024-05-30T17:12:27.019    INFO OutputProcess::MainThread -> DevoSender(standard_senders,devo_sender_0) -> Starting thread
2024-05-30T17:12:27.019    INFO InputProcess::MainThread -> Validating common input config
2024-05-30T17:12:27.019    INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(standard_senders,devo_1) -> Starting thread (every 300 seconds)
2024-05-30T17:12:27.019    INFO OutputProcess::MainThread -> DevoSenderManager(standard_senders,manager,devo_1) -> Starting thread
2024-05-30T17:12:27.019    INFO OutputProcess::MainThread -> DevoSender(lookup_senders,devo_sender_0) -> Starting thread
2024-05-30T17:12:27.020    INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(lookup_senders,devo_1) -> Starting thread (every 300 seconds)
2024-05-30T17:12:27.020    INFO OutputProcess::MainThread -> DevoSenderManager(lookup_senders,manager,devo_1) -> Starting thread
2024-05-30T17:12:27.020    INFO OutputProcess::DevoSenderManager(lookup_senders,manager,devo_1) -> [EMERGENCY PERSISTENCE SYSTEM] DevoSenderManager(lookup_senders,manager,devo_1) -> Nothing retrieved from the persistence.
2024-05-30T17:12:27.020    INFO InputProcess::MainThread -> Validating service input config
2024-05-30T17:12:27.020    INFO OutputProcess::MainThread -> DevoSender(internal_senders,devo_sender_0) -> Starting thread
2024-05-30T17:12:27.020    INFO OutputProcess::OutputLookupConsumer(lookup_senders_consumer_0) -> [EMERGENCY PERSISTENCE SYSTEM] OutputLookupConsumer(lookup_senders_consumer_0) -> Nothing retrieved from the persistence.
2024-05-30T17:12:27.021    INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(internal_senders,devo_1) -> Starting thread (every 300 seconds)
2024-05-30T17:12:27.021    INFO OutputProcess::DevoSenderManager(standard_senders,manager,devo_1) -> [EMERGENCY PERSISTENCE SYSTEM] DevoSenderManager(standard_senders,manager,devo_1) -> Nothing retrieved from the persistence.
2024-05-30T17:12:27.021    INFO OutputProcess::OutputStandardConsumer(standard_senders_consumer_0) -> [EMERGENCY PERSISTENCE SYSTEM] OutputStandardConsumer(standard_senders_consumer_0) -> Nothing retrieved from the persistence.
2024-05-30T17:12:27.021    INFO OutputProcess::MainThread -> DevoSenderManager(internal_senders,manager,devo_1) -> Starting thread
2024-05-30T17:12:27.021    INFO InputProcess::MainThread -> Running overriding rules
2024-05-30T17:12:27.021    INFO InputProcess::MainThread -> Validating the rate limiter config given by the user
2024-05-30T17:12:27.021    INFO InputProcess::MainThread -> <requests_limits> setting has not been defined. The generic settings will be used instead.
2024-05-30T17:12:27.021    INFO InputProcess::MainThread -> Adding raw config to the collector store
2024-05-30T17:12:27.021    INFO OutputProcess::OutputInternalConsumer(internal_senders_consumer_0) -> [EMERGENCY PERSISTENCE SYSTEM] OutputInternalConsumer(internal_senders_consumer_0) -> Nothing retrieved from the persistence.
2024-05-30T17:12:27.021    INFO InputProcess::MainThread -> Running custom validation rules
2024-05-30T17:12:27.021    INFO InputProcess::MainThread -> QualysFimBasePuller(qualys_fim,123123,fim_events,predefined) Finalizing the execution of init_variables()
2024-05-30T17:12:27.023    INFO InputProcess::MainThread -> QualysFimBasePuller(qualys_fim,123123,fim_incidents,predefined) Starting the execution of init_variables()
2024-05-30T17:12:27.023    INFO OutputProcess::DevoSenderManager(internal_senders,manager,devo_1) -> [EMERGENCY PERSISTENCE SYSTEM] DevoSenderManager(internal_senders,manager,devo_1) -> Nothing retrieved from the persistence.
2024-05-30T17:12:27.023    INFO InputProcess::MainThread -> Validating service metadata
2024-05-30T17:12:27.024    INFO InputProcess::MainThread -> Validating defined module definition
2024-05-30T17:12:27.026    INFO InputProcess::MainThread -> Validating common input config
2024-05-30T17:12:27.027    INFO InputProcess::MainThread -> Validating service input config
2024-05-30T17:12:27.028    INFO InputProcess::MainThread -> Running overriding rules
2024-05-30T17:12:27.028    INFO InputProcess::MainThread -> Validating the rate limiter config given by the user
2024-05-30T17:12:27.028    INFO InputProcess::MainThread -> <requests_limits> setting has not been defined. The generic settings will be used instead.
2024-05-30T17:12:27.028    INFO InputProcess::MainThread -> Adding raw config to the collector store
2024-05-30T17:12:27.028    INFO InputProcess::MainThread -> Running custom validation rules
2024-05-30T17:12:27.028    INFO InputProcess::MainThread -> QualysFimBasePuller(qualys_fim,123123,fim_incidents,predefined) Finalizing the execution of init_variables()
2024-05-30T17:12:27.029    INFO InputProcess::MainThread -> InputThread(qualys_fim,123123) - Starting thread (execution_period=60s)
2024-05-30T17:12:27.029    INFO InputProcess::MainThread -> ServiceThread(qualys_fim,123123,fim_events,predefined) - Starting thread (execution_period=60s)
2024-05-30T17:12:27.029    INFO InputProcess::MainThread -> QualysFimBasePullerSetup(qualys_fim_collector,qualys_fim#123123,fim_events#predefined) -> Starting thread
2024-05-30T17:12:27.030    INFO InputProcess::MainThread -> QualysFimBasePuller(qualys_fim,123123,fim_events,predefined) - Starting thread
2024-05-30T17:12:27.030 WARNING InputProcess::QualysFimBasePuller(qualys_fim,123123,fim_events,predefined) -> Waiting until setup will be executed
2024-05-30T17:12:27.030    INFO InputProcess::QualysFimBasePullerSetup(qualys_fim_collector,qualys_fim#123123,fim_events#predefined) -> First run of the collector. Generating new access token.
2024-05-30T17:12:27.030 WARNING InputProcess::QualysFimBasePullerSetup(qualys_fim_collector,qualys_fim#123123,fim_events#predefined) -> The token/header/authentication has not been created yet
2024-05-30T17:12:27.032    INFO InputProcess::MainThread -> ServiceThread(qualys_fim,123123,fim_incidents,predefined) - Starting thread (execution_period=60s)
2024-05-30T17:12:27.032    INFO InputProcess::MainThread -> QualysFimBasePullerSetup(qualys_fim_collector,qualys_fim#123123,fim_incidents#predefined) -> Starting thread
2024-05-30T17:12:27.032    INFO InputProcess::MainThread -> QualysFimBasePuller(qualys_fim,123123,fim_incidents,predefined) - Starting thread
2024-05-30T17:12:27.032 WARNING InputProcess::QualysFimBasePuller(qualys_fim,123123,fim_incidents,predefined) -> Waiting until setup will be executed
2024-05-30T17:12:27.032    INFO InputProcess::QualysFimBasePullerSetup(qualys_fim_collector,qualys_fim#123123,fim_incidents#predefined) -> First run of the collector. Generating new access token.
2024-05-30T17:12:27.033 WARNING InputProcess::QualysFimBasePullerSetup(qualys_fim_collector,qualys_fim#123123,fim_incidents#predefined) -> The token/header/authentication has not been created yet
2024-05-30T17:12:27.035    INFO OutputProcess::MainThread -> [GC] global: 32.3% -> 32.3%, process: RSS(41.68MiB -> 42.68MiB), VMS(928.46MiB -> 928.46MiB)
2024-05-30T17:12:27.046    INFO InputProcess::MainThread -> [GC] global: 32.3% -> 32.4%, process: RSS(41.70MiB -> 41.70MiB), VMS(712.45MiB -> 712.45MiB)
2024-05-30T17:12:28.308    INFO OutputProcess::DevoSender(internal_senders,devo_sender_0) -> Created a sender: {"name": "DevoSender(internal_senders,devo_sender_0)", "url": "collector-eu.devo.io:443", "chain_path": "/home/md_tausif/gitlab/devo-collector-qualys-fim/certs/chain.crt", "cert_path": "/home/md_tausif/gitlab/devo-collector-qualys-fim/certs/int-if-integrations-india.crt", "key_path": "/home/md_tausif/gitlab/devo-collector-qualys-fim/certs/int-if-integrations-india.key", "transport_layer_type": "SSL", "last_usage_timestamp": null, "socket_status": null}, hostname: "2023-apac-0046", session_id: "139771304509792"
2024-05-30T17:12:36.214    INFO InputProcess::QualysFimBasePullerSetup(qualys_fim_collector,qualys_fim#123123,fim_events#predefined) -> Token is valid. Skipping the generation of new access token 
2024-05-30T17:12:36.215    INFO InputProcess::QualysFimBasePullerSetup(qualys_fim_collector,qualys_fim#123123,fim_events#predefined) -> Token is valid. Skipping the generation of new access token 
2024-05-30T17:12:36.215    INFO InputProcess::QualysFimBasePullerSetup(qualys_fim_collector,qualys_fim#123123,fim_events#predefined) -> Setup for module <QualysFimBasePuller> has been successfully executed

Puller output

A successful initial run has the following output messages for the puller module:

Note that the PrePull action is executed only one time before the first run of the Pull action.

2024-05-30T17:12:45.058    INFO InputProcess::QualysFimBasePuller(qualys_fim,123123,fim_incidents,predefined) -> Pull Started
2024-05-30T17:12:45.058    INFO InputProcess::QualysFimBasePuller(qualys_fim,123123,fim_incidents,predefined) -> Fetching data From : 2024-01-03 10:00:00+00:00  To : 2024-01-05 10:00:00+00:00
2024-05-30T17:12:47.053    INFO InputProcess::QualysFimBasePuller(qualys_fim,123123,fim_incidents,predefined) -> Sent 2 fim_incidents events to Devo.
2024-05-30T17:12:47.053    INFO InputProcess::QualysFimBasePuller(qualys_fim,123123,fim_incidents,predefined) -> (Partial) Statistics for this pull cycle (@devo_pulling_id=1717069365052):Number of requests made: 1; Number of events received: 2; Number of duplicated events filtered out: 0; Number of events generated and sent: 2; Average of events per second: 1.002.

After a successful collector’s execution (that is, no error logs found), you will see the following log message:

2024-05-30T17:12:47.053    INFO InputProcess::QualysFimBasePuller(qualys_fim,123123,fim_incidents,predefined) -> Statistics for this pull cycle (@devo_pulling_id=1717069365052):Number of requests made: 1; Number of events received: 2; Number of duplicated events filtered out: 0; Number of events generated and sent: 2; Average of events per second: 1.002.

This collector uses persistent storage to download events in an orderly fashion and avoid duplicates. In case you want to re-ingest historical data or recreate the persistence, you can restart the persistence of this collector by following these steps:

Edit the configuration file.
Change the value of the start_time_in_utc parameter to a different one.
Save the changes.
Restart the collector.

The collector will detect this change and will restart the persistence using the parameters of the configuration file or the default configuration in case it has not been provided.

This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.

Error type	Error ID	Error message	Cause	Solution

Error type	Error ID	Error message	Cause	Solution
`SetupError`	100	Error occurred while requesting from the Qualys server. Error `message: {error_message}`	Error pccurred on the qualys server	you’ll get error message. Kindly reach the developer with the message
	101	The tokens provided are incorrect. Please specify the correct credentials	tokens (username, password) is invalid or incorrect	Please provide the correct tokens (username , password)
	102	The provided tokens are valid but they do not have the permission to get data	No permission for provided credentials to get the data	Please get the required permission to fetch the data from the vendor.
	103	Unexpected HTTP error occurred at the Qualys server. status cod	Unexpected HTTP error	Contact team in this case
`PullError`	300	HTTP Error occurred while retrieving events from Qualys `server{summery}` , `{details}`	This error happens when the collector tries to fetch the data from API.	In this error you will find the HTTP error code as well as the summary and details.
	301	Some error occurred while retrieving events from Qualys server. `Error details: {details`}	Some exceptions occurred while making the API request.	Reach out to the developer with the exact error message.

fim_alerts