Document toolboxDocument toolbox

Qualys FIM collector

Overview

Qualys File Integrity Monitoring (FIM) is a highly scalable cloud app that enables a simple way to monitor critical files, directories, and registry paths for.

Devo collector features

Feature

Details

Feature

Details

Allow parallel downloading (multipod)

not allowed

Running environments

  • collector server

  • on-premise

Populated Devo events

table

Flattening preprocessing

no

Data sources

Data source

Description

API endpoint

Collector service name

Devo table

Available from release

Data source

Description

API endpoint

Collector service name

Devo table

Available from release

Events

Get all the events

/v2/events/search

fim_alerts

monitor.qualys.fim.event

v1.0.1

Incidents

Get all the Incident

v3/incidents/search

fim_incidents

monitor.qualys.fim.incident

v1.0.1

For more information on how the events are parsed, visit our page.

Flattening preprocessing

Data source

Collector service

Optional

Flattening details

Data source

Collector service

Optional

Flattening details

Events

events

yes

not required

Incidents

incidents

yes

not required

Minimum configuration required for basic pulling

Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.

This minimum configuration refers exclusively to those specific parameters of this integration. There are more required parameters related to the generic behavior of the collector. Check setting sections for details.

Setting

Details

Setting

Details

username

The username for Qualys FIM API.

password

The password for Qualys FIM API.

base_url

The token endpoint for to get the access token. (Ex:-https://<qualys_base_url>)

auth_url

The auth url for Qualys FIM API
(Ex:-https://<qualys_base_url>/auth)

See the Accepted authentication methods section to verify what settings are required based on the desired authentication method.

Accepted authentication methods

Authentication method

Username

password

Authentication method

Username

password

credentials

REQUIRED

REQUIRED

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

Collector services detail

This section is intended to explain how to proceed with specific actions for services.

fim_incidents

Once the collector has been launched, it is important to check if the ingestion is performed in a proper way. To do so, go to the collector’s logs console.

This service has the following components:

Component

Description

Component

Description

Setup

The setup module is in charge of authenticating the service and managing the token expiration when needed.

Puller

The setup module is in charge of pulling the data in a organized way and delivering the events via SDK.

Setup output

A successful run has the following output messages for the setup module:

2024-05-30T17:12:26.992 INFO OutputProcess::MainThread -> Process started 2024-05-30T17:12:26.994 INFO MainProcess::MainThread -> Started all object from "MainProcess" process 2024-05-30T17:12:26.994 INFO InputProcess::MainThread -> Process Started 2024-05-30T17:12:27.015 INFO InputProcess::MainThread -> QualysFimBasePuller(qualys_fim,123123,fim_events,predefined) Starting the execution of init_variables() 2024-05-30T17:12:27.015 INFO InputProcess::MainThread -> Validating service metadata 2024-05-30T17:12:27.016 INFO InputProcess::MainThread -> Validating defined module definition 2024-05-30T17:12:27.019 INFO OutputProcess::MainThread -> DevoSender(standard_senders,devo_sender_0) -> Starting thread 2024-05-30T17:12:27.019 INFO InputProcess::MainThread -> Validating common input config 2024-05-30T17:12:27.019 INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(standard_senders,devo_1) -> Starting thread (every 300 seconds) 2024-05-30T17:12:27.019 INFO OutputProcess::MainThread -> DevoSenderManager(standard_senders,manager,devo_1) -> Starting thread 2024-05-30T17:12:27.019 INFO OutputProcess::MainThread -> DevoSender(lookup_senders,devo_sender_0) -> Starting thread 2024-05-30T17:12:27.020 INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(lookup_senders,devo_1) -> Starting thread (every 300 seconds) 2024-05-30T17:12:27.020 INFO OutputProcess::MainThread -> DevoSenderManager(lookup_senders,manager,devo_1) -> Starting thread 2024-05-30T17:12:27.020 INFO OutputProcess::DevoSenderManager(lookup_senders,manager,devo_1) -> [EMERGENCY PERSISTENCE SYSTEM] DevoSenderManager(lookup_senders,manager,devo_1) -> Nothing retrieved from the persistence. 2024-05-30T17:12:27.020 INFO InputProcess::MainThread -> Validating service input config 2024-05-30T17:12:27.020 INFO OutputProcess::MainThread -> DevoSender(internal_senders,devo_sender_0) -> Starting thread 2024-05-30T17:12:27.020 INFO OutputProcess::OutputLookupConsumer(lookup_senders_consumer_0) -> [EMERGENCY PERSISTENCE SYSTEM] OutputLookupConsumer(lookup_senders_consumer_0) -> Nothing retrieved from the persistence. 2024-05-30T17:12:27.021 INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(internal_senders,devo_1) -> Starting thread (every 300 seconds) 2024-05-30T17:12:27.021 INFO OutputProcess::DevoSenderManager(standard_senders,manager,devo_1) -> [EMERGENCY PERSISTENCE SYSTEM] DevoSenderManager(standard_senders,manager,devo_1) -> Nothing retrieved from the persistence. 2024-05-30T17:12:27.021 INFO OutputProcess::OutputStandardConsumer(standard_senders_consumer_0) -> [EMERGENCY PERSISTENCE SYSTEM] OutputStandardConsumer(standard_senders_consumer_0) -> Nothing retrieved from the persistence. 2024-05-30T17:12:27.021 INFO OutputProcess::MainThread -> DevoSenderManager(internal_senders,manager,devo_1) -> Starting thread 2024-05-30T17:12:27.021 INFO InputProcess::MainThread -> Running overriding rules 2024-05-30T17:12:27.021 INFO InputProcess::MainThread -> Validating the rate limiter config given by the user 2024-05-30T17:12:27.021 INFO InputProcess::MainThread -> <requests_limits> setting has not been defined. The generic settings will be used instead. 2024-05-30T17:12:27.021 INFO InputProcess::MainThread -> Adding raw config to the collector store 2024-05-30T17:12:27.021 INFO OutputProcess::OutputInternalConsumer(internal_senders_consumer_0) -> [EMERGENCY PERSISTENCE SYSTEM] OutputInternalConsumer(internal_senders_consumer_0) -> Nothing retrieved from the persistence. 2024-05-30T17:12:27.021 INFO InputProcess::MainThread -> Running custom validation rules 2024-05-30T17:12:27.021 INFO InputProcess::MainThread -> QualysFimBasePuller(qualys_fim,123123,fim_events,predefined) Finalizing the execution of init_variables() 2024-05-30T17:12:27.023 INFO InputProcess::MainThread -> QualysFimBasePuller(qualys_fim,123123,fim_incidents,predefined) Starting the execution of init_variables() 2024-05-30T17:12:27.023 INFO OutputProcess::DevoSenderManager(internal_senders,manager,devo_1) -> [EMERGENCY PERSISTENCE SYSTEM] DevoSenderManager(internal_senders,manager,devo_1) -> Nothing retrieved from the persistence. 2024-05-30T17:12:27.023 INFO InputProcess::MainThread -> Validating service metadata 2024-05-30T17:12:27.024 INFO InputProcess::MainThread -> Validating defined module definition 2024-05-30T17:12:27.026 INFO InputProcess::MainThread -> Validating common input config 2024-05-30T17:12:27.027 INFO InputProcess::MainThread -> Validating service input config 2024-05-30T17:12:27.028 INFO InputProcess::MainThread -> Running overriding rules 2024-05-30T17:12:27.028 INFO InputProcess::MainThread -> Validating the rate limiter config given by the user 2024-05-30T17:12:27.028 INFO InputProcess::MainThread -> <requests_limits> setting has not been defined. The generic settings will be used instead. 2024-05-30T17:12:27.028 INFO InputProcess::MainThread -> Adding raw config to the collector store 2024-05-30T17:12:27.028 INFO InputProcess::MainThread -> Running custom validation rules 2024-05-30T17:12:27.028 INFO InputProcess::MainThread -> QualysFimBasePuller(qualys_fim,123123,fim_incidents,predefined) Finalizing the execution of init_variables() 2024-05-30T17:12:27.029 INFO InputProcess::MainThread -> InputThread(qualys_fim,123123) - Starting thread (execution_period=60s) 2024-05-30T17:12:27.029 INFO InputProcess::MainThread -> ServiceThread(qualys_fim,123123,fim_events,predefined) - Starting thread (execution_period=60s) 2024-05-30T17:12:27.029 INFO InputProcess::MainThread -> QualysFimBasePullerSetup(qualys_fim_collector,qualys_fim#123123,fim_events#predefined) -> Starting thread 2024-05-30T17:12:27.030 INFO InputProcess::MainThread -> QualysFimBasePuller(qualys_fim,123123,fim_events,predefined) - Starting thread 2024-05-30T17:12:27.030 WARNING InputProcess::QualysFimBasePuller(qualys_fim,123123,fim_events,predefined) -> Waiting until setup will be executed 2024-05-30T17:12:27.030 INFO InputProcess::QualysFimBasePullerSetup(qualys_fim_collector,qualys_fim#123123,fim_events#predefined) -> First run of the collector. Generating new access token. 2024-05-30T17:12:27.030 WARNING InputProcess::QualysFimBasePullerSetup(qualys_fim_collector,qualys_fim#123123,fim_events#predefined) -> The token/header/authentication has not been created yet 2024-05-30T17:12:27.032 INFO InputProcess::MainThread -> ServiceThread(qualys_fim,123123,fim_incidents,predefined) - Starting thread (execution_period=60s) 2024-05-30T17:12:27.032 INFO InputProcess::MainThread -> QualysFimBasePullerSetup(qualys_fim_collector,qualys_fim#123123,fim_incidents#predefined) -> Starting thread 2024-05-30T17:12:27.032 INFO InputProcess::MainThread -> QualysFimBasePuller(qualys_fim,123123,fim_incidents,predefined) - Starting thread 2024-05-30T17:12:27.032 WARNING InputProcess::QualysFimBasePuller(qualys_fim,123123,fim_incidents,predefined) -> Waiting until setup will be executed 2024-05-30T17:12:27.032 INFO InputProcess::QualysFimBasePullerSetup(qualys_fim_collector,qualys_fim#123123,fim_incidents#predefined) -> First run of the collector. Generating new access token. 2024-05-30T17:12:27.033 WARNING InputProcess::QualysFimBasePullerSetup(qualys_fim_collector,qualys_fim#123123,fim_incidents#predefined) -> The token/header/authentication has not been created yet 2024-05-30T17:12:27.035 INFO OutputProcess::MainThread -> [GC] global: 32.3% -> 32.3%, process: RSS(41.68MiB -> 42.68MiB), VMS(928.46MiB -> 928.46MiB) 2024-05-30T17:12:27.046 INFO InputProcess::MainThread -> [GC] global: 32.3% -> 32.4%, process: RSS(41.70MiB -> 41.70MiB), VMS(712.45MiB -> 712.45MiB) 2024-05-30T17:12:28.308 INFO OutputProcess::DevoSender(internal_senders,devo_sender_0) -> Created a sender: {"name": "DevoSender(internal_senders,devo_sender_0)", "url": "collector-eu.devo.io:443", "chain_path": "/home/md_tausif/gitlab/devo-collector-qualys-fim/certs/chain.crt", "cert_path": "/home/md_tausif/gitlab/devo-collector-qualys-fim/certs/int-if-integrations-india.crt", "key_path": "/home/md_tausif/gitlab/devo-collector-qualys-fim/certs/int-if-integrations-india.key", "transport_layer_type": "SSL", "last_usage_timestamp": null, "socket_status": null}, hostname: "2023-apac-0046", session_id: "139771304509792" 2024-05-30T17:12:36.214 INFO InputProcess::QualysFimBasePullerSetup(qualys_fim_collector,qualys_fim#123123,fim_events#predefined) -> Token is valid. Skipping the generation of new access token 2024-05-30T17:12:36.215 INFO InputProcess::QualysFimBasePullerSetup(qualys_fim_collector,qualys_fim#123123,fim_events#predefined) -> Token is valid. Skipping the generation of new access token 2024-05-30T17:12:36.215 INFO InputProcess::QualysFimBasePullerSetup(qualys_fim_collector,qualys_fim#123123,fim_events#predefined) -> Setup for module <QualysFimBasePuller> has been successfully executed

Puller output

A successful initial run has the following output messages for the puller module:

Note that the PrePull action is executed only one time before the first run of the Pull action.

2024-05-30T17:12:45.058 INFO InputProcess::QualysFimBasePuller(qualys_fim,123123,fim_incidents,predefined) -> Pull Started 2024-05-30T17:12:45.058 INFO InputProcess::QualysFimBasePuller(qualys_fim,123123,fim_incidents,predefined) -> Fetching data From : 2024-01-03 10:00:00+00:00 To : 2024-01-05 10:00:00+00:00 2024-05-30T17:12:47.053 INFO InputProcess::QualysFimBasePuller(qualys_fim,123123,fim_incidents,predefined) -> Sent 2 fim_incidents events to Devo. 2024-05-30T17:12:47.053 INFO InputProcess::QualysFimBasePuller(qualys_fim,123123,fim_incidents,predefined) -> (Partial) Statistics for this pull cycle (@devo_pulling_id=1717069365052):Number of requests made: 1; Number of events received: 2; Number of duplicated events filtered out: 0; Number of events generated and sent: 2; Average of events per second: 1.002.

After a successful collector’s execution (that is, no error logs found), you will see the following log message:

2024-05-30T17:12:47.053 INFO InputProcess::QualysFimBasePuller(qualys_fim,123123,fim_incidents,predefined) -> Statistics for this pull cycle (@devo_pulling_id=1717069365052):Number of requests made: 1; Number of events received: 2; Number of duplicated events filtered out: 0; Number of events generated and sent: 2; Average of events per second: 1.002.

This collector uses persistent storage to download events in an orderly fashion and avoid duplicates. In case you want to re-ingest historical data or recreate the persistence, you can restart the persistence of this collector by following these steps:

  1. Edit the configuration file.

  2. Change the value of the start_time_in_utc parameter to a different one.

  3. Save the changes.

  4. Restart the collector.

The collector will detect this change and will restart the persistence using the parameters of the configuration file or the default configuration in case it has not been provided.

This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.

Error type

Error ID

Error message

Cause

Solution

Error type

Error ID

Error message

Cause

Solution

SetupError

100

Error occurred while requesting from the Qualys server. Error message: {error_message}

Error pccurred on the qualys server

you’ll get error message. Kindly reach the developer with the message

101

The tokens provided are incorrect. Please specify the correct credentials

tokens (username, password) is invalid or incorrect

Please provide the correct tokens (username , password)

102

The provided tokens are valid but they do not have the permission to get data

No permission for provided credentials to get the data

Please get the required permission to fetch the data from the vendor.

103

Unexpected HTTP error occurred at the Qualys server. status cod

Unexpected HTTP error

Contact team in this case

PullError

300

HTTP Error occurred while retrieving events from Qualys server{summery} , {details}

This error happens when the collector tries to fetch the data from API.

In this error you will find the HTTP error code as well as the summary and details.

 

301

Some error occurred while retrieving events from Qualys server. Error details: {details}

Some exceptions occurred while making the API request.

Reach out to the developer with the exact error message.

fim_alerts

Once the collector has been launched, it is important to check if the ingestion is performed in a proper way. To do so, go to the collector’s logs console.

This service has the following components:

Component

Description

Component

Description

Setup

The setup module is in charge of authenticating the service and managing the token expiration when needed.

Puller

The setup module is in charge of pulling the data in a organized way and delivering the events via SDK.

Setup output

A successful run has the following output messages for the setup module:

A successful initial run has the following output messages for the puller module:

After a successful collector’s execution (that is, no error logs found), you will see the following log message:

This collector uses persistent storage to download events in an orderly fashion and avoid duplicates. In case you want to re-ingest historical data or recreate the persistence, you can restart the persistence of this collector by following these steps:

  1. Edit the configuration file.

  2. Change the value of the start_time_in_utc parameter to a different one.

  3. Save the changes.

  4. Restart the collector.

The collector will detect this change and will restart the persistence using the parameters of the configuration file or the default configuration in case it has not been provided.

Collector operations

This section is intended to explain how to proceed with specific operations of this collector.

Change log

Release

Released on

Release type

Details

Recommendations

Release

Released on

Release type

Details

Recommendations

v1.0.1

May 30, 2024

BUG FIX

Token expiration issue

Recommended version

v1.0.0

May 28, 2024

FIRST RELEASE

Released the first version of the Qualys FIM collector.

Initial version