Initialize the Qualys FIM Beat

Prerequisites

  • The Open Collector is installed. If you have not already installed it, follow the instructions in the Open Collector Installation and User Guide, and then return to this topic.

  • An API Token is generated to provide the configuration keys.

  • The required keys (API base URL, Username, and Password) must be supplied when configuring the Qualys FIM Beat.

  • The following port is open:

    Direction   Port   Protocol   Source
    Outbound    443    HTTPS      qualysfimbeat

Initialize the Beat via the Web Console (Recommended)

  1. Ensure that the Open Collector Connection to the SIEM (WebUI) setup has been completed.

  2. Ensure that the System Monitor Agent to which you intend to send these logs has been Configured for JSON Parsing.

     Use either the Enable JSON Parsing on System Monitor Agents or the Enable JSON Parsing for an Existing System Monitor Agent sections at the above link to configure the System Monitor Agent for JSON Parsing.

  3. Follow the steps outlined in Add a Beat in the Web Console to create the Beat via the Web UI.

Initialize the Beat via Command Line (Legacy)

  1. Confirm the Open Collector is running:

    ./lrctl status
    

    You should see the open_collector and metrics versions.

    If the Open Collector is not running correctly, see Troubleshoot the Open Collector in the Open Collector Installation and User Guide.

  2. In the Open Collector, run the following command to start the beat:

    ./lrctl qualysfimbeat start
    
  3. Enter the following details:

    1. A unique identifier for the Qualys FIM beat.

    2. The API base URL for the Qualys FIM beat. 

      For more information on the API base URL, see Identify your Qualys Platform.

      The Qualys login link must be mapped to its API base URL, which is used to make API calls to Qualys FIM.

      For example, in the Identify your Qualys Platform topic, if the Platform URL under Your Platform is "https://qualysguard.qg2.apps.qualys.com", the Platform is US2. The API base URL for the Qualys FIM beat is the API Gateway URL listed under API URLs for that Platform. Therefore, the API base URL in this case is "https://gateway.qg2.apps.qualys.com".

    3. The username for the Qualys FIM beat.

      This is the login username used to access the Qualys Portal.

    4. The password for the Qualys FIM beat.

      This is the login password used to access the Qualys Portal.

    The configuration has been saved and the service has been started successfully.

  4. (Optional) To check the status of the service, run the following command:

    ./lrctl qualysfimbeat status
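
A pre-flight check for the API base URL entered in step 3, as an added example that is not part of this guide's product or of lrctl: it rejects the portal login URL and other malformed values, then tests the outbound 443 prerequisite. The function names are hypothetical, and it assumes gateway hosts begin with "gateway." and portal hosts with "qualysguard.", as in the US2 example above.

```shell
#!/bin/sh
# Added example: pre-flight checks for the API base URL typed at the
# "./lrctl qualysfimbeat start" prompt. Function names are hypothetical.

# check_base_url URL -> 0 if URL has the shape of an API Gateway base URL.
# Assumption: gateway hosts start with "gateway." and portal login hosts
# with "qualysguard.", as in the US2 example on this page.
check_base_url() {
    case "$1" in
        https://*) ;;
        *) echo "reject: scheme must be https" >&2; return 1 ;;
    esac
    rest=${1#https://}
    host=${rest%%/*}
    path=${rest#"$host"}
    case "$host" in
        ""|*[!A-Za-z0-9.-]*)
            echo "reject: host must be a bare name (no user, port or query)" >&2
            return 1 ;;
        qualysguard.*)
            echo "reject: this is the portal login URL, not the API Gateway URL" >&2
            return 1 ;;
        gateway.*) ;;
        *) echo "reject: host does not start with gateway." >&2; return 1 ;;
    esac
    case "$path" in
        ""|/) ;;
        *) echo "reject: base URL must not carry a path" >&2; return 1 ;;
    esac
}

# check_outbound_443 URL -> 0 if an HTTPS connection to the host succeeds
# from this machine (the outbound 443/HTTPS prerequisite). Needs curl.
# Any HTTP status counts as success; only connect or TLS errors fail.
check_outbound_443() {
    curl -sS -o /dev/null --connect-timeout 10 "$1"
}

# Run both checks when a URL is passed: sh preflight.sh https://gateway...
if [ "$#" -gt 0 ]; then
    check_base_url "$1" && check_outbound_443 "$1" && echo "ok: $1"
fi
```

Run it on the Open Collector host itself, so the connectivity test exercises the same outbound path the beat will use.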
    

Default Config Values for Qualys FIM Beat

S. No.   Field Name          Default Value
1.       period              120s
2.       HeartbeatInterval   1m0s
3.       HeartbeatDisabled   false
4.       username            User Provided
5.       password            User Provided
6.       url                 User Provided
7.       numberofbackdays    7


Troubleshooting tips

If you experience data loss while the beat is running, increase the period value in the configuration file. By default, the beat is configured to poll 2000 logs/request during a period of 120 seconds. The number of logs to pull during the period can also be increased in the configuration file.