QualysGuard Security and Compliance Suite automates the process of vulnerability management and policy compliance across the enterprise, providing network discovery and mapping, asset prioritization, vulnerability assessment reporting and remediation tracking according to business risk. One or more QualysGuard appliances are installed to scan hosts and collect vulnerability data; however, all management and reporting functions are performed through the Qualys web application.
This document describes how to configure collection of Qualys vulnerability data through the LogRhythm System Monitor Agent.
You must be running Qualys API v1 or v2.
The agent's collection mechanism reads from a file and uses state tracking to remember the last log read from that file. The following information is required for this process to work and should be gathered before configuring collection:
- Name of the file that will be accessed and collected by the agent.
- The LogRhythm System Monitor Agent used to collect the audit data from the flat file.
Configure Qualys Vulnerability Scanner
Qualys requires a user name and password to connect to the API. Customers can create a specific user for this purpose or configure an existing user to have API access. If the user has not been granted API access and fully activated for both web and API access, an error will be written to the System Monitor log with the message “Invalid Qualys user name and password.”
To create a new user:
- Open the Qualys Web Interface.
- Under Tools, click the User Accounts section.
- Select the menu New / User…
- Fill out the required fields, supplying a valid email address to which you have access.
- Ensure that the user has access to one or more Asset Groups, which allows records to be collected.
- Confirm that the Allow access to: API box is selected, then click Save.
  Qualys sends an email to the supplied address.
- Click the link and log in to activate the account.
  Qualys sends a second email to the supplied address with a link to the following URL: https://qualysguard.qualys.com/fo/
- Click this link and log in a second time to enable API access.
- Use these credentials for the configuration below.
To use the LogRhythm Qualys integration, you must subscribe to both the Qualys API module and the KBX (Knowledge Base Download API). You must contact your Qualys representative and request that the KBX API be turned on; it is not turned on by default.
If you do not subscribe to the API module and the KBX is not turned on, the following error message appears:

    Warning*** Unable to query Qualys knowledge base for QID xxxxx: You are not allowed to download the Knowledge Base, please contact your sales representative for more information.

If you receive this error message, contact your Qualys representative for assistance.
The Qualys interface is configured with an ini file in the Agent's config folder (typically “C:\Program Files\LogRhythm\LogRhythm System Monitor\config\qualys.ini”). The following configuration options are available in the qualys.ini file:
| Setting | Default | Description |
|---|---|---|
| URL | | The URL of the Qualys API. |
| UserName | CHANGE_THIS | The API user name. |
| | | The API password. The password must be encrypted using the lrcrypt command line utility. Usage: `lrcrypt [-e passwordtoencrypt] [path\inifile]`. See LogRhythm Password Encryption for more information on how to use the LogRhythm Encryption Utility. |
| RetryLimit | 3 | The number of times to retry the connection to Qualys. |
| NumberHostsToQuery | -1 | The number of hosts to query. The default value (-1) sets no limit on the number of hosts. |
| KBCacheExpiresDays | 90 | The length of time that Qualys knowledge base documents are kept in a file before being deleted and downloaded again. |
| | | Flag which controls the source of the log message date. False uses the current date and time; True uses the date and time Qualys last found the vulnerability. |
| Timeout | 100 | The timeout (in seconds) to use when requesting data from the Qualys server. Range: 0-300 s (0 = infinite). |
| | | Flags to control which days of the week to query the API. Each day should be set to true or false. |
| Time | 01:00 | The time of day to query the API. Both 12 and 24 hour time formats are recognized. |
| RepeatInterval | 1:00 | The repeat interval for querying the API after the initial query controlled by the Time setting. If set to zero, the API is queried only once per day according to the Time setting. If non-zero, the API is queried every <RepeatInterval> minutes starting at <Time>. |
| StartupDelayInSeconds | 60 | If the API needs to be queried when the System Monitor is started, it waits this long before running. |

Proxy settings:

| Setting | Description |
|---|---|
| ProxyServer | The URL of the proxy server to use for connecting to the Qualys API. |
| UserName | If required, the proxy server user name. |
| Password | If required, the proxy server password. The password must be encrypted using the lrcrypt command line utility. Usage: `lrcrypt [-e passwordtoencrypt] [path\inifile]`. See Deployment Security for more information on how to use the LogRhythm Encryption Utility. |
| Domain | If required, the name of the domain to which the proxy belongs. |
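A small checker, added here as an example and not something shipped with LogRhythm, that reads a qualys.ini and flags values outside the ranges documented above (Timeout 0-300, NumberHostsToQuery -1 or positive, Time in 12- or 24-hour form, UserName still set to CHANGE_THIS). The sample ini and its [Qualys] section header are constructed assumptions; the page does not show the file's section layout, so the checker reads keys from whatever sections it finds.

```python
import configparser
import re

# Constructed sample qualys.ini, not taken from the page. The [Qualys] section
# header is an assumption; the checker reads keys from every section it finds.
SAMPLE_INI = """\
[Qualys]
URL = https://qualysguard.qualys.com/
UserName = CHANGE_THIS
RetryLimit = 3
NumberHostsToQuery = -1
KBCacheExpiresDays = 90
Timeout = 400
Time = 1:00 PM
StartupDelayInSeconds = 60
"""

TIME_24H = re.compile(r"^([01]?\d|2[0-3]):[0-5]\d$")  # HH:MM
TIME_12H = re.compile(r"^(0?[1-9]|1[0-2]):[0-5]\d ?[AaPp][Mm]$")  # H:MM AM/PM

def load_settings(ini_text):
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case exactly as written in the file
    parser.read_string(ini_text)
    return {k: v for s in parser.sections() for k, v in parser.items(s)}

def _as_int(value):
    return int(value) if str(value).lstrip("-").isdigit() else None

def check_settings(settings):
    # Each finding mirrors a range or default documented for qualys.ini.
    findings = []
    if settings.get("UserName", "CHANGE_THIS") == "CHANGE_THIS":
        findings.append("UserName: still the CHANGE_THIS placeholder")
    timeout = _as_int(settings.get("Timeout"))
    if timeout is None or not 0 <= timeout <= 300:
        findings.append("Timeout: must be 0-300 seconds (0 = infinite)")
    hosts = _as_int(settings.get("NumberHostsToQuery"))
    if hosts is None or (hosts != -1 and hosts < 1):
        findings.append("NumberHostsToQuery: must be -1 (no limit) or a positive count")
    for key in ("RetryLimit", "KBCacheExpiresDays", "StartupDelayInSeconds"):
        value = _as_int(settings.get(key))
        if value is None or value < 0:
            findings.append(f"{key}: must be a non-negative integer")
    time_value = settings.get("Time", "")
    if not (TIME_24H.match(time_value) or TIME_12H.match(time_value)):
        findings.append("Time: use HH:MM (24-hour) or H:MM AM/PM (12-hour)")
    return findings
```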
Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.
A LogRhythm System Monitor Agent must be used to collect the logs. The file being collected must be readable on the agent's host using a standard file path such as /var/log/logfile.txt or C:\logs\logfile.txt.
To create a Qualys Log Source:
- On the main toolbar, click Deployment Manager.
- Click the System Monitors tab.
- Double-click the System Monitor Agent that will collect the information from the Qualys interface.
  The System Monitor Agent Properties dialog box appears.
- Click the Agent Settings tab.
- Right-click anywhere in the Log Message Sources Collected by this Agent grid, and then click New.
- Click the Basic Configuration tab.
- Configure the following fields:
  - Log Message Source Type. Select API - Qualys Vulnerability Scanner.
  - Log Message Processing Mode. Select MPE Processing Enabled, Event Forwarding Enabled.
  - Log Message Processing Engine (MPE) Policy. Select LogRhythm Default.
- Click the Flat File Settings tab.
- In the File Path box, type the full file path to the qualys.ini configuration file, including the file name (typically “C:\Program Files\LogRhythm\LogRhythm System Monitor\config\qualys.ini”).
- Click OK to save the configuration, and then click OK to close the System Monitor Agent Properties dialog box.