This website uses cookies. By continuing to browse or login to this website, you consent to the use of cookies. Learn more.
OK
drbeanz
Absent Member.
Absent Member.
‎2013-03-13 12:56
1312 views

QualysGuard and ESM

Jump to solution

Hello there!

This is my first post to this forum, and I figured I'd kick it off with something that's been stumping me for a while. We have a Connector in a ArcSight Connector appliance that is supposed to gather host and vulnerability data from QualysGuard. The Connector sends this data to a Logger device, but the only events I can see coming from the Connector are "Connector Raw Event Statistics". When I configure the Connector to send data directly to the ESM, the same events show up there and no new vulnerabilities are added to the Vulnerability Active List, even though I have confirmed that there are new vulnerabilities in recent QG reports.

Please see the "Qualys_ArcSight_settings" attached JPG for a screenshot of our current Connector settings.

I've successfully accessed the scan_report.php and scan_report_list.php pages with my QualysGuard credentials, and there I can properly see data from recent reports. I also tried setting up another Connector from scratch, but I get the same "Connector Raw Event Statistics" events and no updated vulnerabilities in the ESM. Any other troubleshooting ideas that I should try?

On another note, this functionality was apparently working at one point because I see historical vulnerabilities on the ESM with the format "Qualys - 19071" instead of the actual vulnerability name (see this post for another example). The properties of the vulnerability don't add other data - see "Sample_vulnerability" attached JPG - as I expected they would, according to page 13 of the configuration PDF (attached). Is there a way to change this mapping or to add more fields to the ESM vulnerability object?

Thank you!

Labels (4)
Preview file
56 KB
Preview file
63 KB
Preview file
146 KB
0 Likes
Reply
Report Inappropriate Content
1 Solution

Accepted Solutions
drbeanz
Absent Member.
Absent Member.
‎2013-03-18 20:32

Jump to solution

kevquinlan - thanks for your suggestion. After getting inconclusive results from the agent.log, I decided to open a case with ArcSight support. They informed me that QualysGuard 7.8 is not currently supported by the connector. Guess I'll have to try setting up Nessus next.

View solution in original post

0 Likes
Reply
Report Inappropriate Content
4 Replies
kevquinlan
Knowledge Partner Knowledge Partner
Knowledge Partner
‎2013-03-13 14:02

Jump to solution

i think you need to start by looking through the logs for this connector - it will likely point you in the right direction -i.e. credentials, connectivity etc.

you can view the logs by going through the connector appliance diagnostic tools and viewing the agent.log for this connector

What connector version are you using? it may be that you need to update to the more recent ones - for example support for Qualys version 7.1 + only came around Aug 2012 and 7.7 in Jan 2013 - it could be the API changed in Jan when the connector last seemed to work?

if you cant see anything obvious in the logs post a sanitised copy of your agent.log

0 Likes
Reply
Report Inappropriate Content
drbeanz
Absent Member.
Absent Member.
‎2013-03-18 20:32

Jump to solution

kevquinlan - thanks for your suggestion. After getting inconclusive results from the agent.log, I decided to open a case with ArcSight support. They informed me that QualysGuard 7.8 is not currently supported by the connector. Guess I'll have to try setting up Nessus next.

View solution in original post

0 Likes
Reply
Report Inappropriate Content
GrayWinst
Cadet 1st Class
Cadet 1st Class
‎2013-04-23 03:10

Jump to solution

Thanks so much for this post, our connector was driving me mad...  Here's the exception I was seeing... I can confirm that I do in fact have connectivity from my connector to the Qualys service...  the exception indicates connectivity, but I've verified all is well on that front...

I'd be curious if you had the same exception in your agent.log file...

[2013-04-23 01:48:27,178][ERROR][default.com.arcsight.util.AgentUtil][fromFileToJAXPDocument]

java.net.ConnectException: Connection timed out: connect

at java.net.PlainSocketImpl.socketConnect(Native Method)

at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:351)

at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:213)

at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:200)

at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:366)

at java.net.Socket.connect(Socket.java:529)

at com.sun.net.ssl.internal.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:559)

at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.connect(BaseSSLSocketImpl.java:141)

at sun.net.NetworkClient.doConnect(NetworkClient.java:163)

at sun.net.www.http.HttpClient.openServer(HttpClient.java:394)

at sun.net.www.http.HttpClient.openServer(HttpClient.java:529)

at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:272)

at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:329)

at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:172)

at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:911)

at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:158)

at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1172)

at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)

at java.net.URL.openStream(URL.java:1010)

at org.apache.xerces.readers.DefaultReaderFactory.createReader(DefaultReaderFactory.java:149)

at org.apache.xerces.readers.DefaultEntityHandler.startReadingFromExternalEntity(DefaultEntityHandler.java:767)

at org.apache.xerces.readers.DefaultEntityHandler.startReadingFromExternalSubset(DefaultEntityHandler.java:566)

at org.apache.xerces.framework.XMLDTDScanner.scanDoctypeDecl(XMLDTDScanner.java:1139)

at org.apache.xerces.framework.XMLDocumentScanner.scanDoctypeDecl(XMLDocumentScanner.java:2197)

at org.apache.xerces.framework.XMLDocumentScanner.access$000(XMLDocumentScanner.java:86)

at org.apache.xerces.framework.XMLDocumentScanner$PrologDispatcher.dispatch(XMLDocumentScanner.java:883)

at org.apache.xerces.framework.XMLDocumentScanner.parseSome(XMLDocumentScanner.java:381)

at org.apache.xerces.framework.XMLParser.parse(XMLParser.java:952)

at com.arcsight.util.AgentUtil.fromStringToJAXPDocument(AgentUtil.java:429)

at com.arcsight.agent.lf.b.n(b.java:330)

at com.arcsight.agent.lf.b.run(b.java:562)

at java.lang.Thread.run(Thread.java:662)

0 Likes
Reply
Report Inappropriate Content
GrayWinst
Cadet 1st Class
Cadet 1st Class
‎2013-04-23 03:23

Jump to solution

After posting the above, I found these comments in Trouble-Shooting section... I'm leaving my prior post in case you (like me) run into the problem below... the error above relates to it...

Communication with the Qualys URL cannot be established. What can I do?

There is a known issue with the connector framework attempting to access the Internet directly, even when you specify proxy settings during connector setup. This causes communication to the Qualys URL to fail. To work around this problem, modify the following settings in the $ARCSIGHT_HOME/current/jre/lib/net.properties file:

https.proxyHost=<hostname> http.nonProxyHosts=localhost|127.0.0.1|<manager_host>|<manager_ip> https.nonProxyHosts=localhost|127.0.0.1|<manager_host>|<manager_ip>

0 Likes
Reply
Report Inappropriate Content
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.