This Source is available in the Fed deployment.
A Qualys VMDR Source tracks errors, reports its health, and start-up progress. You’re informed, in real-time, if the Source is having trouble connecting, if there's an error requiring user action, or if it is healthy and collecting by utilizing Health Events.
When a Qualys VMDR Source is created, it goes through the following states:
- Pending. Once the Source is submitted, it is validated, stored, and placed in a Pending state.
- Started. A collection task is created on the Hosted Collector.
- Initialized. The task configuration is complete in Sumo Logic.
- Authenticated. The Source successfully authenticated with Qualys.
- Collecting. The Source is actively collecting data from Qualys.
If the Source has any issues during any one of these states, it is placed in an Error state.
When you delete the Source, it is placed in a Stopping state. When it has successfully stopped, it is deleted from your Hosted Collector.
On the Collection page, the Health and Status for Sources is displayed. Use Health Events to investigate issues with collection.
Hover your mouse over the status icon to view a tooltip with a count of the detected errors and warnings.
You can click on the status icon to open a Health Events panel with details on each detected issue.
Create a Qualys VMDR Source
When you create a Qualys VMDR Source, you add it to a Hosted Collector. Before creating the Source, identify the Hosted Collector you want to use or create a new Hosted Collector. For instructions, see Configure a Hosted Collector.
To configure a Qualys VMDR Source:
- In Sumo Logic, select Manage Data > Collection > Collection.
- On the Collectors page, click Add Source next to a Hosted Collector.
- Select Qualys VMDR.
- Enter a Name to display for the Source in the Sumo Logic web application. The description is optional.
- (Optional) For Source Category, enter any string to tag the output collected from the Source. Category metadata is stored in a searchable field called
- (Optional) Fields. Click the +Add Field link to define the fields you want to associate. Each field needs a name (key) and value.
- A green circle with a check mark is shown when the field exists in the Fields table schema.
- An orange triangle with an exclamation point is shown when the field doesn't exist in the Fields table schema. In this case, an option to automatically add the nonexistent fields to the Fields table schema is provided. If a field is sent to Sumo Logic that does not exist in the Fields schema it is ignored, known as dropped.
- Qualys API Server URL and Qualys API Gateway URL. Provide the Qualys API server URLs. Use the Qualys Platform Identification page and scroll down to API URLs to for a reference to your Qualys deployment location.
- Username and Password. Use your Qualys account username and password for API authentication.
- The next section covers the type of data to collect and how often.
- Collect vulnerability data. This option will fetch the list of hosts with the host's latest vulnerability data based on the host-based scan data available in the user’s account. We recommend leaving the polling interval at the default 1 hour.
- (Optional) Collect KnowledgeBase Information. This option is only available if you choose to collect vulnerability data. If selected, it will automatically download the vulnerability details from the Qualys KnowledgeBase for vulnerabilities detected within your environment.
- Collect asset inventory. This option consumes asset data from Qualys Global IT Asset Inventory API. The inventory data collected here will also be used in Cloud SIEM as inventory data. We recommend leaving the polling interval at the default 24 hours.
- To forward Qualys VMDR assetInventory to CSE, it is recommended to create a Field Extraction Rule with the following criteria:
_sourceCategory="<enter your source category here from Step 5>" "assetInventory"
- Parse Expression:
"true" as _siemForward
- When you are finished configuring the Source, click Submit.
When Sumo Logic detects an issue, it is tracked by Health Events. The following table shows three possible error types. It tells the reason for the error, if the source attempts to retry, and the name of the event log in the Health Event Index.
|Type||Reason||Retries||Retry Behavior||Health Event Name|
|ThirdPartyConfig||Normally due to an invalid configuration. You'll need to review your Source configuration and make an update.||No retries are attempted until the Source is updated.||Not applicable||ThirdPartyConfigError|
|ThirdPartyGeneric||Normally due to an error communicating with the third party service APIs.||Yes||The Source will retry indefinitely.||ThirdPartyGenericError|
|FirstPartyGeneric||Normally due to an error communicating with the internal Sumo Logic APIs.||Yes||The Source will retry indefinitely.||FirstPartyGenericError|
Restarting your Source
If your Source encounters ThirdPartyConfig errors, you can restart it from either the Sumo Logic UI or Sumo Logic API.
To restart your source in the Sumo Logic platform, follow the steps below:
- Open the Collection page, and go to Manage Data > Collection > Collection.
- Select the source and click the information icon on the right side of the row.
- The API usage information popup is displayed. Click the Restart Source button on the bottom left.
- Click Confirm to send the restart request.
- The bottom left of the platform will provide a notification informing you the request was successful.
To restart your source using the Sumo Management API, follow the instructions below:
- Example endpoint:
Sumo Logic endpoints like
api.sumologic.com are different in deployments outside
us1. For example, an API endpoint in Europe would begin
api.eu.sumologic.com. A service endpoint in
us2 (Western U.S.) would begin
service.us2.sumologic.com. For more information, see Sumo Logic Endpoints.
What specific API routes does this C2C collect?
|Data Type||API Route||Description|
|Vulnerability Detections||This collects a current list of new vulnerabilities detected for each computer. Each detection is sent as a separate log to Sumo Logic.|
API details are on page 496 in this Qualys PDF.
|KnowledgeBase||This collects the current vulnerability details from the Qualys KnowledgeBase for vulnerabilities when they are detected within your environment.|
Permissions - A subscription must be granted permission to run this API function. Roles
API details are on page 209 in this Qualys PDF.
|Computer Inventory||This collects the details for each asset/computer from Qualys. This data source is supported by Cloud SIEM as inventory data.|
Permissions - User must have the
API details are on page 27 in the this Qualys PDF.
Is anything changed with data for computer inventory?
Sometimes the asset information from the computer inventory data can exceed the Sumo Logic maximum log size of 64KB. Sumo Logic will automatically split log messages exceeding the size limit into smaller chunks. This C2C makes the following changes to the computer inventory asset data collected in order to keep most logs under the size limit and prevent splitting:
openPortListDatakey only contains information about ports open since the last time computer asset was ingested instead of listing all open port history from all time.
softwareListDatais reduced down from the full details to simply a list/array of software names using the full name.
How can I differentiate between data types collected?
The Qualys VMDR C2C collects all data using JSON as the format. It will add an additional key to your data called
LogType with the values of
assetInventory. This allows you to easily filter between them in your search queries.