How to collect events from XML files in Qualys Format


Article ID: 177642


Updated On:

Products

Security Information Manager

Issue/Introduction

You need to collect events from an XML file that a product outputs in Qualys Guard format.

Resolution

Rapid7 NeXpose can export its event output in Qualys Guard format.
Note: As part of an OEM partnership agreement between Rapid7 and Symantec, Symantec's Control Compliance Suite Vulnerability Manager (CCS VM) leverages the Rapid7 NeXpose scan engine. As such, events generated by CCS VM may also be collected by following these instructions.

To collect Rapid7 events, or events from any other point product that can output Qualys Guard format and for which we do not have a dedicated collector, use the Qualys Guard collector. You do not need a Qualys Guard account to do this.

Note: You must set up a method to transfer the resulting XML from the Rapid7 computer to the computer that has the Agent and Collector installed.

How to collect Rapid7 events with the Qualys Guard collector on-box
Warning: When collecting on-box, we recommend setting the sensor to Delete processed files to prevent the drive from becoming full.

    1. Install the Qualys Guard collector to the Symantec Security Information Manager (SSIM) appliance through System Updates in the Web UI.
    2. Run LiveUpdate from the Web UI on the Qualys Guard collector (June 2010 or higher) and Qualys sensor (v2.27 or higher).
    3. Unregister the current Qualys Guard SIP from the SSIM.
    4. Register the updated SIP obtained from the LiveUpdate.
      • You must transfer the updated SIP from the /opt/Symantec/sesa/Agent/collectors/qualysguard/utils directory off the SSIM first.
    5. Create a Configuration on the SSIM for Qualys Guard.
      Note: Do not enable the sensor until a properly formatted XML file from Rapid7 or CCS VM is in the offline directory.
      • Specify an offline directory where the XML in Qualys Guard format from Rapid7 will be placed.
      • Specify the number of days to Load History Reports.
    6. The XML files from Rapid7 must use the filename format _scan__.xml (Note: there are two underscores after scan).
      For example with a default sensor name of Sensor 0:

      Sensor_0_scan__20090421.xml
       

How to collect Rapid7 events with Qualys Guard collector off-box
 

    1. Install the Symantec Event Agent on the computer that Rapid7 will send its events to.
    2. Install the Qualys Guard collector on that same computer.
    3. Run LiveUpdate on the Qualys Guard collector (June 2010 or higher) and Qualys sensor (v2.27 or higher).
    4. Register the updated SIP obtained from the LiveUpdate.
      • With a default install, the updated SIP is located in C:\Program Files\Symantec\Event Agent\Collectors\qualysguard\utils directory.
    5. Create a Configuration on the SSIM for Qualys Guard.
      Note: Do not enable the sensor until a properly formatted XML file from Rapid7 or CCS VM is in the offline directory.
      • Specify an offline directory where the XML in Qualys Guard format from Rapid7 will be placed.
      • Specify the number of days to Load History Reports.
    6. The XML files from Rapid7 must use the filename format _scan__.xml (Note: there are two underscores after scan).
      For example with a default sensor name of Sensor 0:

      Sensor_0_scan__20090421.xml
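Both procedures above leave the transfer and renaming step to you. The following Python helper is an added example, not part of this article or of SSIM's own tooling; it assumes, from the Sensor_0_scan__20090421.xml example, that the name is the sensor name with spaces replaced by underscores, then _scan__, then the date as YYYYMMDD. It refuses a file that is not well-formed XML and places the file under its final name only once the copy is complete, so an enabled sensor never picks up a half-transferred report.

```python
import os
import re
import shutil
import tempfile
from datetime import date
from xml.etree import ElementTree as ET

def offline_filename(sensor_name, scan_date):
    """Sensor name (non-alphanumerics -> '_'), then _scan__, then YYYYMMDD (assumed from the article's example)."""
    safe = re.sub(r"[^A-Za-z0-9]+", "_", sensor_name.strip())
    return f"{safe}_scan__{scan_date:%Y%m%d}.xml"

def stage_report(src, sensor_name, offline_dir, scan_date=None):
    """Copy src into offline_dir under the expected name. The copy is written
    under a temporary name and renamed only once complete, so the sensor never
    picks up a partially written file; malformed XML is refused."""
    try:
        ET.parse(src)  # full parse: a truncated or half-transferred file fails here
    except ET.ParseError as err:
        raise ValueError(f"{src}: not well-formed XML, refusing to stage") from err
    scan_date = scan_date or date.fromtimestamp(os.path.getmtime(src))
    dest = os.path.join(offline_dir, offline_filename(sensor_name, scan_date))
    if os.path.exists(dest):
        raise FileExistsError(dest)  # never silently overwrite a staged report
    fd, tmp = tempfile.mkstemp(prefix=".part-", dir=offline_dir)
    os.close(fd)
    shutil.copyfile(src, tmp)
    os.replace(tmp, dest)  # atomic rename within the same filesystem
    return dest

def demo():
    """Stage one good and one truncated constructed sample (not real Rapid7 output)."""
    work = tempfile.mkdtemp()
    offline = os.path.join(work, "offline")
    os.makedirs(offline)
    good, bad = os.path.join(work, "good.xml"), os.path.join(work, "bad.xml")
    with open(good, "w") as f:
        f.write("<?xml version='1.0'?><SCAN><IP value='10.0.0.5'/></SCAN>")
    with open(bad, "w") as f:
        f.write("<?xml version='1.0'?><SCAN><IP value='10.0.0.5'/>")  # truncated
    staged = os.path.basename(stage_report(good, "Sensor 0", offline, date(2009, 4, 21)))
    try:
        stage_report(bad, "Sensor 0", offline, date(2009, 4, 22))
        rejected = False
    except ValueError:
        rejected = True
    return {"staged": staged, "bad_rejected": rejected, "offline_dir": sorted(os.listdir(offline))}
```

Run demo() to see that only the complete report lands in the offline directory under the expected name while the truncated one is rejected before anything is written.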
Applies To

Rapid7 NeXpose and Symantec Control Compliance Suite (CCS) Vulnerability Manager output in this format.