Had a few questions regarding this app, can anyone please help?
1. In a distributed environment, I have installed this app on the forwarder. The index exists on the indexer and I'm able to see the data in the index on the search head when I search for `index=qualys`, but the lookup file qualys_kb lies on the forwarder, so I'm unable to see the lookup data on the search head. What to do in this case?
2. Should we install the app on both Forwarder and Search head in this case?
But I think it'll duplicate the indexed events, correct me if I'm wrong.
3. And in case the answer to the above is true, then how do I disable the script for detection on the search head and only enable the kb populator script? Only enabling the kb populator script under Data inputs -> Scripts on the search head isn't updating the lookup file on the search head.
Any pointers to the same are welcome.
Thanks
Rahul