I’ve followed this document:
and configured the QRadar adapter to send data to BigFix; however, on the BigFix side no data is received.
Anyone able to advise?
2016-05-20 11:02:50,569 [pool-2-thread-1] com.q1labs.qvm.adaptor.plugin.PluginProcessor$CanonicalDataProducer: [DEBUG] Processing raw data from file /store/qvm/adaptor/bigfix/20160519.195709.000.2.testz.Full Scan.json.raw
2016-05-20 11:02:50,589 [pool-2-thread-1] com.q1labs.qvm.adaptor.plugin.PluginProcessor$CanonicalDataProducer: [DEBUG] Processing 20160519.195709.000.2.testz.Full Scan
2016-05-20 11:02:50,589 [pool-2-thread-1] com.q1labs.qvm.adaptor.plugin.PluginProcessor$CanonicalDataProducer: [DEBUG] Call getAssetUpdates {testz:2:1463659029000}
2016-05-20 11:02:50,589 [pool-2-thread-1] com.q1labs.qvm.adaptor.plugin.QvmJdbcCanonicalDataSource: [DEBUG] About to retrieve asset updates for scan: testz, using SQL
SELECT
DISTINCT( asset.Asset.id ) AS "assetid",
inet( interface_data.ipAddress ) AS "ipaddress",
assetproperty_data.assetName AS "assetname",
COALESCE( count_data.risk_score, 0 )::NUMERIC(10,2) AS "asset_riskScore",
cve_data.vulninstance_id AS "vulninstance_id",
vuln_data.vuln_id AS "vuln_id",
COALESCE( vuln_data.risk_score, 0 )::NUMERIC(10,2) AS "vuln_riskScore",
COALESCE( cve_data.refValue, 'NO CVE' ) AS "cve_id",
assetproperty_data.bigFixAgentId AS "bigfixagentid"
FROM asset.Asset
LEFT OUTER JOIN (
SELECT
ip_agg.assetId assetId,
trim( '#' from substring( string_agg( ip_agg.ipAddress, '#' ) FROM '[A-Z,a-z,0-9,.,:]+#?' ) ) ipAddress,
ip_agg.ipCount ipCount
FROM (
SELECT
iface.assetId AS assetId,
CASE WHEN ip.ipv4Address IS NOT NULL THEN ip2Address( ip.ipv4Address ) ELSE ip.ipv6Address END AS ipAddress,
COUNT( CASE WHEN ip.ipv4Address IS NOT NULL THEN ip2address( ip.ipv4Address ) ELSE ip.ipv6Address END ) OVER assetIdWin AS ipCount,
GREATEST( ip.lastSeenScanner,ip.lastSeenProfiler,ip.created ) AS lastObserved,
MAX ( GREATEST ( ip.lastSeenScanner, ip.lastSeenProfiler, ip.created ) ) OVER assetIdWin AS lastObservedMax
FROM asset.IpAddress ip
INNER JOIN asset.Interface iface ON ip.interfaceId = iface.id
WINDOW assetIdWin AS ( PARTITION BY iface.assetId )
) ip_agg
WHERE
ip_agg.lastObserved = ip_agg.lastObservedMax
GROUP BY ip_agg.assetId,ip_agg.ipCount
) interface_data ON interface_data.assetId = asset.Asset.id
LEFT OUTER JOIN (
SELECT
asset.AssetProperty.assetId AS assetId,
array_to_string( array_agg( CASE WHEN asset.AssetProperty.assetPropertyTypeId = ( SELECT id FROM asset.AssetPropertyType WHERE lower(typeName) LIKE 'unified name' ) THEN asset.AssetProperty.propertyValue ELSE NULL END ), ',') AS assetName,
array_to_string( array_agg( CASE WHEN asset.assetProperty.assetPropertyTypeId = ( SELECT id FROM asset.AssetPropertyType WHERE lower(typeName) LIKE 'big fix agent id' ) THEN asset.AssetProperty.propertyValue ELSE NULL END ), ',') AS bigfixAgentId
FROM asset.AssetProperty
GROUP BY asset.AssetProperty.assetId
) assetproperty_data ON assetproperty_data.assetId = asset.Asset.id
LEFT OUTER JOIN (
SELECT
v.assetId AS asset_id,
count( DISTINCT v.vulnId ) AS vulnerability_count,
SUM( asset.VulnInstanceStatistics.adjusted_risk_score ) AS risk_score
FROM asset.VulnInstance v
LEFT OUTER JOIN asset.VulnInstanceStatistics ON v.id = asset.VulnInstanceStatistics.vulninstanceId
WHERE ( CASE WHEN v.lastScannedFor IS NULL THEN DATE('1900-01-01') ELSE v.lastScannedFor END ) <= v.lastSeen
AND v.id NOT IN ( SELECT vulninstance_id FROM exception_rule.vuln_mgt_vulninstance WHERE NOW() <= except_until_date )
GROUP BY asset_id
) count_data on count_data.asset_id = asset.Asset.id
LEFT OUTER JOIN (
SELECT
v.assetId AS asset_id,
v.vulnId AS vuln_id,
v.id AS vulninstance_id,
SUM( asset.VulnInstanceStatistics.adjusted_risk_score ) AS risk_score
FROM asset.VulnInstance v
LEFT OUTER JOIN asset.VulnInstanceStatistics ON v.id = asset.VulnInstanceStatistics.vulninstanceId
WHERE ( CASE WHEN v.lastScannedFor IS NULL THEN DATE('1900-01-01') ELSE v.lastScannedFor END ) <= v.lastSeen
AND v.id NOT IN ( SELECT vulninstance_id FROM exception_rule.vuln_mgt_vulninstance WHERE NOW() <= except_until_date )
GROUP BY v.assetId, v.vulnId, v.id
) vuln_data on vuln_data.asset_id = asset.Asset.id
LEFT OUTER JOIN (
SELECT DISTINCT( v.id ) AS vulninstance_id,
erv.refValue AS refValue
FROM ExtRef AS er
INNER JOIN ExtRefValue erv ON er.extRefValueId = erv.extRefValueId
INNER JOIN ExtRefType ert ON erv.extRefTypeId = ert.extRefTypeId
INNER JOIN asset.VulnInstance v ON v.vulnid = er.vulnid
WHERE ert.extRefTypeId = 3
GROUP BY v.id, erv.refValue
) cve_data on cve_data.vulninstance_id = vuln_data.vulninstance_id
RIGHT OUTER JOIN (
SELECT cs.asset_id,
( SELECT COUNT( id )
FROM asset.VulnOnAssetScan
WHERE asset_scan_id = cs.id
AND is_found = false ) AS cleared
FROM asset.CompletedAssetScan AS cs
LEFT JOIN asset.ScanConfig sc ON cs.scan_config_id = sc.id
WHERE cs.scanner_id = ?
AND sc.scan_config_name = ?
AND sc.config_type = ?
) custom_data ON custom_data.asset_id = asset.Asset.id
WHERE assetproperty_data.bigFixAgentId != ''
AND cve_data.refValue != 'NO CVE'
AND ( COALESCE( count_data.risk_score, 0 )::NUMERIC(10,2) >= ?
OR COALESCE( vuln_data.risk_score, 0 )::NUMERIC(10,2) >= ?
OR custom_data.cleared > 0 )
AND asset.Asset.id = ANY( string_to_array( ?, ',' )::BIGINT[] ) ORDER BY asset.Asset.id
2016-05-20 11:02:51,944 [pool-2-thread-1] com.q1labs.qvm.adaptor.plugin.AssetUpdateBuilder: [DEBUG] Asset vuln update limit is 300
2016-05-20 11:02:51,944 [pool-2-thread-1] com.q1labs.qvm.adaptor.plugin.QvmJdbcCanonicalDataSource: [DEBUG] Asset update retrieved 0 updates
2016-05-20 11:02:51,944 [pool-2-thread-1] com.q1labs.qvm.adaptor.plugin.PluginProcessor$CanonicalDataProducer: [DEBUG] Received 0 asset updates
2016-05-20 11:02:51,944 [pool-2-thread-1] com.q1labs.qvm.adaptor.plugin.PluginProcessor: [DEBUG] StoreCanonicalUpdates updateCount=0
2016-05-20 11:03:04,033 [pool-3-thread-1] com.q1labs.qvm.adaptor.plugin.PluginProcessor$PluginDataPublisher: [DEBUG] No data received on plugin publish queue, shutdown=false
2016-05-20 11:03:04,033 [pool-3-thread-1] com.q1labs.qvm.adaptor.plugin.PluginProcessor$PluginDataPublisher: [DEBUG] Read plugin publish queue
2016-05-20 11:03:34,033 [pool-3-thread-1] com.q1labs.qvm.adaptor.plugin.PluginProcessor$PluginDataPublisher: [DEBUG] No data received on plugin publish queue, shutdown=false
2016-05-20 11:03:34,034 [pool-3-thread-1] com.q1labs.qvm.adaptor.plugin.PluginProcessor$PluginDataPublisher: [DEBUG] Read plugin publish queue
2016-05-20 11:03:34,039 [pool-1-thread-1] com.q1labs.qvm.adaptor.plugin.SourceDataDistributor: [DEBUG] Source data distributor timeout
2016-05-20 11:03:34,039 [pool-1-thread-1] com.q1labs.qvm.adaptor.plugin.SourceDataDistributor: [DEBUG] SourceDataDistributor.distribute source=/store/qvm/adaptor/data
2016-05-20 11:03:34,039 [pool-1-thread-1] com.q1labs.qvm.adaptor.utils.FileUtils: [DEBUG] ReadDataFiles suffix=.json dir=/store/qvm/adaptor/data
2016-05-20 11:03:34,039 [pool-1-thread-1] com.q1labs.qvm.adaptor.plugin.SourceDataDistributor: [DEBUG] Processed 0 files, runForever is false
2016-05-20 11:03:34,039 [pool-1-thread-1] com.q1labs.qvm.adaptor.plugin.SourceDataDistributor: [INFO] Start shutdown timer
2016-05-20 11:03:49,031 [pool-2-thread-1] com.q1labs.qvm.adaptor.plugin.PluginProcessor$CanonicalDataProducer: [DEBUG] Process raw data files
2016-05-20 11:03:49,031 [pool-2-thread-1] com.q1labs.qvm.adaptor.utils.FileUtils: [DEBUG] ReadDataFiles suffix=.raw dir=/store/qvm/adaptor/bigfix
2016-05-20 11:03:49,031 [pool-2-thread-1] com.q1labs.qvm.adaptor.plugin.PluginProcessor$CanonicalDataProducer: [DEBUG] There are 0 raw data files in /store/qvm/adaptor/bigfix
2016-05-20 11:04:04,034 [pool-3-thread-1] com.q1labs.qvm.adaptor.plugin.PluginProcessor$PluginDataPublisher: [DEBUG] No data received on plugin publish queue, shutdown=false
2016-05-20 11:04:04,034 [pool-3-thread-1] com.q1labs.qvm.adaptor.plugin.PluginProcessor$PluginDataPublisher: [DEBUG] Read plugin publish queue
2016-05-20 11:04:34,034 [pool-3-thread-1] com.q1labs.qvm.adaptor.plugin.PluginProcessor$PluginDataPublisher: [DEBUG] No data received on plugin publish queue, shutdown=false
2016-05-20 11:04:34,035 [pool-3-thread-1] com.q1labs.qvm.adaptor.plugin.PluginProcessor$PluginDataPublisher: [DEBUG] Read plugin publish queue
2016-05-20 11:04:34,039 [pool-1-thread-1] com.q1labs.qvm.adaptor.plugin.PluginDriver: [INFO] StopOnComplete pluginCount=1
2016-05-20 11:04:34,039 [pool-1-thread-1] com.q1labs.qvm.adaptor.plugin.SourceDataDistributor: [INFO] Stop data distributor
2016-05-20 11:04:34,040 [pool-1-thread-1] com.q1labs.qvm.adaptor.plugin.PluginProcessor: [INFO] StopOnComplete plugin processor for bigfix
2016-05-20 11:04:34,041 [pool-1-thread-1] com.q1labs.qvm.adaptor.plugin.PluginProcessor: [INFO] Wait on reader service shutdown, plugin=bigfix
2016-05-20 11:04:34,041 [pool-1-thread-1] com.q1labs.qvm.adaptor.plugin.PluginProcessor$CanonicalDataProducer: [DEBUG] Process raw data files
2016-05-20 11:04:34,041 [pool-1-thread-1] com.q1labs.qvm.adaptor.utils.FileUtils: [DEBUG] ReadDataFiles suffix=.raw dir=/store/qvm/adaptor/bigfix
2016-05-20 11:04:34,041 [pool-1-thread-1] com.q1labs.qvm.adaptor.plugin.PluginProcessor$CanonicalDataProducer: [DEBUG] There are 0 raw data files in /store/qvm/adaptor/bigfix
2016-05-20 11:04:34,041 [pool-1-thread-1] com.q1labs.qvm.adaptor.plugin.bigfix.BixfixSession: [INFO] Close session
2016-05-20 11:04:34,041 [pool-1-thread-1] com.q1labs.qvm.adaptor.plugin.PluginDriver: [INFO] Wait on shutdown latch
2016-05-20 11:04:34,041 [pool-1-thread-1] com.q1labs.qvm.adaptor.plugin.PluginDriver: [INFO] StopOnComplete: shutdown complete
2016-05-20 11:05:04,035 [pool-3-thread-1] com.q1labs.qvm.adaptor.plugin.PluginProcessor$PluginDataPublisher: [DEBUG] No data received on plugin publish queue, shutdown=true
2016-05-20 11:05:04,035 [pool-3-thread-1] com.q1labs.qvm.adaptor.plugin.PluginProcessor$PluginDataPublisher: [INFO] Data Publisher shutting down on request
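Added example, not IBM's code and not from the thread: a small Python triage script that parses the adaptor log format quoted above, tallies the count each pipeline stage reports, and names the first stage at which the flow of asset updates went empty. The sample log inside is a constructed excerpt modelled on the post's lines.

```python
"""Triage helper for the QRadar-to-BigFix adaptor debug log (added example, not
IBM's code): parse the log lines, collect per-stage counters, find the first empty stage."""
import re

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \S+) \[(?P<thread>[^\]]+)\] "
                     r"(?P<cls>\S+): \[(?P<level>[A-Z]+)\] (?P<msg>.*)$")

# Counters in pipeline order: .json.raw file read -> asset-update SQL -> canonical store.
STAGE_RES = [
    ("raw_files", re.compile(r"Processing raw data from file ")),
    ("sql_rows", re.compile(r"Asset update retrieved (\d+) updates")),
    ("asset_updates", re.compile(r"Received (\d+) asset updates")),
    ("stored", re.compile(r"StoreCanonicalUpdates updateCount=(\d+)")),
]

# Constructed excerpt modelled on the post's log (the SQL statement is shortened).
SAMPLE_LOG = """\
2016-05-20 11:02:50,569 [pool-2-thread-1] com.q1labs.qvm.adaptor.plugin.PluginProcessor$CanonicalDataProducer: [DEBUG] Processing raw data from file /store/qvm/adaptor/bigfix/scan.json.raw
2016-05-20 11:02:50,589 [pool-2-thread-1] com.q1labs.qvm.adaptor.plugin.QvmJdbcCanonicalDataSource: [DEBUG] About to retrieve asset updates for scan: testz, using SQL
SELECT DISTINCT( asset.Asset.id ) AS "assetid" FROM asset.Asset
WHERE assetproperty_data.bigFixAgentId != '' AND cve_data.refValue != 'NO CVE'
2016-05-20 11:02:51,944 [pool-2-thread-1] com.q1labs.qvm.adaptor.plugin.QvmJdbcCanonicalDataSource: [DEBUG] Asset update retrieved 0 updates
2016-05-20 11:02:51,944 [pool-2-thread-1] com.q1labs.qvm.adaptor.plugin.PluginProcessor$CanonicalDataProducer: [DEBUG] Received 0 asset updates
2016-05-20 11:02:51,944 [pool-2-thread-1] com.q1labs.qvm.adaptor.plugin.PluginProcessor: [DEBUG] StoreCanonicalUpdates updateCount=0
"""

def parse_log(text: str) -> list:
    """One dict per timestamped line; untimestamped lines (the multi-line SQL) join the previous record."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
        elif records:
            records[-1]["msg"] += "\n" + line
    return records

def stage_counts(records: list) -> dict:
    """Sum the counter each stage reports (a file-read line counts as one file)."""
    counts = {name: 0 for name, _ in STAGE_RES}
    for rec in records:
        for name, rx in STAGE_RES:
            m = rx.search(rec["msg"])
            if m:
                counts[name] += int(m.group(1)) if m.groups() else 1
    return counts

def first_empty_stage(counts: dict):
    """First stage reporting zero after an earlier stage saw data, else None."""
    seen_data = False
    for name, _ in STAGE_RES:
        if counts[name] > 0:
            seen_data = True
        elif seen_data:
            return name
    return None
```

In the posted log the drop happens at the SQL stage (the raw file was read, but 0 rows came back), so the adaptor's own WHERE clause is where to look: it keeps only assets in the bound asset id list that carry a non-empty 'big fix agent id' asset property, a CVE external reference, and either a risk score at or above the bound threshold or a cleared finding.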