Get Started with Agent Correlation Identifier 

Agent Correlation Identifier allows you to merge unauthenticated and authenticated vulnerability scan results from scanned IP interfaces and agent VM scans for your cloud agent assets. The Agent Correlation Identifier is supported for VM only and is detected by QID 48143 “Qualys Correlation ID Detected”.
For more information on merging unauthenticated scan results and agent scan results, visit our blog and watch the video.

Note: Qualys does not recommend enabling this feature on any host with any external facing interface.

Prerequisites

- The Agent Correlation Identifier feature must be available on your Qualys Cloud Platform.

- Your agent hosts must have the minimum Cloud Agent version: Windows Agent version 4.2 or later | Linux Agent version 3.1 or later

- The agent configuration profile must have the Agent Scan Merge option enabled. See steps below to learn how to enable this option in the Cloud Agent UI.

- The following TCP ports must not be blocked: 10001, 10002, 10003, 10004, 10005. These ports will be included in your vulnerability scans automatically when the agent correlation identifier option is accepted. We’ll add these ports to the scanned ports list.

- Your vulnerability scans must include Information Gathered QID 48143 “Qualys Correlation ID Detected”. A Full vulnerability scan will include this QID by default. If you run a custom scan using a search list, then you’ll need to make sure this QID is included. Add the QID to a search list and add the search list to the scan option profile under Vulnerability Detection: Custom.

- Make sure that agentid-service is running on the agent and listening on the port.

What are the steps?

Follow the steps below to start using the Agent Correlation Identifier.

In Cloud Agent:

1) Toggle On the Enable Agent Scan Merge for this profile option in the configuration profile. Choose Cloud Agent from the app picker, then go to Agent Management > Configuration Profiles. Create a new profile (or edit an existing profile) and select this option.

In Vulnerability Management:

2) (Manager primary contact) Go to Assets > Setup > Asset Tracking & Data Merging. On the Unique Asset Identifiers tab, scroll down to Agent Correlation Identifier and select the option Accept Agent Correlation Identifier.

3) Go to Scans > Option Profiles. Create a new option profile (or edit an existing profile) and make sure the scan is a Full scan or Custom scan with QID 48143 added.

4) Run new vulnerability scans to start gathering data for QID 48143.

 

Troubleshooting Unauth Merge

Where are the correlation logs?

For Windows:

- Log location: C:\ProgramData\Qualys\QualysAgent\Correlation\Resources\logs\agentid.txt

- Example: agentid-2021-01-07T06-31-17.992.log.gz

- Check running process: Go to Task Manager and search for the 'agentid-service.exe' process.

- Process: agentid-service

- After the logs exceed the 10MB threshold, they are rolled, compressed and archived with the log name and the current UTC time appended. This process continues for 5 rotations.

For Linux:

- Log location: /var/log/qualys/agentid.log

  If the user has relocated the log directory, agentid.log is stored there as well.

- Example: agentid-2021-01-07T06-31-17.992.log.gz

- Check running process: Run the ps -aux | grep agentid-service command.

- Process: agentid-service

- After the logs exceed the 10MB threshold, they are rolled, compressed and archived with the log name and the current UTC time appended. This process continues for 5 rotations.
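The Linux checks above can be run in one pass on an agent host. The script below is an added example, not Qualys code or tooling: it reports whether agentid-service is running, which of the ports 10001-10005 have a listener and on which local address, and whether the log exists at the default location. It assumes ss, awk and pgrep are installed; the function names and the --run argument are illustrative.

```shell
#!/bin/sh
# Added troubleshooting sketch for a Linux agent host; not part of the Qualys agent.
PORTS="10001 10002 10003 10004 10005"   # ports listed in the prerequisites
LOG=/var/log/qualys/agentid.log         # default log location given on this page

# Read `ss -H -ltnp` output on stdin and print "port local-address owner" for each
# listener on a correlation port. Owner is "unknown" when ss shows no process.
# Constructed sample line: LISTEN 0 4096 0.0.0.0:10001 0.0.0.0:* users:(("agentid-service",pid=1432,fd=7))
correlation_listeners() {
    awk -v ports="$PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4; port = addr
            sub(/.*:/, "", port)            # keep the text after the last colon
            if (!(port in want)) next
            sub(/:[0-9]+$/, "", addr)       # keep the bind address only
            owner = "unknown"
            if (match($0, /users:\(\("[^"]+"/))
                owner = substr($0, RSTART + 9, RLENGTH - 10)
            print port, addr, owner
        }'
}

# Summarise process, listener and log state.
# Returns 0 only when the process is running and a correlation port has a listener.
check_agentid() {
    rc=0
    if pgrep -x agentid-service >/dev/null 2>&1; then
        echo "process: agentid-service running"
    else
        echo "process: agentid-service NOT running"; rc=1
    fi
    found=$(ss -H -ltnp 2>/dev/null | correlation_listeners)
    if [ -n "$found" ]; then
        echo "$found" | while read -r port addr owner; do
            echo "listener: port $port on $addr (owner: $owner)"
        done
    else
        echo "listener: nothing listening on ports $PORTS"; rc=1
    fi
    [ -f "$LOG" ] && echo "log: $LOG present" || echo "log: $LOG missing (relocated log directory?)"
    return $rc
}

if [ "${1:-}" = "--run" ]; then check_agentid; fi
```

Run it as root so that ss can name the owning process. The local address in each listener line shows which interface the port is bound to, which is the detail to review against the note about external facing interfaces.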

Where are the correlation artifacts?

Artifact Location for Windows 

C:\ProgramData\Qualys\QualysAgent\Correlation

Artifact Location for Linux

/usr/local/qualys/cloud-agent/correlation/manifests

 

Unsupported Platforms

Windows:

- Windows XP

- Windows Server 2003

Linux:

- CentOS 5.x

- Red Hat 5.x

- Suse 10.x

- MacOS

- AIX