I am facing a unique issue in which my agents appear to communicate with the Platform (I can infer that from logs), but when I try to see them in the Agent Module via the GUI, there is no trace of them. Why would this happen? Any ideas?
I ran into this issue and it was due to reuse of a VM host image in which the agent was already installed. Because the host was cloned from the image it had the same "HostID" registry key (under HKEY_LOCAL_MACHINE\SOFTWARE\Qualys) as the original image. This is the unique ID the agent uses for tracking hosts. The Qualys platform doesn't seem to show hosts using the same/duplicate HostID.
Recently there was a release of a new "duplicate hostID detection" feature, but this did not fix it for me... and just deleting the regkey doesn't work. I had to manually reinstall the agent on the host to get a new HostID and have the host show up in Qualys.
Re-installation is not feasible in the case of 1000s of endpoints. Also, in my case, the agent checked in earlier but just vanished from the platform later, yet the logs show that the agent is continuously communicating with the platform.
That's exactly what happened in my case also for the duplicates I was able to witness activity for (before I knew they were a problem). They showed up in the cloud agent platform GUI by hostname and under an Asset Search in the VM module, only that they would disappear a short time later. This issue was what originally led to the opening of a ticket and the discovery of the duplicate hostIDs from the host clone.
I also had the same issue with reinstalling on a large number of devices. I thought the duplicate detection logic would have fixed it, but it didn't, and Qualys support didn't really offer many solutions afterwards other than a re-install. I'm still in the process of trying to do that.
For the hosts that are in question, check the HostID registry key under HKEY_LOCAL_MACHINE\SOFTWARE\Qualys. Make a list and see if there are any duplicates. The hostID also seems to be buried in the logs of each agent under the URL to phone home; it should look something like this:
XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX = Customer/Activation ID
AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA = Agent HostID
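Added example (not part of the original thread and not Qualys code): one way to do the "make a list and see if there are any duplicates" check across many endpoints, once the HostID value from each host has been collected into a CSV. The CSV layout, host names, HostID values and function names are constructed for illustration; the brace and case handling is a defensive assumption about how the collected values might be formatted.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed inventory: one row per endpoint, host_id being the HostID read
# from HKEY_LOCAL_MACHINE\SOFTWARE\Qualys on that host (all values made up).
SAMPLE_INVENTORY = """hostname,host_id
WS-0001,3f2b8c1e-5a4d-4e6f-9b7a-1c2d3e4f5a6b
WS-0002,3F2B8C1E-5A4D-4E6F-9B7A-1C2D3E4F5A6B
WS-0003,{3f2b8c1e-5a4d-4e6f-9b7a-1c2d3e4f5a6b}
SRV-0101,9a8b7c6d-1e2f-4a3b-8c4d-5e6f7a8b9c0d
SRV-0102,
SRV-0103,not-a-guid
"""

GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)


def normalize(raw):
    """Strip whitespace/braces and lower-case; None if not GUID-shaped."""
    value = (raw or "").strip().strip("{}").lower()
    return value if GUID_RE.match(value) else None


def audit_host_ids(csv_text):
    """Return (duplicates, unreadable).

    duplicates: normalized HostID -> sorted hostnames sharing it (2 or more).
    unreadable: hostnames whose HostID was missing or malformed.
    """
    by_id = defaultdict(list)
    unreadable = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = row["hostname"].strip()
        host_id = normalize(row.get("host_id"))
        if host_id is None:
            unreadable.append(host)  # agent absent or value not collected
        else:
            by_id[host_id].append(host)
    duplicates = {h: sorted(n) for h, n in by_id.items() if len(n) > 1}
    return duplicates, unreadable


if __name__ == "__main__":
    dupes, unreadable = audit_host_ids(SAMPLE_INVENTORY)
    for host_id, hosts in dupes.items():
        print(f"{host_id} shared by {len(hosts)} hosts: {', '.join(hosts)}")
    print("no usable HostID:", ", ".join(unreadable) or "none")
```

Hosts listed under one HostID are the candidates for the cloned-image problem described in this thread; hosts reported with no usable HostID need the value collected again before they can be ruled in or out.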
Yeah, I have already checked these, but it looks like it is too late since the platform has already deleted the hosts. Also, these are unique hosts and there have been no duplicate entries from them.
To add to that, the Qualys uninstall utility should remove the registry keys as well.