topic Re: OSSECNotConfiguredError after upgrade in All Apps and Add-ons

OSSECNotConfiguredError after upgrade

att35 — Wed, 07 May 2014 15:04:02 GMT

Hi,

We recently upgraded our Splunk instances to latest version (6.1.0). Now, whenever I do "List Agents" from OSSEC App in Splunk, following message is displayed.

OSSECNotConfiguredError This OSSEC Server is not configured for agent management. Error

I tried to initialize and re-built OSSEC lookup table but that doesn't fix it. We are using multiple splunk instances and I noticed this issue on all.(Each upgraded to 6.1.0)

Please Advise.

Thanks,

Abhi

Re: OSSECNotConfiguredError after upgrade

rivy4321 — Thu, 08 May 2014 17:23:12 GMT

Hi Abhi,

I fixed it like this.

->1. Change the following lines in /opt/splunk/etc/apps/ossec/bin/pyOSSEC.py

Original:
cfg = parse_config_file('../local/ossec_servers.conf', cfg)

New:
cfg = parse_config_file(os.environ['SPLUNK_HOME'] + '/etc/apps/ossec/local/ossec_servers.conf')

->2. Create a file /opt/splunk/etc/apps/ossec/bin/sshwrap

#!/bin/sh

LD_LIBRARY_PATH=/lib/x86_64-linux-gnu:$LD_LIBRARY_PATH
export LD_LIBRARY_PATH

/usr/bin/ssh "$@"

And make is executable :
chmod 755 /opt/splunk/etc/apps/ossec/bin/sshwrap

->3. Adapt the ssh executable in /opt/splunk/etc/apps/ossec/local/ossec_servers.conf to point to the wrappers script.

Old:
AGENT_CONTROL = ssh ossec -t -l splunk sudo /var/ossec/bin/agent_control -l MANAGE_AGENTS = ssh ossec -t -l splunk sudo /var/ossec/bin/manage_agents

New:
AGENT_CONTROL = /opt/splunk/etc/apps/ossec/bin/sshwrap ossec -t -l splunk sudo /var/ossec/bin/agent_control -l MANAGE_AGENTS = /opt/splunk/etc/apps/ossec/bin/sshwrap ossec -t -l splunk sudo /var/ossec/bin/manage_agents

That did the trick for me.

Best regards,

Thomas Elsen

Re: OSSECNotConfiguredError after upgrade

att35 — Fri, 09 May 2014 14:36:43 GMT

Hi Thomas,

Thanks for replying.

I tried these steps but it is still showing OSSEC not configured. I did notice few differences in the configuration I have.
Steps 1 & 2 done exactly as mentioned in your response.

On Step 3, ossec_servers.conf is under /opt/splunk/etc/apps/ossec/default. "local" directory is not present.

Re: OSSECNotConfiguredError after upgrade

att35 — Mon, 28 Sep 2020 16:34:25 GMT

Now, in this file, instead of
AGENT_CONTROL = ssh ossec -t -l splunk sudo /var/ossec/bin/agent_control -l
MANAGE_AGENTS = ssh ossec -t -l splunk sudo /var/ossec/bin/manage_agents

It had:

[_local]
AGENT_CONTROL = sudo /var/ossec/bin/agent_control -l
MANAGE_AGENTS = sudo /var/ossec/bin/manage_agents

Could it be because both OSSEC and Splunk are on the same server?

I appended the above lines with the sshwrap entry as you mentioned but that did not help.

Re: OSSECNotConfiguredError after upgrade

att35 — Mon, 28 Sep 2020 16:34:27 GMT

Then I changed both entries to exactly as they worked for you, i.e.

[_local]
AGENT_CONTROL = /opt/splunk/etc/apps/ossec/bin/sshwrap ossec -t -l splunk sudo /var/ossec/bin/agent_control -l
MANAGE_AGENTS = /opt/splunk/etc/apps/ossec/bin/sshwrap ossec -t -l splunk sudo /var/ossec/bin/manage_agents

Still no change. Restarted Splunk but OSSEC app still comes not configured.

Did I do any step incorrectly?

Many Thanks,

Abhi

Re: OSSECNotConfiguredError after upgrade

rivy4321 — Fri, 09 May 2014 15:06:27 GMT

Hi Abhi,

I suggest you first follow the steps in this answer.

http://answers.splunk.com/answers/42717/how-do-i-enable-remote-agent-management-in-splunk-for-ossec

Afterwards you have to apply the above fixes.

Best regards,
Thomas

Re: OSSECNotConfiguredError after upgrade

att35 — Fri, 09 May 2014 15:50:31 GMT

Hi Thomas,

It's working fine now.

In my case, Step 1 fixes the issue. I had to add the line you mentioned so that Splunk uses the correct ossec_servers.conf file.

Thanks again for all the help.

Abhi

Re: OSSECNotConfiguredError after upgrade

bkcarter — Thu, 21 Aug 2014 22:28:17 GMT

Step 1 also fixed the issues I was having with it erroring out on the List Agents button with v6.01 and 1.189 version of the app.

Thanks!

Re: OSSECNotConfiguredError after upgrade

Bloodnite — Sat, 09 May 2015 00:24:39 GMT

A thousand times.... THANK YOU. Followed your steps and the OSSEC agent Management piece is working again now!!!!!