https://community.splunk.com/t5/All-Apps-and-Add-ons/OSSEC-Agent-Management-configuration/m-p/90741#M6032 <P>Ok. Thanks ddpbsd. I think that part of my concern was, being new to this app, I didn't see any data when I went to the dashboard for it. But as of right now I'm seeing data. Thanks</P> Fri, 14 Oct 2011 22:24:38 GMT dlynum 2011-10-14T22:24:38Z https://community.splunk.com/t5/All-Apps-and-Add-ons/OSSEC-Agent-Management-configuration/m-p/90736#M6027 <P>I'm new to OSSEC. I've got version 2.6 of OSSEC installed, running, and sending me alerts. Since I'm only monitoring one host with OSSEC, I did a local install. I'm running Splunk 4.2.3, and your Splunk for OSSEC plugin. When I went to the Agent Management page, and clicked on "List Agents", I received the message "This OSSEC Server is not configured for agent management."</P> <P>How do I configure agent management?</P> <P>Thanks</P> Wed, 12 Oct 2011 19:05:29 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/OSSEC-Agent-Management-configuration/m-p/90736#M6027 dlynum 2011-10-12T19:05:29Z https://community.splunk.com/t5/All-Apps-and-Add-ons/OSSEC-Agent-Management-configuration/m-p/90737#M6028 <P>"Agents" in this context refers to OSSEC agents. OSSEC agents are systems running OSSEC and reporting log messages, file integrity checksums, and other information to a centralized OSSEC server.</P> <P>A local OSSEC install will not have any agents.</P> Thu, 13 Oct 2011 00:19:11 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/OSSEC-Agent-Management-configuration/m-p/90737#M6028 ddpbsd 2011-10-13T00:19:11Z https://community.splunk.com/t5/All-Apps-and-Add-ons/OSSEC-Agent-Management-configuration/m-p/90738#M6029 <P>Since I'm only monitoring a single server, would it make any sense for me to add an agent onto it so that I can use Splunk for OSSEC to its potential?</P> Thu, 13 Oct 2011 23:37:34 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/OSSEC-Agent-Management-configuration/m-p/90738#M6029 dlynum 2011-10-13T23:37:34Z https://community.splunk.com/t5/All-Apps-and-Add-ons/OSSEC-Agent-Management-configuration/m-p/90739#M6030 <P>That's entirely up to you. If you don't want to monitor another system, adding it as an agent is probably not a good idea.</P> Thu, 13 Oct 2011 23:42:43 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/OSSEC-Agent-Management-configuration/m-p/90739#M6030 ddpbsd 2011-10-13T23:42:43Z https://community.splunk.com/t5/All-Apps-and-Add-ons/OSSEC-Agent-Management-configuration/m-p/90740#M6031 <P>The agent screens in <I>Splunk for OSSEC</I> are really meant for dealing with OSSEC agent keys, which are used to identify individual remote OSSEC agents and protect data in transit.</P> <P>As ddpbsd pointed out, these are really more applicable for multi-system installations. If you are only going to run a single system, the agent management screens will not be particularly useful.</P> <P>That said, you configure agent management by creating/editing the file called <CODE>ossec_servers.conf</CODE> in your <CODE>$SPLUNK_HOME/etc/apps/ossec/local</CODE> directory. </P> <P>Take a look at the <CODE>README</CODE> file included with Splunk for OSSEC for more detail, and if anything doesn't make sense feel free to ask. But essentially you need to provide a path for Splunk to execute OSSEC's <CODE>manage_agents</CODE> and <CODE>agent_control</CODE> commands.</P> Fri, 14 Oct 2011 21:47:54 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/OSSEC-Agent-Management-configuration/m-p/90740#M6031 southeringtonp 2011-10-14T21:47:54Z https://community.splunk.com/t5/All-Apps-and-Add-ons/OSSEC-Agent-Management-configuration/m-p/90741#M6032 <P>Ok. Thanks ddpbsd. I think that part of my concern was, being new to this app, I didn't see any data when I went to the dashboard for it. But as of right now I'm seeing data. Thanks</P> Fri, 14 Oct 2011 22:24:38 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/OSSEC-Agent-Management-configuration/m-p/90741#M6032 dlynum 2011-10-14T22:24:38Z