topic Re: Configuing remote OSSEC Agent Management in Getting Data In

Configuing remote OSSEC Agent Management

wpz1599 — Thu, 07 Oct 2010 01:45:18 GMT

I am struggling to get the "OSSEC Agent Management" page to display my remote agents. Testing using the ossec_agent_status.py and ossecservers.py scripts shows expected results. The listagents.py script states that "...OSSEC Server is not configured for agent management...". Interestingly, if the MANAGE_AGENTS entry in the ossec_servers.conf file is outside a stanza (precedes the [_local]) the script returns expected results. Any ideas?

Re: Configuing remote OSSEC Agent Management

southeringtonp — Thu, 07 Oct 2010 03:59:45 GMT

That functionality is pretty new, so it could be a bug, or it may be a case sensitivity issue.

What build number of the OSSEC app are you using - have you already downloaded the latest release from SplunkBase?

Putting it outside of any stanza makes it a default value. To rule out an issue with the _local macro, enter the hostname in instead of using _local. Does that work correctly?

Try this in local/ossec_servers.conf and let me know if anything changes:

[_local]
# Turn off default settings for local machine
MANAGE_AGENTS =
AGENT_CONTROL =

[yourservername]
# Explicitly configure for your system
MANAGE_AGENTS = <your command line here>
AGENT_CONTROL = <your command line here>

Don't forget to run [OSSEC - Rebuild OSSEC Server Lookup Table] after making the change.

If an error is occurring in the backend, it may be masked by the Agent Management screen.

Go to Search, and issue the following command:

| listagents ossec_server=yourhostname

If we're hitting an error, you should see a backtrace here that would be hidden in the other view.

Re: Configuing remote OSSEC Agent Management

wpz1599 — Fri, 08 Oct 2010 19:43:57 GMT

The application, OSSEC, is currently at 1.1.74. The OSSEC server is remote to the server which is running the splunk software. I have configured a remote server explicitly. The use of a local server would be invalid in this configuration.

Re: Configuing remote OSSEC Agent Management

wpz1599 — Fri, 08 Oct 2010 19:56:35 GMT

After making the suggested modification to turn off the default settings, the behavior remains the same. The listagent.py script returns the error stating that it is not configured. The ossecserver.py and ossec_agent_status.py script return expected values. After executing the configuration changes and performing the [OSSEC - Rebuild OSSEC Server Lookup Table] function, the webapp is behaving a bit better. The [OSSEC Agent Status] dashboard now lists the OSSEC Server, but returns no data. It does not state that there was "no result" and its legend has "NULL" as its value. The [OSSEC Agent Management] portion now has the OSSEC server listed in its OSSEC Server pulldown. It does not return any data and shows "no results found" for the List Agents action. Making progress. Next thougths?

Re: Configuing remote OSSEC Agent Management

southeringtonp — Fri, 08 Oct 2010 22:55:01 GMT

It's possible that an error is occurring somewhere in the backend and the error message is being masked by that view. What happens if you call it directly? (see edits above)

Re: Configuing remote OSSEC Agent Management

wpz1599 — Tue, 12 Oct 2010 04:12:56 GMT

There was a hidden error related to the ssh command not being found. I reconfigured using the full path to ssh and executed the search you indicated and got the follow error. (Posted separately).

Re: Configuing remote OSSEC Agent Management

wpz1599 — Mon, 28 Sep 2020 09:18:58 GMT

Error : Traceback: Traceback (most recent call last): File "/opt/splunk/etc/apps/ossec/bin/listagents.py", line 34, in ossec.cache_agents() File "/opt/splunk/etc/apps/ossec/bin/pyOSSEC.py", line 342, in cache_agents self.connect() File "/opt/splunk/etc/apps/ossec/bin/pyOSSEC.py", line 331, in connect self.c.expect_exact('Choose your action:') File "../3rdparty/pexpect-2.3/pexpect.py", line 1343, in expect_exact return self.expect_loop(searcher_string(pattern_list), timeout, searchwindowsize) File "../3rdparty/pexpect-2.3/pexpect.py", line 1396, in expect_loop raise

Re: Configuing remote OSSEC Agent Management

wpz1599 — Mon, 28 Sep 2020 09:19:01 GMT

EOF (str(e) + '\n' + str(self)) EOF: End Of File (EOF) in read_nonblocking(). Exception style platform. version: 2.3 ($Revision: 399 $) command: /usr/local/bin/ssh args: ['/usr/local/bin/ssh', '-xt', 'naadmp04', '/var/ossec/bin/manage_agents'] searcher: searcher_string: 0: "Choose your action:" buffer (last 100 chars): before (last 100 chars): ty/pexpect-2.3/pexpect.py"", line 545, in _spawn for i in range (3, max_fd):

Re: Configuing remote OSSEC Agent Management

wpz1599 — Mon, 28 Sep 2020 09:19:04 GMT

MemoryError " after: match: None match_index: None exitstatus: None flag_eof: True pid: 348198 child_fd: 7 closed: False timeout: 5 delimiter: logfile: None logfile_read: None logfile_send: None maxread: 2000 ignorecase: False searchwindowsize: None delaybeforesend: 0.05 delayafterclose: 0.1 delayafterterminate: 0.1

Re: Configuing remote OSSEC Agent Management

wpz1599 — Tue, 12 Oct 2010 04:23:56 GMT

From within the /opt/splunk/etc/apps/ossec/local directory the following works (running as root).

../bin/listagents.py ossec_server=naadmp04

Re: Configuing remote OSSEC Agent Management

wpz1599 — Tue, 12 Oct 2010 04:26:56 GMT

I also noticed that in the traceback for the search line "| listagents ..." it shows that the MANAGE_AGENTS command line is being executed.

Re: Configuing remote OSSEC Agent Management

southeringtonp — Tue, 12 Oct 2010 06:33:27 GMT

It's timing out waiting for the manage_agents prompt. Usually that means it's getting hung up on an SSH key or password prompt. It's strange though that you would have a successful connection when you tried it from the command-line. When you tested from the command line, did you by any chance have an SSH key agent running? I just uploaded an experimental build 1.1.76 - try that version and see if it helps. The new build has better handling of certain types of connection error.

Re: Configuing remote OSSEC Agent Management

southeringtonp — Wed, 14 Mar 2012 01:46:49 GMT

More detailed instructions are now in a separate Answers post.

http://splunk-base.splunk.com/answers/42717/how-do-i-enable-remote-agent-management-in-splunk-for-ossec